H3C S5500-SI Series Ethernet Switches Operation Manual(V1.01)
04-QinQ-BPDU TUNNEL Configuration
Table of Contents
1.1.3 Modification of TPID Value of QinQ Frames
1.3 Configuring Selective QinQ
1.4 Configuring the TPID Value to Be Carried in VLAN Tags
1.5 QinQ Configuration Example
Chapter 2 BPDU Tunneling Configuration
2.1 Introduction to BPDU Tunneling
2.1.2 How BPDU Tunneling Works
2.2 Configuring BPDU Isolation
2.3 Configuring BPDU Transparent Transmission
2.4 Configuring Destination Multicast MAC Address for BPDU Tunnel Frames
2.5 BPDU Tunneling Configuration Example
Chapter 1 QinQ Configuration
When configuring QinQ, go to these sections for information you are interested in:
- Configuring the TPID Value to Be Carried in VLAN Tags
1.1 Introduction to QinQ
In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a switch can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.
1.1.1 Understanding QinQ
The port QinQ feature is a flexible, easy-to-implement Layer 2 VPN technique, which enables the access point to encapsulate an outer VLAN tag in Ethernet frames from customer networks (private networks), so that the Ethernet frames will travel across the service provider’s backbone network (public network) with double VLAN tags. The inner VLAN tag is the customer network VLAN tag while the outer one is the VLAN tag assigned by the service provider to the customer. In the public network, frames are forwarded based on the outer VLAN tag only, with the source MAC address learned as a MAC address table entry for the VLAN indicated by the outer tag, while the customer network VLAN tag is transmitted as part of the data in the frames.
Figure 1-1 shows the structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature enables a device to support up to 4,094 x 4,094 VLANs to satisfy the requirement for the number of VLANs in the MAN.
Figure 1-1 Single-tagged frame structure vs. double-tagged Ethernet frame structure
Advantages of QinQ:
- Addresses the shortage of public VLAN ID resource.
- Enables customers to plan their own VLAN IDs, without running into conflicts with public network VLAN IDs.
- Provides an easy-to-do Layer 2 VPN solution for small-sized MANs or intranets.
Note:
The QinQ feature requires configurations only on the service provider network, and not on the customer network.
1.1.2 Implementations of QinQ
There are two types of QinQ implementations: basic QinQ and selective QinQ.
1) Basic QinQ
Basic QinQ is a port-based feature, which is implemented through VLAN VPN.
With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the switch will tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged. If the received frame is already tagged, this frame becomes a double-tagged frame; if it is an untagged frame, it is tagged with the port’s default VLAN tag.
2) Selective QinQ
Selective QinQ is a more flexible, VLAN-based implementation of QinQ. In addition to all the functions of basic QinQ, selective QinQ can tag the frame with different outer VLAN tags based on different inner VLAN IDs.
Note:
For an S5500-SI switch with both basic QinQ function and selective QinQ function enabled, packets received are processed according to the settings of selective QinQ first. Those that do not match selective QinQ settings are tagged with outer VLAN tags according to the basic QinQ settings.
1.1.3 Modification of TPID Value of QinQ Frames
A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100.
Figure 1-2 shows the 802.1Q-defined tag structure of an Ethernet frame.
Figure 1-2 VLAN Tag structure of an Ethernet frame
Normally, a frame whose TPID field is 0x8100 is regarded as carrying a VLAN tag and is processed in the preset way when it reaches a switch. Frames whose TPID is not 0x8100 are regarded as carrying no VLAN tag.
After you configure the TPID value to be adjustable, the switch replaces the TPID value in the outer VLAN tag of a received frame with the customer-defined value before forwarding the frame, so that the frame, when arriving at the public network, is of a specific protocol type. This enables a switch to communicate with devices of other vendors.
The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag. To avoid problems in packet forwarding and handling in the network, you cannot set the TPID value to any of the values in the table below.
Table 1-1 Reserved protocol type values
Protocol type | Value |
---|---|
ARP | 0x0806 |
PUP | 0x0200 |
RARP | 0x8035 |
IP | 0x0800 |
IPv6 | 0x86DD |
PPPoE | 0x8863/0x8864 |
MPLS | 0x8847/0x8848 |
IPX/SPX | 0x8137 |
IS-IS | 0x8000 |
LACP | 0x8809 |
802.1x | 0x888E |
Cluster | 0x88A7 |
Reserved | 0xFFFD/0xFFFE/0xFFFF |
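The tagging behaviour described in sections 1.1.2 and 1.1.3, as an added Python example that is not taken from the H3C manual: it builds the outer tag with selective QinQ consulted before basic QinQ, rejects the TPID values of Table 1-1, and shows that a receiver expecting 0x8100 treats a frame with another outer TPID as untagged. Function names, the sample frame and its MAC addresses are constructed for illustration, and the model applies the configured TPID when the outer tag is added.

```python
import struct

DOT1Q_TPID = 0x8100  # TPID defined in IEEE 802.1Q
# Protocol type values from Table 1-1 that must not be used as a TPID.
RESERVED_TPIDS = {
    0x0806, 0x0200, 0x8035, 0x0800, 0x86DD, 0x8863, 0x8864, 0x8847, 0x8848,
    0x8137, 0x8000, 0x8809, 0x888E, 0x88A7, 0xFFFD, 0xFFFE, 0xFFFF,
}


def check_tpid(tpid):
    """Return tpid, or raise if it collides with a Table 1-1 protocol type."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must fit in 16 bits")
    if tpid in RESERVED_TPIDS:
        raise ValueError(f"TPID 0x{tpid:04X} is a reserved protocol type")
    return tpid


def vlan_tag(tpid, vid):
    """4-byte tag: 16-bit TPID, priority/CFI bits (left at 0), 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return struct.pack("!HH", tpid, vid)


def qinq_ingress(frame, pvid, selective=None, outer_tpid=DOT1Q_TPID):
    """Add the outer tag the way a QinQ port does (simplified model).

    selective maps inner VLAN ID -> outer VLAN ID and is consulted first;
    frames that match no entry, tagged or not, get the port default VLAN.
    The configured TPID is applied here rather than at forwarding time.
    """
    check_tpid(outer_tpid)
    outer_vid = pvid
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid == DOT1Q_TPID and selective:
        outer_vid = selective.get(tci & 0x0FFF, pvid)
    return frame[:12] + vlan_tag(outer_tpid, outer_vid) + frame[12:]


def read_tags(frame, outer_tpid=DOT1Q_TPID):
    """VLAN IDs seen by a receiver that expects outer_tpid, outermost first.

    If the first tag carries another TPID the frame counts as untagged and
    the result is empty.
    """
    vids, offset, expected = [], 12, outer_tpid
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != expected:
            break
        vids.append(tci & 0x0FFF)
        offset, expected = offset + 4, DOT1Q_TPID  # inner tag keeps 0x8100
    return vids


# Constructed sample: customer frame in VLAN 10 carrying an IPv4 payload.
CUSTOMER_FRAME = (
    bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    + vlan_tag(DOT1Q_TPID, 10) + struct.pack("!H", 0x0800) + bytes(46)
)


if __name__ == "__main__":
    out = qinq_ingress(CUSTOMER_FRAME, 1, {10: 1000, 20: 2000}, outer_tpid=0x8200)
    print(read_tags(out, outer_tpid=0x8200), read_tags(out))
```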
1.2 Configuring Basic QinQ
Follow these steps to configure basic QinQ:
To do... | | Use the command... | Remarks |
---|---|---|---|
Enter system view | | system-view | — |
Enter Ethernet port view or port group view | Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
Enter Ethernet port view or port group view | Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
Enable QinQ on the port(s) | | qinq enable | Required. Disabled by default. |
1.3 Configuring Selective QinQ
The outer VLAN tag added to a frame by the basic QinQ feature is the VLAN tag corresponding to the port’s default VLAN ID, while the selective QinQ feature allows adding different outer VLAN tags based on different inner VLAN tags.
With selective QinQ configured on a port, the device attaches different outer VLAN tags based on the inner VLAN tags; frames with a VLAN ID outside the range specified in the raw-vlan-id inbound command are given the port’s default VLAN tag as the outer tag.
Follow these steps to configure selective QinQ:
To do... | | Use the command... | Remarks |
---|---|---|---|
Enter system view | | system-view | — |
Enter Ethernet port view or port group view | Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
Enter Ethernet port view or port group view | Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
Enter QinQ view and configure the outer VLAN tag for the port to add | | qinq vid vlan-id | Required |
Configure inner VLAN tags corresponding to the outer VLAN tags | | raw-vlan-id inbound { all \| vlan-id-list } | Required |
Caution:
- An inner VLAN tag corresponds to only one outer VLAN tag. If you want to change an outer VLAN tag, you must delete the old outer VLAN tag configuration and configure a new outer VLAN tag.
- You can configure selective QinQ and basic QinQ on the same port. The switch uses the basic QinQ function to attach the port’s default VLAN tag as the outer tag to frames that do not match the selective QinQ mapping rule.
1.4 Configuring the TPID Value to Be Carried in VLAN Tags
You can configure the TPID value to be carried in VLAN tags globally (the configuration takes effect on all ports of the device).
To do... | Use the command... | Remarks |
---|---|---|
Enter system view | system-view | — |
Configure the TPID value to be carried in VLAN tags | qinq ethernet-type hex-value | Optional. Both 0x8100 by default. |
1.5 QinQ Configuration Example
I. Network requirements
- Provider A and Provider B are service provider network access devices.
- Customer A, Customer B and Customer C are customer network access devices.
- Provider A and Provider B are interconnected through a configured trunk port. Provider A belongs to VLAN 1000 of the service provider network, and Provider B belongs to VLAN 2000 of the service provider network.
- Third-party devices are deployed between Provider A and Provider B, with a TPID value of 0x8200.
After configuration, the network should satisfy the following requirements:
- Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider network;
- Frames of VLAN 20 of Customer A and frames of VLAN 20 of Customer C can be forwarded to each other through VLAN 2000 of the provider network.
II. Network diagram
Figure 1-3 Network diagram for QinQ configuration
III. Configuration procedure
Note:
With this configuration, the user must allow the QinQ packets to pass between the devices of the service providers.
1) Configuration on Provider A
# Enter system view.
<ProviderA> system-view
- Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a Hybrid port that permits frames of VLAN 1000 and VLAN 2000 to pass, and configure the port to remove the outer tag of the frames when sending them out.
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port link-type hybrid
[ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged
# Configure the port to tag frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 1000
[ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10
[ProviderA-GigabitEthernet1/0/1-vid-1000] quit
# Configure the port to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 2000
[ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20
[ProviderA-GigabitEthernet1/0/1-vid-2000] quit
[ProviderA-GigabitEthernet1/0/1] quit
- Configuration on GigabitEthernet 1/0/2
# Configure VLAN 1000 as the default VLAN of the port.
[ProviderA] interface GigabitEthernet 1/0/2
[ProviderA-GigabitEthernet1/0/2] port access vlan 1000
# Enable basic QinQ so that the port tags frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/2] qinq enable
[ProviderA-GigabitEthernet1/0/2] quit
- Configuration on GigabitEthernet 1/0/3
# Configure GigabitEthernet 1/0/3 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000 to pass.
[ProviderA] interface GigabitEthernet 1/0/3
[ProviderA-GigabitEthernet1/0/3] port link-type trunk
[ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 1000 2000
# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN Tags to 0x8200.
[ProviderA-GigabitEthernet1/0/3] quit
[ProviderA] qinq ethernet-type 8200
2) Configuration on Provider B
- Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet 1/0/1
[ProviderB-GigabitEthernet1/0/1] port link-type trunk
[ProviderB-GigabitEthernet1/0/1] port trunk permit vlan 1000 2000
# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN Tags to 0x8200.
[ProviderB-GigabitEthernet1/0/1] quit
[ProviderB] qinq ethernet-type 8200
- Configuration on GigabitEthernet 1/0/2
# Configure VLAN 2000 as the default VLAN of the port.
[ProviderB] interface GigabitEthernet 1/0/2
[ProviderB-GigabitEthernet1/0/2] port access vlan 2000
# Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderB-GigabitEthernet1/0/2] qinq enable
3) Configuration on devices on the public network
As third-party devices are deployed between Provider A and Provider B, only the basic configuration that should be made on those devices is discussed here. Configure the device connected to GigabitEthernet 1/0/3 of Provider A and the device connected to GigabitEthernet 1/0/1 of Provider B so that their corresponding ports send tagged frames of VLAN 1000 and VLAN 2000. The configuration steps are omitted here.
Chapter 2 BPDU Tunneling Configuration
When configuring BPDU tunneling, go to these sections for information you are interested in:
- Introduction to BPDU Tunneling
- Configuring BPDU Transparent Transmission
- Configuring Destination Multicast MAC Address for BPDU Tunnel Frames
- BPDU Tunneling Configuration Example
2.1 Introduction to BPDU Tunneling
2.1.1 Why BPDU Tunneling
To avoid loops in your network, you can enable the spanning tree protocol (STP) on your device. However, STP learns the topological structure of a network by means of bridge protocol data units (BPDUs) exchanged between devices, and BPDUs are Layer 2 multicast packets that can be received and processed by all STP-enabled devices on the network. This prevents each network from correctly calculating its spanning tree. As a result, when redundant links exist in a network, data loops will unavoidably occur.
By allowing each network to have its own spanning tree while running STP, BPDU tunneling can resolve this problem.
- BPDU tunneling can isolate BPDUs of different customer networks, so that one network is not affected by others while calculating the topological structure.
- BPDU tunneling enables BPDUs of the same customer network to be broadcast in a specific VLAN in the provider network, so that the geographically dispersed customer networks of the same customer can implement consistent spanning tree calculation across the provider network.
2.1.2 How BPDU Tunneling Works
The BPDU tunneling implements the following two functions:
- BPDU isolation
- BPDU transparent transmission
BPDU tunneling works as follows:
I. BPDU isolation
When a port receives BPDUs of other networks, the port will discard the BPDUs, so that they will not take part in spanning tree calculation. Refer to Configuring BPDU Isolation.
II. BPDU transparent transmission
As shown in Figure 2-1, the upper part is the service provider network, and the lower part represents the customer networks. The customer networks include network A and network B. Enabling the BPDU tunneling function on the BPDU input/output devices across the service provider network allows BPDUs of the customer networks to be transparently transmitted in the service provider network, and allows each customer network to implement independent spanning tree calculation, without affecting each other. Refer to Configuring BPDU Transparent Transmission.
Figure 2-1 Network hierarchy of BPDU tunneling
- At the BPDU input side, the device changes the destination MAC address of a BPDU from a customer network from 0x0180-C200-0000 to a special multicast MAC address, 0x010F-E200-0003 by default. In the service provider’s network, the modified BPDUs are forwarded as data packets in the user VLAN.
- At the packet output side, the device recognizes the BPDU with the destination MAC address of 0x010F-E200-0003 and restores its original destination MAC address 0x0180-C200-0000. Then, the device removes the outer tag, and sends the BPDU to the destination customer network.
Note:
Make sure, through configuration, that the VLAN tag of the BPDU is neither changed nor removed during its transparent transmission in the service provider network; otherwise, the system will fail to transparently transmit the customer network BPDU correctly.
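The input-side and output-side handling described above, as an added Python example that is not taken from the H3C manual. The function names and the sample BPDU are constructed, and the model assumes the user VLAN is carried as a single 0x8100 tag; it also shows the failure the note warns about and what happens when the two ends use different tunnel addresses.

```python
import struct

STP_DMAC = bytes.fromhex("0180c2000000")     # 0x0180-C200-0000
TUNNEL_DMAC = bytes.fromhex("010fe2000003")  # 0x010F-E200-0003, the default
DOT1Q_TPID = 0x8100


def tunnel_in(frame, user_vlan, tunnel_dmac=TUNNEL_DMAC):
    """Input side: replace the STP destination MAC with the tunnel address
    and tag the frame with the user VLAN. Other frames pass unchanged."""
    if frame[:6] != STP_DMAC:
        return frame
    tag = struct.pack("!HH", DOT1Q_TPID, user_vlan)
    return tunnel_dmac + frame[6:12] + tag + frame[12:]


def tunnel_out(frame, user_vlan, tunnel_dmac=TUNNEL_DMAC):
    """Output side: restore the STP destination MAC and remove the outer tag.

    Raises ValueError if the tag was changed or removed in transit, the
    condition the note above warns about. A frame whose destination is not
    this device's tunnel address is returned unchanged.
    """
    if frame[:6] != tunnel_dmac:
        return frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != DOT1Q_TPID or (tci & 0x0FFF) != user_vlan:
        raise ValueError("tunnel frame does not carry the expected VLAN tag")
    return STP_DMAC + frame[6:12] + frame[16:]


# Constructed sample: 802.3/LLC frame with a zeroed 35-byte configuration
# BPDU (padding omitted); the source MAC is made up.
CUSTOMER_BPDU = (
    STP_DMAC + bytes.fromhex("020000000001")
    + struct.pack("!H", 38) + bytes.fromhex("424203") + bytes(35)
)


if __name__ == "__main__":
    carried = tunnel_in(CUSTOMER_BPDU, 2)
    print(carried[:16].hex())                         # tunnel DMAC + tag
    print(tunnel_out(carried, 2) == CUSTOMER_BPDU)    # restored at the output
    # Different tunnel addresses at the two ends: the BPDU is not restored.
    other = tunnel_in(CUSTOMER_BPDU, 2, bytes.fromhex("01000ccdcdd0"))
    print(tunnel_out(other, 2)[:6].hex())
```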
2.2 Configuring BPDU Isolation
Perform the following tasks to configure BPDU isolation:
To do... | | Use the command... | Remarks |
---|---|---|---|
Enter system view | | system-view | — |
Enable BPDU tunneling globally | | bpdu-tunnel dot1q enable | Optional. Enabled by default. |
Enter Ethernet port view or port group view | Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
Enter Ethernet port view or port group view | Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
Enable BPDU tunneling for the port(s) | | bpdu-tunnel dot1q enable | Required. Disabled by default. |
Note:
- BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect.
- The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For introduction to GVRP, refer to VLAN Configuration.
- The BPDU tunneling feature is incompatible with the NTDP feature, so these two features cannot be enabled at the same time. If you want to enable BPDU tunneling on a port, use the undo ntdp enable command to disable NTDP first. For introduction to NTDP, refer to Cluster Management Configuration.
2.3 Configuring BPDU Transparent Transmission
Perform the following tasks to configure BPDU transparent transmission:
To do... | | Use the command... | Remarks |
---|---|---|---|
Enter system view | | system-view | — |
Enable BPDU tunneling globally | | bpdu-tunnel dot1q enable | Optional. Enabled by default. |
Enter Ethernet port view or port group view | Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
Enter Ethernet port view or port group view | Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
Enable BPDU tunneling on the port(s) | | bpdu-tunnel dot1q enable | Required. Disabled by default. |
Disable STP on the port(s) | | stp disable | Required. Enabled by default. |
Enable BPDU tunneling for STP on the port(s) | | bpdu-tunnel dot1q stp | Required. Disabled by default. |
Note:
- BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect.
- The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For introduction to GVRP, refer to VLAN Configuration.
- The BPDU tunneling feature is incompatible with the NTDP feature, so these two features cannot be enabled at the same time. If you want to enable BPDU tunneling on a port, use the undo ntdp enable command to disable NTDP first. For introduction to NTDP, refer to Cluster Management Configuration.
2.4 Configuring Destination Multicast MAC Address for BPDU Tunnel Frames
By default, the destination multicast MAC address for BPDU Tunnel frames is 0x010F-E200-0003. You can modify it to 0x0100-0CCD-CDD0, 0x0100-0CCD-CDD1 or 0x0100-0CCD-CDD2 through the following configuration.
Follow these steps to configure destination multicast MAC address for BPDU tunnel frames:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Configure the destination multicast MAC address for BPDU Tunnel frames | bpdu-tunnel tunnel-dmac mac-address | Optional. 0x010F-E200-0003 by default. |
2.5 BPDU Tunneling Configuration Example
I. Network requirements
- Customer A, Customer B, Customer C, and Customer D are customer network access devices.
- Provider A, Provider B, and Provider C are service provider network access devices, which are interconnected through configured trunk ports.
The configuration is required to satisfy the following requirements:
- Geographically dispersed customer network devices Customer A, Customer C and Customer D can implement consistent spanning tree calculation across the service provider network.
- BPDU packets from Customer B are isolated so it does not take part in the spanning tree calculation.
II. Network diagram
Figure 2-2 Network diagram for BPDU tunneling configuration
III. Configuration procedure
1) Configuration on Provider A
# Configure BPDU transparent transmission on GigabitEthernet 1/0/1.
<ProviderA> system-view
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port access vlan 2
[ProviderA-GigabitEthernet1/0/1] stp disable
[ProviderA-GigabitEthernet1/0/1] undo ntdp enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q stp
2) Configuration on Provider B
# Configure BPDU isolation on GigabitEthernet 1/0/2.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet 1/0/2
[ProviderB-GigabitEthernet1/0/2] port access vlan 4
[ProviderB-GigabitEthernet1/0/2] undo ntdp enable
[ProviderB-GigabitEthernet1/0/2] bpdu-tunnel dot1q enable
3) Configuration on Provider C
# Configure BPDU transparent transmission on GigabitEthernet 1/0/3.
<ProviderC> system-view
[ProviderC] interface GigabitEthernet 1/0/3
[ProviderC-GigabitEthernet1/0/3] port access vlan 2
[ProviderC-GigabitEthernet1/0/3] stp disable
[ProviderC-GigabitEthernet1/0/3] undo ntdp enable
[ProviderC-GigabitEthernet1/0/3] bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/3] bpdu-tunnel dot1q stp
# Configure BPDU transparent transmission on GigabitEthernet 1/0/4.
[ProviderC-GigabitEthernet1/0/3] quit
[ProviderC] interface GigabitEthernet 1/0/4
[ProviderC-GigabitEthernet1/0/4] port access vlan 2
[ProviderC-GigabitEthernet1/0/4] stp disable
[ProviderC-GigabitEthernet1/0/4] undo ntdp enable
[ProviderC-GigabitEthernet1/0/4] bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/4] bpdu-tunnel dot1q stp
Note:
When STP works stably on the customer network, if Customer A acts as the root bridge, the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A. Since BPDU isolation is enabled on Customer B, the port that connects Customer B to Provider B cannot receive BPDUs from Customer A.
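A check for the per-port prerequisites listed in sections 2.2 and 2.3, as an added Python example that is not part of the H3C manual: it reads a typed CLI session in the prompt style used on this page and reports ports where NTDP was not disabled before BPDU tunneling was enabled, or where bpdu-tunnel dot1q stp is used without stp disable or without bpdu-tunnel dot1q enable. The function names and the sample session are constructed, and only commands visible in the session are considered.

```python
import re

# Matches interface-view prompts as printed in the examples on this page,
# e.g. "[ProviderA-GigabitEthernet1/0/1] stp disable".
PROMPT = re.compile(
    r"^\[(?P<dev>[^\]-]+)-(?P<port>[A-Za-z]+[\d/]+)\]\s+(?P<cmd>.+)$"
)
ENABLE = "bpdu-tunnel dot1q enable"
STP_TUNNEL = "bpdu-tunnel dot1q stp"
NO_NTDP = "undo ntdp enable"


def commands_by_port(session):
    """Group the commands typed in each interface view, in order."""
    ports = {}
    for line in session.splitlines():
        match = PROMPT.match(line.strip())
        if match and match["cmd"].strip() != "quit":
            key = f'{match["dev"]} {match["port"]}'
            ports.setdefault(key, []).append(match["cmd"].strip())
    return ports


def audit_bpdu_tunnel(session):
    """Return (port, problem) pairs for ports that use BPDU tunneling."""
    findings = []
    for port, cmds in commands_by_port(session).items():
        if ENABLE not in cmds and STP_TUNNEL not in cmds:
            continue  # port does not use BPDU tunneling
        if NO_NTDP not in cmds:
            findings.append((port, "NTDP not disabled"))
        elif ENABLE in cmds and cmds.index(NO_NTDP) > cmds.index(ENABLE):
            findings.append((port, "NTDP disabled after BPDU tunneling was enabled"))
        if STP_TUNNEL in cmds:
            if ENABLE not in cmds:
                findings.append((port, "BPDU tunneling not enabled on the port"))
            if "stp disable" not in cmds:
                findings.append((port, "STP not disabled on the port"))
    return findings


# Constructed session in the style of section 2.5. On GigabitEthernet1/0/2,
# "stp disable" is missing and NTDP is disabled too late.
SAMPLE_SESSION = """\
<ProviderA> system-view
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port access vlan 2
[ProviderA-GigabitEthernet1/0/1] stp disable
[ProviderA-GigabitEthernet1/0/1] undo ntdp enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q stp
[ProviderA-GigabitEthernet1/0/1] quit
[ProviderA] interface GigabitEthernet 1/0/2
[ProviderA-GigabitEthernet1/0/2] port access vlan 2
[ProviderA-GigabitEthernet1/0/2] bpdu-tunnel dot1q enable
[ProviderA-GigabitEthernet1/0/2] undo ntdp enable
[ProviderA-GigabitEthernet1/0/2] bpdu-tunnel dot1q stp
"""

if __name__ == "__main__":
    for port, problem in audit_bpdu_tunnel(SAMPLE_SESSION):
        print(f"{port}: {problem}")
```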