The QinQ function enables packets to be transmitted across operators' backbone networks with the VLAN tags of private networks encapsulated in those of public networks. In public networks, such packets are forwarded according to their outer VLAN tags (that is, the VLAN tags of the public networks). The VLAN tags of private networks, which are encapsulated in the VLAN tags of public networks, are shielded.
Figure 1-1 illustrates the structure of a packet with a single VLAN tag.

Figure 1-1 Structure of packets with a single VLAN tag
Figure 1-2 illustrates the structure of a packet with nested VLAN tags.

Figure 1-2 Structure of packets with nested VLAN tags
Compared with MPLS-based Layer 2 VPN, QinQ has the following features:
- It enables Layer 2 VPN tunnels that are simpler.
- QinQ can be implemented through manual configuration, without the support of signaling protocols.
The QinQ function provides you with the following benefits:
- Saves public network VLAN ID resources.
- You can have VLAN IDs of your own, which are independent of public network VLAN IDs.
- Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
QinQ can be implemented by enabling the QinQ function on ports.
With the QinQ function enabled, a received packet is tagged with the default VLAN tag of the receiving port regardless of whether the packet already carries a VLAN tag. If the packet already carries a VLAN tag, it becomes a dual-tagged packet. Otherwise, it becomes a packet carrying the default VLAN tag of the port.
1.2 QinQ Configuration
- GARP VLAN registration protocol (GVRP), GARP multicast registration protocol (GMRP), neighbor topology discovery protocol (NTDP), spanning tree protocol (STP), 802.1x protocol, and voice VLAN are disabled on the port.
- The port is an access port.
Caution:
- QinQ is not applicable to ports with any of the functions among GVRP, GMRP, NTDP, STP, 802.1x, and voice VLAN enabled.
- By default, STP and NTDP are enabled. You can disable these two protocols using the stp disable and undo ntdp enable commands.
Table 1-1 Configure QinQ
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable QinQ for the port | vlan-vpn enable | Required. By default, QinQ is disabled on a port. |
- GVRP, GMRP, NTDP, STP, 802.1x, and Voice VLAN are not applicable to ports with QinQ enabled.
- If you use the copy configuration command to duplicate the configuration of a port to a QinQ-enabled port, the configuration concerning GVRP, GMRP, NTDP, STP, 802.1x, and Voice VLAN and the port attributes are not duplicated.
You can verify QinQ configuration by executing the display command in any view.
Table 1-2 Display QinQ configuration
| Operation | Command | Description |
|---|---|---|
| Display the QinQ configuration of all the ports | display port vlan-vpn | This command can be executed in any view. |
1.4 QinQ Configuration Example
I. Network requirements
- Switch A, Switch B, and Switch C are S7500 series switches.
- Two networks are connected to the Ethernet1/0/1 ports of Switch A and Switch C.
- Switch B only permits the packets of VLAN 10.
- It is required that packets of the VLANs other than VLAN 10 be exchanged between the networks connected to Switch A and Switch C.
II. Network diagram

Figure 1-3 Network diagram for QinQ configuration
III. Configuration Procedure
1) Configure Switch A and Switch C.
As the configuration performed on Switch A and Switch C is the same, configuration on Switch C is omitted.
# Configure Ethernet1/0/2 port as a trunk port. Add the port to VLAN 10.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] port trunk permit vlan 10
# Enable QinQ for Ethernet1/0/1 port. Add the port to VLAN 10.
[SwitchA-Ethernet1/0/2] quit
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] port access vlan 10
[SwitchA-Ethernet1/0/1] stp disable
[SwitchA-Ethernet1/0/1] undo ntdp enable
[SwitchA-Ethernet1/0/1] vlan-vpn enable
[SwitchA-Ethernet1/0/1] quit
2) Configure Switch B.
# Configure Ethernet3/1/1 port and Ethernet3/1/2 port as trunk ports. Add the two ports to VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface Ethernet 3/1/1
[SwitchB-Ethernet3/1/1] port link-type trunk
[SwitchB-Ethernet3/1/1] port trunk permit vlan 10
[SwitchB-Ethernet3/1/1] quit
[SwitchB] interface Ethernet 3/1/2
[SwitchB-Ethernet3/1/2] port link-type trunk
[SwitchB-Ethernet3/1/2] port trunk permit vlan 10
The following describes how a packet is forwarded from Switch A to Switch C.
- As QinQ is enabled on Ethernet1/0/1 port of Switch A, when a packet from the user's private network reaches Ethernet1/0/1 port of Switch A, it is tagged with the default VLAN tag of the port (VLAN 10 tag) and is then forwarded to Ethernet1/0/2 port.
- When the packet reaches Ethernet3/1/2 port of Switch B, it is forwarded in VLAN 10 and is passed to Ethernet3/1/1 port.
- The packet is forwarded from Ethernet3/1/1 port of Switch B to the network on the other side and reaches Ethernet1/0/2 port of Switch C. Switch C forwards the packet in VLAN 10 to its Ethernet1/0/1 port. As Ethernet1/0/1 port is an access port, the outer VLAN tag of the packet is stripped off and the packet is restored to its original form.
- The same applies when a packet travels from Switch C to Switch A.
After the configuration, the networks connected to Switch A and Switch C can receive packets from each other.
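
The tagging rule stated earlier (a QinQ-enabled port pushes its default VLAN tag onto every received packet) and the Switch A, Switch B, Switch C path described above, traced at the frame level. This is an added illustration, not code from the original manual; the function names, the use of TPID 0x8100 for both tags, and the sample frames (MAC addresses, customer VLAN 30, payload) are assumptions.

```python
import struct

TPID = 0x8100  # standard 802.1Q TPID, assumed here for inner and outer tags

def parse_tags(frame: bytes) -> list:
    """Return the VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12                       # tags start after the two MACs
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def qinq_ingress(frame: bytes, default_vlan: int) -> bytes:
    """QinQ-enabled port: push the port's default VLAN tag unconditionally."""
    if len(frame) < 14 or not 1 <= default_vlan <= 4094:
        raise ValueError("bad frame or VLAN ID")
    return frame[:12] + struct.pack("!HH", TPID, default_vlan) + frame[12:]

def trunk_permits(frame: bytes, permitted: set) -> bool:
    """Trunk port: only the outer tag is checked (untagged/PVID case not modelled)."""
    vids = parse_tags(frame)
    return bool(vids) and vids[0] in permitted

def access_egress(frame: bytes, port_vlan: int) -> bytes:
    """Access port: strip the outer tag, restoring the customer's frame."""
    vids = parse_tags(frame)
    if not vids or vids[0] != port_vlan:
        raise ValueError("frame is not in the egress port's VLAN")
    return frame[:12] + frame[16:]

# Constructed sample frames (MACs, VLAN 30 and payload are made up).
MACS = bytes.fromhex("020000000002" "020000000001")
UNTAGGED = MACS + b"\x08\x00" + b"constructed payload"
TAGGED_30 = MACS + struct.pack("!HH", TPID, 30) + b"\x08\x00" + b"constructed payload"

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("VLAN 30", TAGGED_30)):
        in_core = qinq_ingress(frame, 10)        # Switch A, Ethernet1/0/1
        assert trunk_permits(in_core, {10})      # Switch B permits VLAN 10 only
        restored = access_egress(in_core, 10)    # Switch C, Ethernet1/0/1
        print(name, parse_tags(frame), "->", parse_tags(in_core),
              "->", parse_tags(restored))
```

Without the outer tag, the VLAN 30 frame would not pass Switch B; with it, Switch B sees only VLAN 10 and the customer tag crosses unchanged.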
On an S7500 series Ethernet switch, QinQ can be implemented in the following ways.
- Enabling QinQ on ports
  In this type of implementation, QinQ is enabled on ports and a received packet is tagged with the default VLAN tag of the receiving port regardless of whether the packet already carries a VLAN tag. If the packet already carries a VLAN tag, it becomes a dual-tagged packet. Otherwise, it becomes a packet carrying the default VLAN tag of the port.
- Enabling QinQ on ports and in VLANs
  In this type of implementation, packets transmitted through the same port are tagged with outer VLAN tags according to the VLAN ID they carry. This is achieved by using the corresponding commands.
Selective QinQ configuration enables packets to be tagged according to the VLAN ID they carry.
- QinQ is enabled on ports.
- The VLANs whose packets are permitted on specific ports are configured.
Table 2-1 Configure selective QinQ
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable QinQ for the port | vlan-vpn enable | Required |
| Configure the outer VLAN tag by specifying the VLAN ID (This operation leads you to QinQ view) | vlan-vpn vid vlan-id | Required |
| Specify the inner VLAN tags by specifying VLAN IDs | raw-vlan-id inbound vlan-id-list | Required |
Caution:
- You need to execute the vlan-vpn enable command on the inbound ports before performing the operations listed in Table 2-1.
- QinQ is not applicable to ports with any of the functions among GVRP, NTDP, STP, 802.1x, and Voice VLAN enabled.
I. Network requirements
- Switch A is an S7500 series switch.
- Enable QinQ on GigabitEthernet0/1/1 port. Set the PVID of the port to 8.
- The inner VLAN tags are configured.
- Insert the tag of VLAN 10 into packets of VLAN 8 through VLAN 15 as the outer VLAN tag. Insert the tag of VLAN 100 into packets of VLAN 20 through VLAN 25 as the outer VLAN tag.
II. Network diagram

Figure 2-1 Network diagram for selective QinQ configuration
III. Configuration procedure
# Enter system view.
<SwitchA> system-view
[SwitchA]
# Enter GigabitEthernet0/1/1 port view.
[SwitchA] interface GigabitEthernet 0/1/1
# Configure the port to be a hybrid port.
[SwitchA-GigabitEthernet0/1/1] port link-type hybrid
# Configure the port to permit the packets of all the VLANs.
[SwitchA-GigabitEthernet0/1/1] port hybrid vlan 1 to 4094 tagged
# Set the PVID of the port to 8.
[SwitchA-GigabitEthernet0/1/1] port hybrid pvid vlan 8
# Disable STP and NTDP.
[SwitchA-GigabitEthernet0/1/1] stp disable
[SwitchA-GigabitEthernet0/1/1] undo ntdp enable
# Enable QinQ.
[SwitchA-GigabitEthernet0/1/1] vlan-vpn enable
# Specify the outer VLAN tag to be inserted to packets.
[SwitchA-GigabitEthernet0/1/1] vlan-vpn vid 10
# Specify the inner VLAN tags.
[SwitchA-GigabitEthernet0/1/1-vid-10] raw-vlan-id inbound 8 to 15
# Specify the outer VLAN tag to be inserted to packets.
[SwitchA-GigabitEthernet0/1/1-vid-10] vlan-vpn vid 100
# Specify the inner VLAN tags.
[SwitchA-GigabitEthernet0/1/1-vid-100] raw-vlan-id inbound 20 to 25
With the above configuration, packets reaching GigabitEthernet0/1/1 port are processed as follows:
- The VLAN 10 tag is inserted as the outer VLAN tag into single-tagged packets whose tags are those of VLAN 8 through VLAN 15.
- The VLAN 100 tag is inserted as the outer VLAN tag into single-tagged packets whose tags are those of VLAN 20 through VLAN 25.
- The VLAN 8 tag is inserted as the outer VLAN tag into single-tagged packets whose tags are neither those of VLAN 8 through VLAN 15 nor those of VLAN 20 through VLAN 25.
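
One way to check the mapping these commands produce, as an added example (not code from the manual): it parses the port-view commands, rejects a vlan-vpn vid entered before vlan-vpn enable (the caution above), and returns the outer tag for a given inner VLAN ID. Treating one inner VLAN mapped to two outer tags as an error, accepting a single ID after raw-vlan-id inbound, and a PVID of 1 when none is set are assumptions of this example, as are the function names.

```python
import re

def parse_selective_qinq(commands):
    """Return (rules, pvid); rules are (first_inner, last_inner, outer_vid)."""
    rules, pvid, outer, enabled = [], 1, None, False  # PVID 1 if unset: assumption
    for raw in commands:
        cmd = " ".join(raw.split())
        if cmd == "vlan-vpn enable":
            enabled = True
        elif m := re.fullmatch(r"port hybrid pvid vlan (\d+)", cmd):
            pvid = int(m[1])
        elif m := re.fullmatch(r"vlan-vpn vid (\d+)", cmd):
            if not enabled:
                raise ValueError("vlan-vpn vid used before vlan-vpn enable")
            outer = int(m[1])
        elif m := re.fullmatch(r"raw-vlan-id inbound (\d+)(?: to (\d+))?", cmd):
            if outer is None:
                raise ValueError("raw-vlan-id outside a vlan-vpn vid view")
            first, last = int(m[1]), int(m[2] or m[1])
            if not 1 <= first <= last <= 4094:
                raise ValueError(f"bad inner VLAN range {first} to {last}")
            for lo, hi, vid in rules:   # same inner VLAN under two outer tags
                if first <= hi and lo <= last and vid != outer:
                    raise ValueError(f"inner range {first}-{last} overlaps {lo}-{hi}")
            rules.append((first, last, outer))
    return rules, pvid

def outer_vlan_for(inner_vid, rules, pvid):
    """Outer tag pushed onto a single-tagged packet carrying inner_vid."""
    for first, last, outer in rules:
        if first <= inner_vid <= last:
            return outer
    return pvid   # unmatched inner VLANs get the port's default VLAN tag

# Port-view commands copied from the configuration procedure above.
PAGE_COMMANDS = [
    "port link-type hybrid", "port hybrid vlan 1 to 4094 tagged",
    "port hybrid pvid vlan 8", "stp disable", "undo ntdp enable",
    "vlan-vpn enable", "vlan-vpn vid 10", "raw-vlan-id inbound 8 to 15",
    "vlan-vpn vid 100", "raw-vlan-id inbound 20 to 25",
]

if __name__ == "__main__":
    rules, pvid = parse_selective_qinq(PAGE_COMMANDS)
    for inner in (8, 15, 16, 20, 25, 30):
        print(f"inner VLAN {inner:>2} -> outer VLAN {outer_vlan_for(inner, rules, pvid)}")
```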