H3C S3610[5510] Series Ethernet Switches Operation Manual-Release 0001-(V1.02)
04-QinQ-BPDU Tunnel Operation
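Table of Contents
Chapter 1 QinQ Configuration
1.1 Introduction to QinQ
1.1.1 Understanding QinQ
1.1.2 Implementations of QinQ
1.1.3 Adjustable TPID Value of QinQ Frames
1.2 Basic QinQ Configuration
1.3 Selective QinQ Configuration
1.4 Adjustable TPID Configuration
1.5 QinQ Configuration Example
Chapter 2 BPDU Tunnel Configuration
2.1 Introduction to BPDU Tunnel
2.1.1 Problems in QinQ-Enabled Network
2.1.2 Why BPDU Tunnel
2.2 BPDU Tunnel Configuration
2.2.1 Configuration Prerequisites
2.2.2 Configuring BPDU Tunnel
2.3 BPDU Tunnel Configuration Example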
Chapter 1 QinQ Configuration
1.1 Introduction to QinQ
1.1.1 Understanding QinQ
In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a device can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.
The port QinQ feature provided by the H3C S3610&S5510 series Ethernet switches enables the encapsulation of double VLAN tags within an Ethernet frame, with the inner VLAN tag being the customer network VLAN tag while the outer one being the VLAN tag assigned by the service provider to the customer. The devices of the service provider forward frames based on the outer VLAN tag and add the source MAC addresses to the MAC address table of the VLANs corresponding to the outer VLAN tags. However, the customer network VLAN tag is shielded during data transmission.
Figure 1-1 shows the structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature enables a device to support up to 4,094 x 4,094 VLANs to satisfy the requirement for the number of VLANs in the MAN.
Figure 1-1 802.1Q-tagged frame structure vs. double-tagged Ethernet frame structure
Advantages of QinQ:
- Addresses the shortage of public VLAN ID resources.
- Enables customers to plan their own VLAN IDs, without running into conflicts with public network VLAN IDs.
- Provides a simple Layer 2 VPN solution for small-sized MANs or intranets.
Note:
The QinQ feature requires configurations only on the service provider network, and not on the customer network.
1.1.2 Implementations of QinQ
There are two types of QinQ implementations: basic QinQ and selective QinQ.
1) Basic QinQ
Basic QinQ is a port-based feature, which is implemented through VLAN VPN.
With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the port will tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged. If the received frame is already tagged, this frame becomes a double-tagged frame; if it is an untagged frame, it is tagged with the port’s default VLAN tag.
2) Selective QinQ
Selective QinQ is more flexible and is implemented based on both VLAN tag and port. In addition to all the functions of basic QinQ, selective QinQ can take different actions based on the VLAN tags carried by received frames, including tagging received frames with different outer VLAN tags based on their inner VLAN tags.
1.1.3 Adjustable TPID Value of QinQ Frames
A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100.
Figure 1-2 shows the structure of an Ethernet frame defined in IEEE 802.1Q.
Figure 1-2 Tag structure of an Ethernet frame
1.2 Basic QinQ Configuration
Follow these steps to configure basic QinQ:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter Ethernet port view or port group view | interface interface-type interface-number (Ethernet port view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group. |
Enable basic QinQ for the Ethernet port | qinq enable | Required. Disabled by default. |
Note:
- For the same port, the basic QinQ feature and the selective QinQ feature cannot be enabled simultaneously.
- Do not enable the Voice VLAN feature and the basic QinQ feature at the same time. Otherwise, the voice VLAN feature may operate improperly.
1.3 Selective QinQ Configuration
The outer VLAN tag inserted by the basic QinQ feature is the VLAN tag corresponding to the port’s default VLAN ID, while the selective QinQ feature can add different VLAN tags according to the inner VLAN tags carried in received frames.
Note:
- For the same port, the selective QinQ feature and the basic QinQ feature cannot be enabled simultaneously.
- Do not enable the Voice VLAN feature and the selective QinQ feature at the same time. Otherwise, the voice VLAN feature may operate improperly.
Follow these steps to configure the selective QinQ function:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter Ethernet port view or port group view | interface interface-type interface-number (Ethernet port view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group. |
Create a QinQ instance (which also leads you to QinQ view) to configure the outer VLAN tag to be added to received frames | qinq vid vlan-id | Required. By default, no outer VLAN tag is specified. |
Specify the VLANs whose frames are to be tagged with the outer VLAN tag | raw-vlan-id inbound { all \| vlan-id-list } | Required. By default, a frame is not tagged with an outer VLAN tag no matter which VLAN it belongs to. |
Caution:
- Selective QinQ can be configured on access ports, trunk ports, and hybrid ports connecting customer networks to service provider networks.
- An inner VLAN tag corresponds to only one outer VLAN tag. To change an outer VLAN tag, you must remove it first and then reconfigure one.
- When you use the qinq vid command to configure selective QinQ, you must also either configure the outgoing port of the local switch to remove the tags of the packets, or configure the corresponding ports of the other switches to permit the tagged packets.
1.4 Adjustable TPID Configuration
Follow these steps to configure the TPID values of frames for a port:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter Ethernet port view | interface interface-type interface-number | — |
Configure a global QinQ TPID | qinq ethernet-type hex-value | Optional. 0x8100 by default. |
Note:
The S3610&S5510 series Ethernet switches support only one TPID value at a time besides that defined in IEEE 802.1Q. That is, the TPID values configured for multiple ports of a switch must be the same.
1.5 QinQ Configuration Example
I. Network requirements
- Provider 1 and Provider 2 are service provider network access devices.
- Customer 1, Customer 2 and Customer 3 are customer network access devices.
- Provider 1 and Provider 2 are interconnected through trunk ports. Frames of VLAN 1000 and VLAN 2000 in the service provider network are permitted.
- Customer 1 can send frames of VLAN 10 and VLAN 20. It is required that frames of VLAN 10 can be exchanged between Customer 1 and Customer 2, and those of VLAN 20 can be exchanged between Customer 1 and Customer 3.
- QinQ is enabled for Ethernet1/0/2 of Provider 1 and Ethernet1/0/3 of Provider 2. The QinQ TPID of both is 0x8200.
II. Network diagram
Figure 1-3 Network diagram for QinQ configuration
III. Configuration procedure
Note:
With this configuration, the user must allow the QinQ packets to pass between the devices of the service providers.
1) Configuration on Provider 1
# Enter system view
<Sysname> system-view
# Configure Ethernet1/0/1 as a hybrid port, and permit the frames of VLAN 10, VLAN 20, VLAN 1000 and VLAN 2000. Remove the tags of the frames of VLAN 1000 and VLAN 2000 before forwarding the frames. Keep the tags of the frames of VLAN 10 and VLAN 20 untouched.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type hybrid
[Sysname-Ethernet1/0/1] port hybrid vlan 10 20 tagged
[Sysname-Ethernet1/0/1] port hybrid vlan 1000 2000 untagged
# Add the tag of VLAN 1000 as the outer tag for the frames of VLAN 10.
[Sysname-Ethernet1/0/1] qinq vid 1000
[Sysname-Ethernet1/0/1-vid-1000] raw-vlan-id inbound 10
[Sysname-Ethernet1/0/1-vid-1000] quit
# Add the tag of VLAN 2000 as the outer tag for the frames of VLAN 20.
[Sysname-Ethernet1/0/1] qinq vid 2000
[Sysname-Ethernet1/0/1-vid-2000] raw-vlan-id inbound 20
[Sysname-Ethernet1/0/1-vid-2000] quit
[Sysname-Ethernet1/0/1] quit
# Configure Ethernet 1/0/2 as a trunk port, and permit the frames of VLAN 1000 and VLAN 2000.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port link-type trunk
[Sysname-Ethernet1/0/2] port trunk permit vlan 1000 2000
# Set the TPID value of Ethernet1/0/2 to 0x8200.
[Sysname-Ethernet1/0/2] qinq ethernet-type 8200
2) Configuration on Provider 2
# Configure Ethernet 1/0/3 as a trunk port, and permit the frames of VLAN 1000 and VLAN 2000.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] port link-type trunk
[Sysname-Ethernet1/0/3] port trunk permit vlan 1000 2000
# Set the QinQ TPID value of Ethernet1/0/3 to 0x8200.
[Sysname-Ethernet1/0/3] qinq ethernet-type 8200
[Sysname-Ethernet1/0/3] quit
# Configure Ethernet1/0/4 as a hybrid port, and configure the port to permit the frames of VLAN 10 and VLAN 1000. Remove the tags of frames of VLAN 1000 when these frames are forwarded and keep those of the frames of VLAN 10 untouched.
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] port link-type hybrid
[Sysname-Ethernet1/0/4] port hybrid vlan 10 tagged
[Sysname-Ethernet1/0/4] port hybrid vlan 1000 untagged
# Add the tag of VLAN 1000 as the outer tag for the frames of VLAN 10.
[Sysname-Ethernet1/0/4] qinq vid 1000
[Sysname-Ethernet1/0/4-vid-1000] raw-vlan-id inbound 10
[Sysname-Ethernet1/0/4-vid-1000] quit
# Configure Ethernet1/0/5 as a hybrid port, and configure the port to permit the frames of VLAN 20 and VLAN 2000. Remove the tags of the frames of VLAN 2000 when these frames are forwarded and keep those of the frames of VLAN 20 untouched.
[Sysname] interface Ethernet 1/0/5
[Sysname-Ethernet1/0/5] port link-type hybrid
[Sysname-Ethernet1/0/5] port hybrid vlan 20 tagged
[Sysname-Ethernet1/0/5] port hybrid vlan 2000 untagged
# Add the tag of VLAN 2000 as the outer VLAN tag for frames of VLAN 20.
[Sysname-Ethernet1/0/5] qinq vid 2000
[Sysname-Ethernet1/0/5-vid-2000] raw-vlan-id inbound 20
[Sysname-Ethernet1/0/5-vid-2000] quit
After the above configuration, the frames of VLAN 10 and VLAN 20 coming from Customer 1 are double-tagged when transmitted by the trunk ports of Provider 1 and Provider 2:
- The frames from VLAN 10 are transmitted with the tag of VLAN 1000 as the outer tag, and the TPID carried in the outer tag is 0x8200.
- The frames from VLAN 20 are transmitted with the tag of VLAN 2000 as the outer tag, and the TPID carried in the outer tag is 0x8200.
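The double-tagged frames produced by this configuration can be modelled in a few lines of Python. This is an added example, not part of the H3C manual: it pushes the outer tag selected by the inner VLAN ID and parses the result, showing that a receiver still expecting TPID 0x8100 no longer recognises the frame as VLAN-tagged. The function names, MAC addresses and payload are constructed for illustration, and applying the 0x8200 TPID at the moment the outer tag is pushed is a simplification.

```python
import struct

DOT1Q_TPID = 0x8100                     # TPID defined in IEEE 802.1Q
PROVIDER_TPID = 0x8200                  # "qinq ethernet-type 8200" in the example
INNER_TO_OUTER = {10: 1000, 20: 2000}   # "qinq vid" / "raw-vlan-id inbound" pairs

def vlan_tag(tpid, vid):
    """4-byte tag: 16-bit TPID, then TCI (3-bit priority, 1-bit CFI, 12-bit VLAN ID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", tpid, vid)   # priority and CFI left at 0

def parse_tags(frame, outer_tpid=DOT1Q_TPID):
    """Return ([(tpid, vid), ...] outermost first, ethertype, payload).
    Only the outermost tag may use outer_tpid; inner tags must use 0x8100."""
    tags, off = [], 12                  # skip destination and source MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != DOT1Q_TPID and not (etype == outer_tpid and not tags):
            return tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4

def selective_qinq(frame, mapping=INNER_TO_OUTER, tpid=PROVIDER_TPID):
    """Model of the provider edge: push the outer tag chosen by the inner VLAN ID.
    Frames that are untagged or whose VLAN has no mapping are returned unchanged."""
    tags, _, _ = parse_tags(frame)
    if not tags or tags[0][1] not in mapping:
        return frame
    return frame[:12] + vlan_tag(tpid, mapping[tags[0][1]]) + frame[12:]

def customer_frame(vid):
    """Constructed sample: single-tagged IPv4 frame with placeholder MACs and payload."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + vlan_tag(DOT1Q_TPID, vid) + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    on_trunk = selective_qinq(customer_frame(10))
    print(parse_tags(on_trunk, outer_tpid=PROVIDER_TPID))
    # A peer still expecting 0x8100 sees no VLAN tag at all, only EtherType 0x8200.
    print(parse_tags(on_trunk))
```

The second call is the case to watch for when the TPID is changed on only one end of the trunk link.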
Chapter 2 BPDU Tunnel Configuration
2.1 Introduction to BPDU Tunnel
2.1.1 Problems in QinQ-Enabled Network
In a QinQ implementation, as the service provider network is transparent to customer networks, any redundant links between the two bring about loops. To solve this problem, the service provider network needs to be capable of transmitting STP/RSTP/MSTP packets transparently, through which spanning trees of customer networks can be established across the service provider network and loops can thus be eliminated.
STP/RSTP/MSTP identifies the network topology by transmitting bridge protocol data units (BPDUs) between network devices. For the purpose of transmitting BPDUs transparently in service provider networks, the following requirements must be satisfied:
- All branches in a customer network can receive their own BPDUs.
- BPDUs of different customer networks must be isolated from each other.
These requirements can be met in the following ways.
- When a port receives a BPDU, tag it with the VLAN tag assigned to the customer by the service provider. Thus, the BPDU can be forwarded as a normal packet in the service provider network.
- To prevent a BPDU from being processed by devices in the service provider network, assign a specific multicast MAC address to the tagged BPDU as the destination MAC address. At the same time, tag the BPDU with the VLAN tag of the service provider network. Thus, BPDUs can be forwarded in VLANs of the service provider network; on the other hand, a BPDU traveling along a BPDU tunnel can be identified by the specific multicast MAC address. When the BPDU leaves the service provider network, its outer VLAN tag is removed and its destination MAC address is restored to the original destination MAC address of the BPDU.
2.1.2 Why BPDU Tunnel
BPDU tunnel enables customer networks to exchange BPDUs transparently through QinQ-enabled devices in service provider networks.
After you enable STP BPDUs to be transparently transmitted in service provider networks, uniform STP calculation can be performed in different customer networks, and the spanning trees of customer networks and those in service provider networks are independent of each other.
As shown in Figure 2-1, the upper part is the service provider network, and the lower part represents customer networks. The service provider network comprises BPDU input/output devices. Network A and network B are customer networks. By enabling the BPDU tunnel function on the BPDU input/output devices in the service provider network, you can have BPDUs of customer networks transparently transmitted in the service provider network.
Figure 2-1 Network hierarchy of BPDU tunnel
In this case, BPDUs are processed in the following way in the service provider network.
- At the BPDU input side, a BPDU is tagged with the VLAN tag assigned to the customer network by the service provider, and the destination MAC address of the BPDU is changed to a multicast MAC address (0100-0CCD-CDD0). Figure 2-2 shows the format of a BPDU traveling in a service provider network.
Figure 2-2 Format of a BPDU packet traveling in a service provider network
- At the packet output side, BPDUs with the specific multicast MAC address are passed to the CPU for processing, restored to their original form, and then sent to the customer networks.
Caution:
When performing BPDU Tunnel configuration to enable BPDUs from the customer network to be transmitted through the service provider network transparently, you need to make sure that the VLAN tags of the BPDUs are not changed or removed. Otherwise, the BPDUs cannot be transmitted properly.
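The input-side and output-side handling described above, as an added Python example that is not part of the H3C manual. It is a simplified model under stated assumptions: the tag is inserted directly after the source MAC with TPID 0x8100, the original destination is the IEEE bridge group address 0180-C200-0000, and a tunnelled BPDU whose tag was removed or changed in transit is not restored. Function names and the sample frame are constructed for illustration.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")     # IEEE bridge group address of STP BPDUs
TUNNEL_DST = bytes.fromhex("01000ccdcdd0")  # 0100-0CCD-CDD0, from the text above
TPID = 0x8100                               # assumed TPID of the provider tag

def handled_by_local_stp(frame):
    """A provider switch's own STP only consumes frames sent to the bridge group
    address; everything else is forwarded as ordinary data in its VLAN."""
    return frame[:6] == STP_DST

def tunnel_in(frame, provider_vlan):
    """Input side: replace the destination MAC and insert the provider VLAN tag."""
    if frame[:6] != STP_DST:
        raise ValueError("not an STP BPDU")
    tag = struct.pack("!HH", TPID, provider_vlan)
    return TUNNEL_DST + frame[6:12] + tag + frame[12:]

def tunnel_out(frame, provider_vlan):
    """Output side: restore a tunnelled BPDU that still carries the expected tag.
    Returns None for anything else, including a BPDU whose tag was altered."""
    if len(frame) < 16 or frame[:6] != TUNNEL_DST:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID or (tci & 0x0FFF) != provider_vlan:
        return None
    return STP_DST + frame[6:12] + frame[16:]

def sample_bpdu():
    """Constructed 802.3/LLC frame: placeholder source MAC, LLC header 42-42-03
    and a zero-filled placeholder BPDU body."""
    body = bytes.fromhex("424203") + bytes(35)
    src = bytes.fromhex("020000000001")
    return STP_DST + src + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    original = sample_bpdu()
    tunnelled = tunnel_in(original, provider_vlan=2)
    print("provider STP would process it:", handled_by_local_stp(tunnelled))
    print("restored intact:", tunnel_out(tunnelled, 2) == original)
    stripped = tunnelled[:12] + tunnelled[16:]      # tag removed in transit
    print("restored after tag removal:", tunnel_out(stripped, 2) is not None)
```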
2.2 BPDU Tunnel Configuration
2.2.1 Configuration Prerequisites
MSTP is enabled on the devices.
2.2.2 Configuring BPDU Tunnel
Perform the following tasks to configure BPDU tunnel:
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable BPDU tunnel globally | bpdu-tunnel dot1q enable | Optional. Enabled by default. BPDU tunnel is available to a port only when it is enabled globally. |
Enter Ethernet port view or port group view | interface interface-type interface-number (Ethernet port view), or port-group { manual port-group-name \| aggregation agg-id } (port group view) | Use either command. Configuration performed in Ethernet port view applies to the current port only. Configuration performed in port group view applies to all the ports in the port group. |
Enable BPDU tunnel for the Ethernet port | bpdu-tunnel dot1q enable | Required. Disabled by default. When BPDU tunnel is enabled, BPDUs of the service provider network are isolated from those of the customer networks. |
Disable STP for the Ethernet port | stp disable | Required. Enabled by default. |
Enable STP BPDU tunnel for the Ethernet port | bpdu-tunnel dot1q stp | Required. By configuring this command on the port with BPDU tunnel enabled, STP BPDU tunnel is enabled for the port. |
Note:
- For an Ethernet port, as STP is incompatible with STP BPDU tunnel, the two features cannot be enabled at the same time. Before enabling STP BPDU tunnel for a port, make sure STP is not enabled on the port.
- For an Ethernet port, as the BPDU tunnel feature is incompatible with GVRP, the two features cannot be enabled at the same time. Before enabling BPDU tunnel for a port, make sure GVRP is not enabled on the port.
- For an Ethernet port, as the BPDU tunnel feature is incompatible with NTDP, the two features cannot be enabled at the same time. Before enabling BPDU tunnel for a port, make sure NTDP is not enabled on the port (you can use the undo ntdp enable command to disable NTDP). For information about NTDP, refer to the Cluster part in this manual.
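Several of the restrictions in this manual can be checked mechanically before a change is applied. The following Python sketch is an added example, not an H3C tool: it reads a command transcript in the prompt format used in this manual and flags basic and selective QinQ on the same port, STP BPDU tunnel without BPDU tunnel or with STP still enabled, and more than one non-802.1Q TPID on a switch. It assumes the transcript covers a single switch and does not model undo commands or command order; the sample transcript is constructed.

```python
import re

# Prompt lines as shown in this manual: [Sysname-Ethernet1/0/4] command
PROMPT = re.compile(r"^\[\S+?-(Ethernet\d+/\d+/\d+)(?:-vid-\d+)?\]\s*(\S.*)$")

def commands_by_port(transcript):
    """Map each port name to the list of commands entered in its view."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            ports.setdefault(m.group(1), []).append(" ".join(m.group(2).split()))
    return ports

def audit(transcript):
    """Return sorted (port, finding) pairs for one switch. Commands are treated
    as a set per port: 'undo' forms and command order are not modelled."""
    findings, tpids = [], set()
    for port, cmds in commands_by_port(transcript).items():
        if "qinq enable" in cmds and any(c.startswith("qinq vid ") for c in cmds):
            findings.append((port, "basic and selective QinQ on the same port"))
        if "bpdu-tunnel dot1q stp" in cmds:
            if "bpdu-tunnel dot1q enable" not in cmds:
                findings.append((port, "STP BPDU tunnel without BPDU tunnel enabled"))
            if "stp disable" not in cmds:        # STP is enabled by default
                findings.append((port, "STP BPDU tunnel while STP is enabled"))
        for c in cmds:
            if c.startswith("qinq ethernet-type "):
                tpids.add(int(c.split()[2], 16))
    if len(tpids - {0x8100}) > 1:                # only one extra TPID is supported
        findings.append(("switch", "more than one non-802.1Q TPID configured"))
    return sorted(findings)

# Constructed transcript for one switch, with deliberate mistakes
SAMPLE = """\
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] qinq enable
[Sysname-Ethernet1/0/1] qinq vid 1000
[Sysname-Ethernet1/0/1-vid-1000] raw-vlan-id inbound 10
[Sysname-Ethernet1/0/1-vid-1000] quit
[Sysname-Ethernet1/0/2] qinq ethernet-type 8200
[Sysname-Ethernet1/0/3] qinq ethernet-type 9100
[Sysname-Ethernet1/0/4] bpdu-tunnel dot1q enable
[Sysname-Ethernet1/0/4] bpdu-tunnel dot1q stp
[Sysname-Ethernet1/0/5] stp disable
[Sysname-Ethernet1/0/5] bpdu-tunnel dot1q enable
[Sysname-Ethernet1/0/5] bpdu-tunnel dot1q stp
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(f"{port}: {finding}")
```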
2.3 BPDU Tunnel Configuration Example
I. Network requirements
- Customer 1, Customer 2, Customer 3, and Customer 4 are access devices of customer networks.
- Provider 1, Provider 2, and Provider 3 are access devices of the service provider network, which are interconnected through trunk ports. They belong to VLAN 2 of the service provider network.
- STP BPDU tunnel is enabled on Ethernet1/0/4, Ethernet1/0/3, and Ethernet1/0/5. STP packets from Customer 1, Customer 3 and Customer 4 can be transmitted transparently in the service provider network.
- BPDU tunnel is enabled on Ethernet1/0/2 to isolate BPDUs of Customer 2 from those of the service provider network.
II. Network diagram
Figure 2-3 Network diagram for BPDU tunnel configuration
III. Configuration procedure
1) Configuration on Provider 1
# Enable STP BPDU tunnel for Ethernet 1/0/4.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] port access vlan 2
[Sysname-Ethernet1/0/4] stp disable
[Sysname-Ethernet1/0/4] bpdu-tunnel dot1q enable
[Sysname-Ethernet1/0/4] bpdu-tunnel dot1q stp
2) Configuration on Provider 2
# Enable BPDU tunnel for Ethernet 1/0/2.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port access vlan 4
[Sysname-Ethernet1/0/2] bpdu-tunnel dot1q enable
3) Configuration on Provider 3
# Enable BPDU tunnel for STP packets on Ethernet 1/0/3.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] port access vlan 2
[Sysname-Ethernet1/0/3] stp disable
[Sysname-Ethernet1/0/3] bpdu-tunnel dot1q enable
[Sysname-Ethernet1/0/3] bpdu-tunnel dot1q stp
[Sysname-Ethernet1/0/3] quit
# Enable BPDU tunnel for STP packets on Ethernet1/0/5.
[Sysname] interface Ethernet 1/0/5
[Sysname-Ethernet1/0/5] port access vlan 2
[Sysname-Ethernet1/0/5] stp disable
[Sysname-Ethernet1/0/5] bpdu-tunnel dot1q enable
[Sysname-Ethernet1/0/5] bpdu-tunnel dot1q stp