H3C S3100-52P Ethernet Switch Operation Manual-Release 1500(V1.02)

31-VLAN VPN Operation

Chapter 1  VLAN-VPN Configuration

1.1  VLAN-VPN Overview

1.1.1  Introduction to VLAN-VPN

The VLAN-VPN function enables packets to be transmitted across the operators’ backbone networks with the VLAN tags of private networks encapsulated in those of public networks. In public networks, packets of this type are forwarded by their outer VLAN tags (the VLAN tags of the public networks), while the inner tags of the private networks remain hidden.

Figure 1-1 describes the structure of the packets with single-layer VLAN tags.

Figure 1-1 Structure of packets with single-layer VLAN tags

Figure 1-2 describes the structure of the packets with nested VLAN tags.

Figure 1-2 Structure of packets with double-layer VLAN tags

Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:

- It provides simpler Layer 2 VPN tunnels.

- VLAN-VPN can be implemented without the support of signaling protocols. You can enable VLAN-VPN by static configuration.

The VLAN-VPN function provides you with the following benefits:

- It saves public network VLAN ID resources.

- You can use VLAN IDs of your own, which are independent of public network VLAN IDs.

- It allows for simple Layer 2 VPN solutions for small-sized MANs or intranets.

1.1.2  Implementation of VLAN-VPN

VLAN-VPN can be implemented by enabling the VLAN-VPN function on ports.

With the VLAN VPN function enabled, a received packet is tagged with the default VLAN tag of the receiving port no matter whether or not the packet already carries a VLAN tag. If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet. Otherwise, the packet becomes a packet carrying the default VLAN tag of the port.

1.1.3  Adjusting the TPID Values of VLAN-VPN Packets

Tag protocol identifier (TPID) is a field of the VLAN tag. IEEE 802.1Q specifies the value of TPID to be 0x8100.

Figure 1-3 illustrates the structure of the Tag packet of an Ethernet frame defined by IEEE 802.1Q.

Figure 1-3 The structure of the Tag packet of an Ethernet frame

H3C S3100-52P switches adopt the protocol default TPID value (0x8100). Other vendors use other TPID values (such as 0x9100 or 0x9200) in the outer tags of VLAN-VPN packets.

To be compatible with devices coming from other vendors, S3100-52P switch can adjust the TPID values of VLAN-VPN packets based on ports. You can configure the TPID value of a port connecting to the public network side by yourself. When a packet is forwarded through the port, the port replaces the TPID value in the outer VLAN tag of this packet with the user-defined value. Thus, the VLAN-VPN packets sent to the public network can be recognized by devices of other vendors.

As the TPID field in a tagged Ethernet frame occupies the same position as the protocol type field in an untagged frame, the TPID value must not be any of the protocol type values listed in Table 1-1; otherwise a device receiving or forwarding the packet could not tell the two apart.

Table 1-1 Commonly used protocol type values in Ethernet frames

Protocol type    Value
ARP              0x0806
IP               0x0800
MPLS             0x8847/0x8848
IPX              0x8137
IS-IS            0x8000
LACP             0x8809
802.1x           0x888E

1.2  VLAN-VPN Configuration

1.2.1  Configuration Prerequisites

- GARP VLAN registration protocol (GVRP), neighbor topology discovery protocol (NTDP), spanning tree protocol (STP), 802.1x, and the centralized MAC address authentication function are disabled on the port.

- The port is an access port.

Caution:

- The VLAN-VPN function is unavailable to a port if any of GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function is enabled on the port.

- By default, STP and NTDP are enabled on a device. You can disable these two protocols using the stp disable and undo ntdp enable commands.

1.2.2  Configuration Procedure

Table 1-2 Configure the VLAN-VPN function for a port

Operation
    Command
    Description

Enter system view
    system-view

Enter Ethernet port view
    interface interface-type interface-number

Enable the VLAN-VPN function on the port
    vlan-vpn enable
    Required. By default, the VLAN-VPN function is disabled on a port.

Display VLAN-VPN configuration information about all the ports
    display port vlan-vpn
    This command can be executed in any view.

Note:

After you enable the VLAN-VPN function for a port, you can neither change the port to a trunk port or hybrid port nor enable GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function on the port.

- An error message appears if you try to change the port to a trunk port or hybrid port, or to enable GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function on the port, by executing the corresponding commands.

- If you use the copy configuration command to duplicate the configuration of a port to a port enabled with the VLAN-VPN function, the configuration concerning the port type (access, trunk, or hybrid), GVRP, NTDP, STP, 802.1x, and the centralized MAC address authentication function is not duplicated.

1.3  Inner VLAN Tag Priority Replication Configuration

You can configure the switch to replicate the priority of the inner VLAN tag of a VLAN-VPN packet to the outer VLAN tag, so that the original tag priority is preserved after the outer VLAN tag is inserted.

1.3.1  Configuration Prerequisites

The VLAN-VPN function is enabled.

1.3.2  Configuration Procedure

Table 1-3 Replicate the tag priority of the inner VLAN tag

Operation
    Command
    Description

Enter system view
    system-view

Enter Ethernet port view
    interface interface-type interface-number

Enable the inner VLAN tag priority replication function
    vlan-vpn inner-cos-trust enable
    Required. By default, the inner VLAN tag priority replication function is disabled, and the priority of an outer VLAN tag is the default priority of the current port.

Display the VLAN-VPN configuration of all ports
    display port vlan-vpn
    This command can be executed in any view.

If you have configured the port priority (refer to the QACL part of the H3C S3100-52P Ethernet Switch Operation Manual for details), the switch prompts that the port priority configuration on the current port is invalid once you configure inner VLAN tag priority replication for VLAN-VPN packets.

 

1.4  TPID Adjusting Configuration

1.4.1  Configuration Prerequisites

The TPID value of the peer end of the public network is available.

1.4.2  Configuration Procedure

Table 1-4 Adjust TPID values for VLAN-VPN packets

Operation
    Command
    Description

Enter system view
    system-view

Enter Ethernet port view
    interface interface-type interface-number

Set a TPID value for the port
    vlan-vpn tpid value
    Required. Do not set the TPID value to any of the protocol type values listed in Table 1-1.

Display VLAN-VPN configuration information about all ports
    display port vlan-vpn
    You can execute the display command in any view.

1.5  VLAN-VPN Configuration Example

I. Network requirements

- Switch A and Switch C are S3100-52P switches. Switch B is a switch from another manufacturer, which uses the TPID value 0x9100.

- Two user networks are connected to the Ethernet1/0/1 ports of Switch A and Switch C respectively.

- Switch B only permits packets of VLAN 10.

- It is required that packets of VLANs other than VLAN 10 can be exchanged between the user networks connected to Switch A and Switch C.

II. Network diagram

Figure 1-4 Network diagram for VLAN-VPN configuration

III. Configuration Procedure

1) Configure Switch A and Switch C.

As the configuration performed on Switch A and Switch C is the same, configuration on Switch C is omitted.

# Set the TPID value of Ethernet1/0/2 port of Switch A to 0x9100, and add the port to VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

[SwitchA] interface Ethernet1/0/2

[SwitchA-Ethernet1/0/2] vlan-vpn tpid 9100

[SwitchA-Ethernet1/0/2] port link-type trunk

[SwitchA-Ethernet1/0/2] port trunk permit vlan 10

# Add Ethernet1/0/1 port of Switch A to VLAN 10 and enable the VLAN-VPN function for the port.

[SwitchA] interface Ethernet1/0/1

[SwitchA-Ethernet1/0/1] port access vlan 10

[SwitchA-Ethernet1/0/1] vlan-vpn enable

[SwitchA-Ethernet1/0/1] quit

2) Configure Switch B.

Because Switch B comes from another manufacturer, the commands involved may differ from those of the S3100-52P switch, so only the operations are listed:

- Configure the Ethernet3/1/1 and Ethernet3/1/2 ports of Switch B to be trunk ports.

- Add the two ports to VLAN 10.

 

Note:

The following describes how a packet is forwarded from Switch A to Switch C.

- As the Ethernet1/0/1 port of Switch A is a VLAN-VPN port, when a packet from the user’s network side reaches Ethernet1/0/1 port of Switch A, it is tagged with the default VLAN tag of the port (VLAN 10) and is then forwarded to Ethernet1/0/2 port.

- Because Ethernet1/0/2 port is configured with a VLAN-VPN TPID, Switch A changes the TPID value in the outer VLAN tag of the packet to 0x9100 and forwards the packet to the public network.

- The packet reaches Ethernet3/1/2 port of Switch B in the public network. Switch B forwards the packet to Ethernet3/1/1, which belongs to VLAN 10.

- The packet is forwarded from Ethernet3/1/1 port of Switch B to the network on the other side and enters Ethernet1/0/2 port of Switch C. Then Switch C forwards the packet to its Ethernet1/0/1 port, which also belongs to VLAN 10. As Ethernet1/0/1 port is an access port, Switch C strips off the outer VLAN tag of the packet and restores the original packet.

- It is the same case when a packet travels from Switch C to Switch A.

After the configuration, the networks connecting Switch A and Switch C can receive data packets from each other.
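The forwarding path the Note above walks through (Switch A pushes its port's default tag, rewrites the TPID toward Switch B, and Switch C strips the outer tag), together with the Table 1-1 check behind vlan-vpn tpid and the inner-cos-trust priority copy of section 1.3, modelled in Python as an added example. This is not code from the manual or from the switch; the frame bytes are constructed samples.

```python
import struct

# Table 1-1: protocol type values a user-defined TPID must not collide with.
RESERVED_ETHERTYPES = {0x0806, 0x0800, 0x8847, 0x8848, 0x8137, 0x8000, 0x8809, 0x888E}
TPID_8021Q = 0x8100  # the IEEE 802.1Q default used by the S3100-52P

def validate_tpid(tpid: int) -> bool:
    """The rule behind 'vlan-vpn tpid': the value must fit in 16 bits and must not
    be a protocol type, since the TPID sits where the EtherType of an untagged frame sits."""
    return 0 <= tpid <= 0xFFFF and tpid not in RESERVED_ETHERTYPES

def vlan_vpn_ingress(frame: bytes, port_default_vid: int, port_priority: int = 0,
                     inner_cos_trust: bool = False) -> bytes:
    """'vlan-vpn enable' on a customer-facing access port: push the port's default
    VLAN tag on every frame. A tagged frame becomes dual-tagged; an untagged one
    gets a single tag. The inner tag, if any, is left untouched."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pcp = port_priority  # default: outer priority is the port's default priority
    if inner_cos_trust and ethertype == TPID_8021Q:
        # 'vlan-vpn inner-cos-trust enable': copy the inner tag's PCP into the outer tag
        inner_tci = struct.unpack("!H", frame[14:16])[0]
        pcp = inner_tci >> 13
    outer_tci = (pcp << 13) | (port_default_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, outer_tci) + frame[12:]

def vlan_vpn_egress(frame: bytes, tpid: int) -> bytes:
    """'vlan-vpn tpid' on the public-network port: rewrite the TPID of the outer tag
    so a peer expecting e.g. 0x9100 recognises the frame."""
    if not validate_tpid(tpid):
        raise ValueError(f"TPID 0x{tpid:04X} is a protocol type value from Table 1-1")
    return frame[:12] + struct.pack("!H", tpid) + frame[14:]

def vlan_vpn_strip(frame: bytes) -> bytes:
    """Far-end access port (Switch C's Ethernet1/0/1 in the example): remove the
    outer tag and hand the customer the original frame."""
    return frame[:12] + frame[16:]

def outer_tag(frame: bytes) -> tuple:
    """Return (TPID, PCP, VID) of the outermost tag, for inspection."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tpid, tci >> 13, tci & 0x0FFF

# Constructed sample: customer frame already tagged VLAN 100 with priority 5, carrying IPv4.
CUSTOMER_FRAME = (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
                  + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100)
                  + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)
```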

 


Chapter 2  BPDU Tunnel Configuration

2.1  BPDU Tunnel Overview

2.1.1  Introduction to the BPDU Tunnel Function

In MAN networking solutions, the requirements may arise that the branches of an enterprise be interconnected through the operator’s network. This can be achieved through VPN (virtual private network), which can integrate geographically dispersed networks to form a logical LAN. The tunnel function is required when you implement VPN. It enables packets of private networks to travel through operator’s network and reach another private network securely. To make networks of this kind essentially comparable with an actual LAN, Layer 2 protocol packets used to maintain the network are also required to travel across the tunnels.

2.1.2  BPDU Tunnel Fundamental

I. Layer 2 packet identification

Different from the processing of data packets, a Layer 2 protocol packet is classified first when it reaches a network device. A Layer 2 protocol packet conforming with IEEE standards carries a special destination MAC address and contains a type field. Some proprietary protocols adopt the same packet structure, where a private MAC address is used to identify the corresponding proprietary protocol, and the type field is used to identify the specific protocol type.

II. Transmitting BPDU packets transparently

As shown in Figure 2-1, the network on the top is the operator’s network, and the one on the bottom is a user network. The operator’s network contains devices that receive/transmit packets. The user network contains Network A and Network B. You can have BPDU packets transmitted transparently across the operator’s network by enabling the BPDU Tunnel function on the operator’s devices to which the user networks connect.

- When a BPDU packet coming from a user network reaches a device in the operator’s network, the device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a normal MAC address, which can be identified by both the local device and the peer device. In this way, the BPDU packet is converted to a normal data packet and is forwarded in the operator’s network.

- Before the device in the operator’s network forwards the packet to the destination user network, the device restores the original protocol-specific MAC address. This ensures that the data portion of the packet is consistent with that before the packet entered the tunnel. So a tunnel here acts as a local link for user devices: it enables Layer 2 protocol packets to travel across a logical LAN.

Figure 2-1 BPDU Tunnel network hierarchy

Figure 2-2 and Figure 2-3 show the structure of a BPDU packet before and after it enters a BPDU tunnel.

Figure 2-2 The structure of a BPDU packet before it enters a BPDU tunnel

Figure 2-3 The structure of a BPDU packet after it enters a BPDU tunnel

2.2  BPDU Tunnel Configuration

You can establish BPDU tunnels between S3100-52P Ethernet switches for the packets of the following protocols:

- LACP (link aggregation control protocol)

- NDP (neighbor discovery protocol)

- Proprietary protocols, including CDP and VTP

2.2.1  Configuration Prerequisites

One or more protocols among LACP, NDP, CDP, and VTP operate properly on the devices.

2.2.2  Configuring BPDU Tunnel

Table 2-1 Configure BPDU Tunnel

Operation
    Command
    Description

Enter system view
    system-view

Set the port to be a BPDU Tunnel uplink port (either method)
    In system view: bpdu-tunnel uplink interface-list
    In Ethernet port view: interface interface-type interface-number, then bpdu-tunnel uplink, then quit to return to system view
    You can enable the BPDU Tunnel uplink function in system view or in Ethernet port view. By default, NDP is enabled globally.

Enter Ethernet port view
    interface interface-type interface-number

Enable the BPDU Tunnel function for the packets of a specific protocol
    bpdu-tunnel { lacp | ndp | cdp | vtp }
    Required. By default, the BPDU Tunnel function is disabled on a port.

2.3  BPDU Tunnel Configuration Example

I. Network requirements

- Customer1 and Customer2 are access devices operating in a user network.

- Provider1 and Provider2 are access devices operating in the operator’s network. They are interconnected through their trunk ports, as shown in Figure 2-4.

- Enable the BPDU Tunnel function for NDP packets on the Ethernet1/0/1 and Ethernet1/0/4 ports shown in Figure 2-4. Set the ports Ethernet1/0/2 and Ethernet1/0/3 to be BPDU Tunnel uplink ports.

II. Network diagram

Figure 2-4 Network diagram for BPDU Tunnel configuration

III. Configuration procedure

1) Configure Provider1.

# Enable the BPDU Tunnel function for NDP packets on port Ethernet1/0/1.

<H3C> system-view

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] undo ndp enable

[H3C-Ethernet1/0/1] bpdu-tunnel ndp

# Set the port Ethernet 1/0/2 to be a BPDU Tunnel uplink port.

[H3C-Ethernet1/0/1] quit

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] bpdu-tunnel uplink

2) Configure Provider2.

# Set the port Ethernet 1/0/3 to be a BPDU Tunnel uplink port.

<H3C> system-view

[H3C] interface Ethernet 1/0/3

[H3C-Ethernet1/0/3] bpdu-tunnel uplink

# Enable the BPDU Tunnel function for NDP packets on port Ethernet1/0/4.

[H3C-Ethernet1/0/3] quit

[H3C] interface Ethernet 1/0/4

[H3C-Ethernet1/0/4] undo ndp enable

[H3C-Ethernet1/0/4] bpdu-tunnel ndp
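The MAC rewrite of section 2.1.2, modelled in Python as an added example that is not H3C code: the customer-facing port with bpdu-tunnel enabled replaces the reserved destination MAC, the operator core forwards the frame as ordinary multicast data, and the far end restores the MAC by classifying the type field. The tunnel MAC value is an assumption (the page gives none), NDP is omitted because its address and type field are not on the page, and the LACP and CDP frames are constructed samples.

```python
import struct

# Reserved destination MACs of the protocols the page lists. LACP uses the IEEE Slow
# Protocols address; CDP and VTP share Cisco's multicast address. NDP's address and
# type field are not given on the page, so NDP is left out of this model.
CISCO_MAC = bytes.fromhex("01000ccccccc")
PROTOCOL_MAC = {"lacp": bytes.fromhex("0180c2000002"), "cdp": CISCO_MAC, "vtp": CISCO_MAC}
# Assumed "normal" multicast MAC the tunnel rewrites to; the page gives no value.
TUNNEL_MAC = bytes.fromhex("010f00000001")  # hypothetical, not an H3C constant
SLOW_PROTOCOLS = 0x8809  # EtherType carrying LACP (subtype 1)
CISCO_OUI, CDP_PID, VTP_PID = b"\x00\x00\x0c", 0x2000, 0x2003

def classify(frame: bytes):
    """Identify the Layer 2 protocol from the type field (section 2.1.2), so the
    far end can restore the MAC without carrying state across the tunnel."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == SLOW_PROTOCOLS and frame[14] == 0x01:
        return "lacp"
    if ethertype <= 1500 and frame[14:17] == b"\xaa\xaa\x03":  # LLC/SNAP header
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == CISCO_OUI:
            return {CDP_PID: "cdp", VTP_PID: "vtp"}.get(pid)
    return None

def tunnel_ingress(frame: bytes, enabled: set) -> bytes:
    """Customer-facing port with 'bpdu-tunnel <proto>': replace the reserved
    destination MAC so operator devices forward the BPDU as ordinary data."""
    proto = classify(frame)
    if proto in enabled and frame[:6] == PROTOCOL_MAC[proto]:
        return TUNNEL_MAC + frame[6:]
    return frame  # not tunnelled: the local device handles the BPDU itself

def tunnel_egress(frame: bytes) -> bytes:
    """Far-end customer-facing port: restore the protocol-specific MAC. The payload
    was never touched, so the customer device receives the original BPDU."""
    proto = classify(frame)
    if frame[:6] == TUNNEL_MAC and proto is not None:
        return PROTOCOL_MAC[proto] + frame[6:]
    return frame

def build_lacp_frame(src: bytes) -> bytes:
    """Constructed minimal LACPDU: Slow Protocols EtherType, subtype 1, zeroed body."""
    return PROTOCOL_MAC["lacp"] + src + struct.pack("!H", SLOW_PROTOCOLS) + b"\x01" + b"\x00" * 109

def build_cdp_frame(src: bytes) -> bytes:
    """Constructed minimal CDP frame: LLC/SNAP with Cisco OUI and the CDP PID, zeroed body."""
    snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    return PROTOCOL_MAC["cdp"] + src + struct.pack("!H", len(snap) + 42) + snap + b"\x00" * 42
```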