H3C S5500-SI Series Ethernet Switches Operation Manual-Release 1205-(V1.03)

05-QinQ-BPDU TUNNEL Operation

Chapter 1  QinQ Configuration

1.1  Introduction to QinQ

1.1.1  Understanding QinQ

In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a device can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.

The port QinQ feature provided by the device encapsulates two VLAN tags in an Ethernet frame: the inner VLAN tag is the customer network VLAN tag, and the outer one is the VLAN tag assigned by the service provider to the customer. The devices of the service provider forward frames based on the outer VLAN tag and add the source MAC addresses to the MAC address table of the VLANs corresponding to the outer VLAN tags. The customer network VLAN tag is shielded during data transmission.

Figure 1-1 shows the structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature enables a device to support up to 4,094 x 4,094 VLANs to satisfy the requirement for the number of VLANs in the MAN.

Figure 1-1 802.1Q-tagged frame structure vs. double-tagged Ethernet frame structure

Advantages of QinQ:

• Addresses the shortage of public VLAN ID resources.

• Enables customers to plan their own VLAN IDs without running into conflicts with public network VLAN IDs.

• Provides a simple Layer 2 VPN solution for small-sized MANs or intranets.

 

Note:

The QinQ feature requires configurations only on the service provider network, and not on the customer network.

 

1.1.2  Implementations of QinQ

There are two types of QinQ implementations: basic QinQ and selective QinQ.

1)         Basic QinQ

Basic QinQ is a port-based feature, which is implemented through VLAN VPN.

With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the port will tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged. If the received frame is already tagged, this frame becomes a double-tagged frame; if it is an untagged frame, it is tagged with the port’s default VLAN tag.

2)         Selective QinQ

Selective QinQ is more flexible and is implemented based on both VLAN tag and port. In addition to all the functions of basic QinQ, selective QinQ can take different actions based on the VLAN tags carried by received frames, including tagging received frames with different outer VLAN tags based on their inner VLAN tags.

 

Note:

For an S5500-SI switch with both basic QinQ function and selective QinQ function enabled, packets received are processed according to the settings of selective QinQ first. Those that do not match selective QinQ settings are tagged with outer VLAN tags according to the basic QinQ settings.

 

1.1.3  Adjustable TPID Value of QinQ Frames

A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100.

Figure 1-2 shows the structure of an Ethernet frame defined in IEEE 802.1Q.

Figure 1-2 Tag structure of an Ethernet frame

On devices of different vendors, the TPID field of the outer VLAN tag of QinQ frames may have different default values. You can set and/or modify this TPID value.

Normally, a frame whose TPID field is 0x8100 is regarded as carrying a VLAN tag and is processed in the preset way when it reaches a switch. Frames whose TPID is not 0x8100 are regarded as carrying no VLAN tag.

After you configure the TPID value to be adjustable, the switch replaces the TPID value in the outer VLAN tag of a received frame with the customer-defined value before forwarding the frame, so that the frame, when arriving at the public network, is of specific protocol type. This enables a switch to communicate with devices of other vendors.
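The effect of the outer TPID on how a frame is interpreted, as an added example that is not part of the H3C manual: a port expecting 0x8200 sees both tags, while a port left at 0x8100 regards the same frame as untagged. The function names, MAC addresses and sample frame are constructed for illustration, and the parser is a simplified model of tag recognition, not the switch's implementation.

```python
import struct

DOT1Q_TPID = 0x8100  # TPID value defined in IEEE 802.1Q


def build_frame(dst, src, tags, ethertype, payload=b""):
    """Build an Ethernet frame; tags is a list of (tpid, vlan_id), outermost first."""
    out = dst + src
    for tpid, vlan_id in tags:
        out += struct.pack("!HH", tpid, vlan_id & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame, outer_tpid=DOT1Q_TPID):
    """Return (tags, ethertype) as seen by a port that expects outer_tpid.

    tags is a list of (tpid, vlan_id), outermost first. The outermost tag must
    carry outer_tpid and the inner tag 0x8100; any other value is returned as
    the frame's EtherType, i.e. the frame is regarded as carrying no tag there.
    """
    tags, offset = [], 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (value,) = struct.unpack_from("!H", frame, offset)
        expected = outer_tpid if not tags else DOT1Q_TPID
        if value != expected or len(tags) == 2:
            return tags, value
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((value, tci & 0x0FFF))  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def set_outer_tpid(frame, current_tpid, new_tpid):
    """Rewrite the TPID of the outer tag, leaving the rest of the frame untouched."""
    tags, _ = parse_vlan_tags(frame, current_tpid)
    if not tags:
        return frame  # no outer tag recognized, nothing to rewrite
    return frame[:12] + struct.pack("!H", new_tpid) + frame[14:]


# Constructed sample: customer VLAN 10 inside provider VLAN 1000, dummy payload.
DST, SRC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
QINQ_8100 = build_frame(DST, SRC, [(0x8100, 1000), (0x8100, 10)], 0x0800, b"\x00" * 46)
QINQ_8200 = set_outer_tpid(QINQ_8100, 0x8100, 0x8200)

if __name__ == "__main__":
    print(parse_vlan_tags(QINQ_8200, outer_tpid=0x8200))  # both tags recognized
    print(parse_vlan_tags(QINQ_8200))                     # regarded as untagged
```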

1.2  Configuring Basic QinQ

Follow these steps to configure basic QinQ:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view or port group view | Ethernet port view: interface interface-type interface-number; port group view: port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group. |
| Enable QinQ for the Ethernet port | qinq enable | Required. Disabled by default. |

 

1.3  Configuring Selective QinQ

The outer VLAN tag inserted by the basic QinQ feature is the VLAN tag corresponding to the port’s default VLAN ID, while the selective QinQ feature can add different VLAN tags according to the inner VLAN tags carried in received frames.

Frames that do not match tag mapping rules defined for the selective QinQ function are tagged with the default outer VLAN tag of the port they reach if the basic QinQ function is enabled. However, if the basic QinQ function is not enabled, the packets will be dropped.

Follow these steps to configure the selective QinQ function:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter Ethernet port view or port group view | Ethernet port view: interface interface-type interface-number; port group view: port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group. |
| Configure the outer VLAN tag to be added to received frames and enter QinQ view | qinq vid vlan-id | Required. By default, no outer VLAN tag is specified. |
| Specify the VLANs whose frames are to be tagged with the outer VLAN tag | raw-vlan-id inbound { all \| vlan-id-list } | Required. By default, a frame is not tagged with an outer VLAN tag no matter which VLAN it belongs to. |

 

  Caution:

• Selective QinQ can be configured on access ports/trunk ports/hybrid ports connecting customer networks to service provider networks.

• An inner VLAN tag corresponds to only one outer VLAN tag. To change an outer VLAN tag, you must remove it first and then reconfigure one.

• When you use the qinq vid command to configure selective QinQ, you must either configure the outgoing port of the local switch to remove the tags of the packets, or configure the corresponding ports of the other switches to permit the tagged packets.
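The processing order described in this section (selective QinQ first, then basic QinQ, otherwise drop) and the one-outer-tag-per-inner-tag rule can be checked against a configuration before it is deployed. The following is an added example, not H3C code: it reads CLI lines in the style of this manual and reports the tag stack each inner VLAN would receive. The function names and the pvid argument are hypothetical, only numeric VLAN IDs are handled (not the all keyword), and the sample lines are the GigabitEthernet1/0/1 commands from section 1.5.

```python
import re

PROMPT = re.compile(r"^[<\[][^>\]]*[>\]]\s*")  # "<Sysname>" or "[Sysname-...]"


def parse_qinq_config(lines):
    """Return {port: {"basic": bool, "map": {inner_vlan: outer_vlan}}}."""
    ports, port, outer = {}, None, None
    for raw in lines:
        words = PROMPT.sub("", raw.strip()).split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface":
            port, outer = "".join(words[1:]), None
            ports.setdefault(port, {"basic": False, "map": {}})
        elif words[0] == "quit":
            if outer is not None:
                outer = None  # leave QinQ view, back to port view
            else:
                port = None   # leave port view
        elif port and words[:2] == ["qinq", "enable"]:
            ports[port]["basic"] = True
        elif port and words[:2] == ["qinq", "vid"]:
            outer = int(words[2])
        elif port and outer is not None and words[:2] == ["raw-vlan-id", "inbound"]:
            for inner in map(int, words[2:]):  # numeric VLAN IDs only, not "all"
                mapped = ports[port]["map"].setdefault(inner, outer)
                if mapped != outer:
                    raise ValueError(f"{port}: inner VLAN {inner} already mapped to {mapped}")
    return ports


def ingress_tags(port_cfg, pvid, inner_vlan):
    """Tag stack (outermost first) of a tagged customer frame, or None if dropped."""
    outer = port_cfg["map"].get(inner_vlan)
    if outer is not None:
        return [outer, inner_vlan]   # selective QinQ is evaluated first
    if port_cfg["basic"]:
        return [pvid, inner_vlan]    # basic QinQ: port default VLAN as outer tag
    return None                      # no match and no basic QinQ: dropped


# Commands of GigabitEthernet1/0/1 on Provider 1 from section 1.5 of this manual.
PROVIDER1 = """
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged
[Sysname-GigabitEthernet1/0/1] qinq vid 1000
[Sysname-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10
[Sysname-GigabitEthernet1/0/1-vid-1000] quit
[Sysname-GigabitEthernet1/0/1] qinq vid 2000
[Sysname-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20
[Sysname-GigabitEthernet1/0/1-vid-2000] quit
[Sysname-GigabitEthernet1/0/1] quit
""".splitlines()

if __name__ == "__main__":
    cfg = parse_qinq_config(PROVIDER1)["GigabitEthernet1/0/1"]
    for vlan in (10, 20, 30):  # 30 is a constructed unmapped VLAN
        print(vlan, ingress_tags(cfg, pvid=1, inner_vlan=vlan))
```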

 

1.4  Configuring TPID to be Adjustable

Follow these steps to configure TPID to be adjustable:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure a global QinQ TPID | qinq ethernet-type hex-value | Optional. 0x8100 by default. |

 

Note:

Enable the TPID adjustable function in service provider networks only.

 

1.5  QinQ Configuration Example

I. Network requirements

• Provider 1 and Provider 2 are service provider network access devices.

• Customer 1, Customer 2 and Customer 3 are customer network access devices.

• Provider 1 and Provider 2 are interconnected through trunk ports. Frames of VLAN 1000 and VLAN 2000 in the service provider network are permitted.

• Customer 1 can send frames of VLAN 10 and VLAN 20. It is required that frames of VLAN 10 can be exchanged between Customer 1 and Customer 2, and those of VLAN 20 can be exchanged between Customer 1 and Customer 3.

• QinQ is enabled for GigabitEthernet1/0/2 of Provider 1 and GigabitEthernet1/0/3 of Provider 2. The QinQ TPID of both is 0x8200.

II. Network diagram

Figure 1-3 Network diagram for QinQ configuration

III. Configuration procedure

 

Note:

With this configuration, the user must allow the QinQ packets to pass between the devices of the service providers.

 

1)         Configuration on Provider 1

# Enter system view.

<Sysname> system-view

# Configure GigabitEthernet1/0/1 as a hybrid port, and permit frames of VLAN 1000 and VLAN 2000 to pass without outer VLAN tags.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port link-type hybrid

[Sysname-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged

# Tag the frames of VLAN 10 with the tag of VLAN 1000 as the outer tags.

[Sysname-GigabitEthernet1/0/1] qinq vid 1000

[Sysname-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10

[Sysname-GigabitEthernet1/0/1-vid-1000] quit

# Tag the frames of VLAN 20 with the tag VLAN 2000 as the outer tags.

[Sysname-GigabitEthernet1/0/1] qinq vid 2000

[Sysname-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20

[Sysname-GigabitEthernet1/0/1-vid-2000] quit

[Sysname-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000 to pass.

[Sysname] interface GigabitEthernet 1/0/2

[Sysname-GigabitEthernet1/0/2] port link-type trunk

[Sysname-GigabitEthernet1/0/2] port trunk permit vlan 1000 2000

[Sysname-GigabitEthernet1/0/2] quit

# Set the global QinQ TPID to 0x8200.

[Sysname] qinq ethernet-type 8200

# Configure GigabitEthernet1/0/4 as a hybrid port, and configure the port to send packets of VLAN 1000 without outer VLAN tags.

[Sysname] interface GigabitEthernet 1/0/4

[Sysname-GigabitEthernet1/0/4] port link-type hybrid

[Sysname-GigabitEthernet1/0/4] port hybrid vlan 1000 untagged

# Tag frames of VLAN 10 with the VLAN tag of VLAN 1000 as the outer tags.

[Sysname-GigabitEthernet1/0/4] qinq vid 1000

[Sysname-GigabitEthernet1/0/4-vid-1000] raw-vlan-id inbound 10

[Sysname-GigabitEthernet1/0/4-vid-1000] quit

2)         Configuration on Provider 2

# Configure GigabitEthernet 1/0/3 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000 to pass.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/3

[Sysname-GigabitEthernet1/0/3] port link-type trunk

[Sysname-GigabitEthernet1/0/3] port trunk permit vlan 1000 2000

[Sysname-GigabitEthernet1/0/3] quit

# Set the global QinQ TPID to 0x8200.

[Sysname] qinq ethernet-type 8200

# Configure GigabitEthernet1/0/5 as a hybrid port, and configure the port to send packets of VLAN 2000 without outer VLAN tags.

[Sysname] interface GigabitEthernet 1/0/5

[Sysname-GigabitEthernet1/0/5] port link-type hybrid

[Sysname-GigabitEthernet1/0/5] port hybrid vlan 2000 untagged

# Tag frames of VLAN 20 with the VLAN tag of VLAN 2000 as the outer tags.

[Sysname-GigabitEthernet1/0/5] qinq vid 2000

[Sysname-GigabitEthernet1/0/5-vid-2000] raw-vlan-id inbound 20

[Sysname-GigabitEthernet1/0/5-vid-2000] quit

After the above configuration, frames from VLAN 10 and VLAN 20 on Customer 1 are double-tagged when transmitted by the trunk ports of Provider 1 and Provider 2:

• Frames from VLAN 10 are transmitted with the tag of VLAN 1000 as the outer tag, and the TPID carried in the outer tag is 0x8200.

• Frames from VLAN 20 are transmitted with the tag of VLAN 2000 as the outer tag, and the TPID carried in the outer tag is 0x8200.

1.6  QinQ-MSTP Cooperation Configuration Example

I. Network requirements

Configure MSTP so that packets of different VLANs are forwarded along different spanning trees. Configurations concerning MSTP are as follows:

• All the devices in the network belong to the same MST region.

• Packets of VLAN 10 are forwarded along MST instance 1, those of VLAN 30 are forwarded along MST instance 3, those of VLAN 40 are forwarded along MST instance 4, and those of VLAN 20 are forwarded along MST instance 0.

• Switch A and Switch B operate on the convergence layer, while Switch C and Switch D operate on the access layer. VLAN 10 and VLAN 30 are terminated on the convergence layer devices, and VLAN 40 is terminated on the access layer devices. So the root bridges of MST instance 1 and MST instance 3 are Switch A and Switch B, and that of MST instance 4 is Switch C.

The specific QinQ configuration requirements are as follows:

• QinQ is enabled on GigabitEthernet1/0/4 of Switch C. The port belongs to VLAN 10 and VLAN 20. This port tags packets from VLAN 10 with the outer VLAN tag of VLAN 1000 and packets from VLAN 20 with the outer VLAN tag of VLAN 2000.

• Outer VLAN tags of VLAN 1000 and VLAN 2000 are removed on GigabitEthernet1/0/2.

II. Network diagram

Figure 1-4 Network diagram for QinQ-MSTP cooperation configuration

 

Note:

“Permit:” beside each link in the above figure is followed by the VLANs whose packets are permitted to pass the link.

 

III. Configuration procedure

1)         Configuration on Switch C

# Configure an MST region.

<Sysname> system-view

[Sysname] stp region-configuration

[Sysname-mst-region] region-name example

[Sysname-mst-region] instance 1 vlan 10

[Sysname-mst-region] instance 3 vlan 30

[Sysname-mst-region] instance 4 vlan 40

[Sysname-mst-region] revision-level 0

# Activate MST region configuration manually.

[Sysname-mst-region] active region-configuration

[Sysname-mst-region] quit

# Configure Switch C as the root bridge of MST instance 4.

[Sysname] stp instance 4 root primary

# Display the configuration of currently effective MST regions.

[Sysname] display stp region-configuration

 Oper configuration

   Format selector    :0

   Region name        :example

   Revision level     :0

 

   Instance   Vlans Mapped

      0       1 to 9, 11 to 29, 31 to 39, 41 to 4094

      1       10

      3       30

      4       40

2)         Configure QinQ for GigabitEthernet1/0/2 of Switch C

# Enter system view to create the corresponding VLANs.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] quit

[Sysname] vlan 20

[Sysname-vlan20] quit

# Enter Ethernet port view of GigabitEthernet1/0/4 to perform related configuration.

[Sysname] interface GigabitEthernet1/0/4

[Sysname-GigabitEthernet1/0/4] port link-type trunk

[Sysname-GigabitEthernet1/0/4] port trunk permit vlan 10 20 1000 2000

# Tag packets from VLAN 10 with the outer VLAN tag of VLAN 1000.

[Sysname-GigabitEthernet1/0/4] qinq vid 1000

[Sysname-GigabitEthernet1/0/4-vid-1000] raw-vlan-id inbound 10

[Sysname-GigabitEthernet1/0/4-vid-1000] quit

# Tag packets from VLAN 20 with the outer VLAN tag of VLAN 2000.

[Sysname-GigabitEthernet1/0/4] qinq vid 2000

[Sysname-GigabitEthernet1/0/4-vid-2000] raw-vlan-id inbound 20

[Sysname-GigabitEthernet1/0/4-vid-2000] quit

[Sysname-GigabitEthernet1/0/4] quit

# Configure GigabitEthernet1/0/2 as a hybrid port, and configure it to remove the outer VLAN tags of VLAN 1000 and VLAN 2000.

[Sysname] interface GigabitEthernet1/0/2

[Sysname-GigabitEthernet1/0/2] port link-type hybrid

[Sysname-GigabitEthernet1/0/2] port hybrid vlan 1000 2000 untagged

 

  Caution:

• When using the qinq vid command to configure selective QinQ, you need to either remove the tags of the packets on the outgoing port of the local switch, or configure the corresponding ports of the other switches to permit the tagged packets.

• In this example, the tags of packets are removed on the outgoing port.

 


Chapter 2  BPDU Tunnel Configuration

2.1  Introduction to BPDU Tunnel

2.1.1  Problems in QinQ-Enabled Network

In a QinQ implementation, as the service provider network is transparent to customer networks, any redundant links between the two bring about loops. To solve this problem, the service provider network needs to be capable of transmitting STP/RSTP/MSTP packets transparently, so that spanning trees of customer networks can be established across the service provider network and loops can thus be eliminated.

STP/RSTP/MSTP identifies the network topology by transmitting bridge protocol data units (BPDUs) between network devices. For the purpose of transmitting BPDUs transparently in service provider networks, the following requirements must be satisfied:

• All branches in a customer network can receive their own BPDUs.

• BPDUs of different customer networks must be isolated from each other.

These requirements can be met in the following ways.

• When a port receives a BPDU, tag it with the VLAN tag assigned to the customer by the service provider. Thus, the BPDU can be forwarded as a normal packet in the service provider network.

• To prevent a BPDU from being processed by devices in the service provider network, assign a specific multicast MAC address to the tagged BPDU as the destination MAC address. At the same time, tag the BPDU with the VLAN tag of the service provider network. Thus, BPDUs can be forwarded in VLANs of the service provider network, and a BPDU traveling along a BPDU tunnel can be identified by the specific multicast MAC address. When the BPDU leaves the service provider network, its outer VLAN tag is removed and its destination MAC address is restored to the original destination MAC address of the BPDU.

2.1.2  Why BPDU Tunnel

BPDU tunnel enables customer networks to exchange BPDUs transparently through QinQ-enabled devices in service provider networks.

After you enable STP BPDUs to be transparently transmitted in service provider networks, uniform STP calculation can be performed in different customer networks, and the spanning trees of customer networks and those in service provider networks are independent of each other.

As shown in Figure 2-1, the upper part is the service provider network, and the lower part represents customer networks. The service provider network comprises BPDU input/output devices. Network A and network B are customer networks. By enabling the BPDU tunnel function on the BPDU input/output devices in the service provider network, you can have BPDUs of customer networks transparently transmitted in the service provider network.

Figure 2-1 Network hierarchy of BPDU tunnel

In this case, BPDUs are processed in the following way in the service provider network.

• At the BPDU input side, a BPDU is tagged with the VLAN tag assigned to the customer network by the service provider, and the destination MAC address of the BPDU is changed to a multicast MAC address. Figure 2-2 shows the format of a BPDU traveling in a service provider network.

Figure 2-2 Format of a BPDU packet traveling in a service provider network

• At the packet output side, BPDUs with the specific multicast MAC address are passed to the CPU for processing, restored to the original ones, and then sent to the customer networks.
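The input-side and output-side processing described above, as an added example that is not part of the H3C manual. The manual does not state the tunnel multicast MAC address, so TUNNEL_DST below is a placeholder; the function names, source MAC and sample BPDU are constructed, and VLAN 2 and VLAN 4 are the provider VLANs used in section 2.3.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")     # bridge group address used by STP BPDUs
TUNNEL_DST = bytes.fromhex("030000000001")  # PLACEHOLDER multicast MAC, not H3C's value
DOT1Q_TPID = 0x8100


def tunnel_ingress(frame, provider_vlan):
    """BPDU input side: tag the BPDU and swap in the tunnel multicast MAC."""
    if frame[:6] != STP_DST:
        return None  # not a customer BPDU, so not handled by the tunnel
    tag = struct.pack("!HH", DOT1Q_TPID, provider_vlan & 0x0FFF)
    return TUNNEL_DST + frame[6:12] + tag + frame[12:]


def tunnel_egress(frame, provider_vlan):
    """BPDU output side: strip the tag and restore the original destination MAC."""
    if frame[:6] != TUNNEL_DST or len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != DOT1Q_TPID or (tci & 0x0FFF) != provider_vlan:
        return None  # tagged for another customer's VLAN, or not tagged at all
    return STP_DST + frame[6:12] + frame[16:]


def processed_as_bpdu(frame):
    """True if a provider switch's own spanning tree would consume this frame."""
    return frame[:6] == STP_DST


# Constructed sample: 802.3/LLC STP configuration BPDU with an all-zero body.
CUSTOMER_SRC = bytes.fromhex("0200000000c1")
LLC_STP = bytes.fromhex("424203")
BPDU = STP_DST + CUSTOMER_SRC + struct.pack("!H", 3 + 35) + LLC_STP + bytes(35)

if __name__ == "__main__":
    tunnelled = tunnel_ingress(BPDU, provider_vlan=2)
    print("consumed by provider STP:", processed_as_bpdu(tunnelled))
    print("restored at VLAN 2 edge:", tunnel_egress(tunnelled, 2) == BPDU)
    print("delivered to VLAN 4 edge:", tunnel_egress(tunnelled, 4) is not None)
```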

2.2  Configuring BPDU Tunnel

2.2.1  Configuration Prerequisites

MSTP is enabled on the devices.

2.2.2  Configuring BPDU Tunnel

Perform the following tasks to configure BPDU tunnel:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable BPDU tunnel globally | bpdu-tunnel dot1q enable | Optional. Enabled by default. BPDU tunnel is available to a port only when it is enabled globally. |
| Enter Ethernet port view or port group view | Ethernet port view: interface interface-type interface-number; port group view: port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configuration performed in Ethernet port view applies to the current port only. Configuration performed in port group view applies to all the ports in the port group. |
| Enable BPDU tunnel for the Ethernet port | bpdu-tunnel dot1q enable | Required. Disabled by default. When BPDU tunnel is enabled, BPDUs of the service provider network are isolated from those of the customer networks. |
| Disable STP for the Ethernet port | stp disable | Required. Enabled by default. Before enabling STP BPDU tunnel for an Ethernet port, you need to disable STP for the port. |
| Enable STP BPDU tunnel for the Ethernet port | bpdu-tunnel dot1q stp | Required. By configuring this command on the port with BPDU tunnel enabled, STP BPDU tunnel is enabled for the port. |

 

Note:

• For an Ethernet port, as STP is incompatible with STP BPDU tunnel, the two features cannot be enabled at the same time. Before enabling STP BPDU tunnel for a port, make sure STP is not enabled on the port.

• For an Ethernet port, as the BPDU tunnel feature is incompatible with GVRP, the two features cannot be enabled at the same time. Before enabling BPDU tunnel for a port, make sure GVRP is not enabled on the port.

• For an Ethernet port, as the BPDU tunnel feature is incompatible with NTDP, the two features cannot be enabled at the same time. Before enabling BPDU tunnel for a port, make sure NTDP is not enabled on the port (you can use the undo ntdp enable command to disable NTDP). For information about NTDP, refer to the Cluster part in this manual.

 

2.3  BPDU Tunnel Configuration Example

I. Network requirements

• Customer 1, Customer 2, Customer 3, and Customer 4 are access devices of customer networks.

• Provider 1, Provider 2, and Provider 3 are access devices of the service provider network, which are interconnected through trunk ports. They belong to VLAN 2 of the service provider network.

• STP BPDU tunnel is enabled on GigabitEthernet1/0/4, GigabitEthernet1/0/3, and GigabitEthernet1/0/5. STP packets from Customer 1, Customer 3 and Customer 4 can be transmitted transparently in the service provider network.

• BPDU tunnel is enabled on GigabitEthernet1/0/2 to isolate BPDUs of Customer 2 from those of the service provider network.

II. Network diagram

Figure 2-3 Network diagram for BPDU tunnel configuration

III. Configuration procedure

1)         Configuration on Provider 1

# Enable STP BPDU tunnel for GigabitEthernet 1/0/4.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/4

[Sysname-GigabitEthernet1/0/4] port access vlan 2

[Sysname-GigabitEthernet1/0/4] stp disable

[Sysname-GigabitEthernet1/0/4] bpdu-tunnel dot1q enable

[Sysname-GigabitEthernet1/0/4] bpdu-tunnel dot1q stp

2)         Configuration on Provider 2

# Enable BPDU tunnel for GigabitEthernet 1/0/2.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/2

[Sysname-GigabitEthernet1/0/2] port access vlan 4

[Sysname-GigabitEthernet1/0/2] bpdu-tunnel dot1q enable

3)         Configuration on Provider 3

# Enable STP BPDU tunnel for GigabitEthernet 1/0/3.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/3

[Sysname-GigabitEthernet1/0/3] port access vlan 2

[Sysname-GigabitEthernet1/0/3] stp disable

[Sysname-GigabitEthernet1/0/3] bpdu-tunnel dot1q enable

[Sysname-GigabitEthernet1/0/3] bpdu-tunnel dot1q stp

[Sysname-GigabitEthernet1/0/3] quit

# Enable STP BPDU tunnel for GigabitEthernet 1/0/5.

[Sysname] interface GigabitEthernet 1/0/5

[Sysname-GigabitEthernet1/0/5] port access vlan 2

[Sysname-GigabitEthernet1/0/5] stp disable

[Sysname-GigabitEthernet1/0/5] bpdu-tunnel dot1q enable

[Sysname-GigabitEthernet1/0/5] bpdu-tunnel dot1q stp

 
