qinq configuration.pdf

8/10/2019 QinQ Configuration.pdf

1/76

1/10/2014 QinQ Configuration

http://localhost:7890/printtopics.html?time=Wed%20Oct%2001%202014%2017:42:20%20GMT-0300%20(Pacific%20SA%20Daylight%20Time) 1/76

QinQ Configuration

Contents

1 QinQ Configuration

1.1 Introduction to QinQ1.2 QinQ Principles1.2.1 Basic Principles1.2.2 Basic QinQ1.2.3 Selective QinQ1.2.4 TPID1.3 Application Environment1.4 Configuration Task Summary1.5 Configuration Notes1.6 Configuring QinQ1.6.1 Configuring QinQ Tunneling1.6.1.1 Configuring Basic QinQ1.6.1.2 Configuring Selective QinQ1.6.2 Configuring Termination Sub-interface to Access an L2VPN Network 1.6.2.1 Configuring a Sub-interface for Dot1q VLAN Tag Termination1.6.2.2 Configuring a Sub-interface for QinQ VLAN Tag Termination1.6.2.3 Configuring the L2VPN1.6.2.4 Checking the Configuration1.6.3 Configuring Termination Sub-interface to Access an L3VPN Network 1.6.3.1 Configuring a Sub-interface for Dot1q VLAN Tag Termination1.6.3.2 Configuring a Sub-interface for QinQ VLAN Tag Termination

1.6.3.3 Configuring the L3VPN1.6.3.4 Checking the Configuration1.6.4 Configuring the TPID Value for an Outer VLAN Tag1.7 Configuration Examples1.7.1 Example for Configuring basic QinQ1.7.2 Example for Configuring Selective QinQ1.7.3 Example for Configuring VLL Access Through Dot1q Sub-interfaces1.7.4 Example for Configuring a QinQ Sub-interface to Access a VLL Network 1.7.5 Example for Configuring a Sub-interface for Dot1q VLAN Tag Termination to Accessan L3VPN Network 1.7.6 Example for Configuring a Sub-interface for QinQ VLAN Tag Termination to Access an

L3VPN Network 1.8 References

1 QinQ Configuration


2/76



This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),and provides configuration examples.

Context

NOTE:

Only the AR150, AR160, AR200 support QinQ.

Only the AR1200, AR2200, AR3200 support termination sub-interface access to the VPN.

Introduction to QinQThis section describes definition, purpose and benefit of QinQ.

QinQ PrinciplesThis section describes principles of QinQ.

Application EnvironmentThis section describes the applicable environment of QinQ.

Configuration Task Summary

Configuration NotesThis section describes QinQ configuration notes.

Configuring QinQThis section describes the QinQ configuration.

Configuration ExamplesThis section provides several configuration examples of QinQ.

ReferencesThis section describes references of QinQ.

Parent topic: Configuration Guide - Ethernet Switching

1.1 Introduction to QinQ

This section describes definition, purpose and benefit of QinQ.

Definition

802.1Q-in-802.1Q (QinQ) technology improves VLAN utilization by adding another 802.1Qtag to a frame with an 802.1Q tag. In this case, frames from private VLAN tags can betransparently transmitted on the public network. A frame transmitted on the backbone network has double 802.1Q tags (one for the public network and the other for the private network), thatis, 802.1Q-in-802.1Q (QinQ).

Purpose


3/76



As Ethernet is widely used on networks, 802.1Q VLANs are not enough to identify and isolatea large number of users on a network. The 12-bit VLAN tag field defined in IEEE 802.1Qidentifies a maximum of 4096 VLANs, which are insufficient for a large number of users onthe Ethernet network. QinQ technology is used to solve this problem.

QinQ technology encapsulates an 802.1Q tag to an 802.1Q packet. With this extra tag, thenumber of VLANs is increased to 4094 x 4094.

As Ethernet develops and requirements for precise management emerge, QinQ has more

applications. The inner tag indicates the user; the outer tag indicates the service. QinQ packetstraverse the public network with double tags, and the inner tag is transparently transmitted.Therefore, QinQ is also a simple and practical VPN technology, which is an extension toMulti-Protocol Label Switching (MPLS) VPN on the core network. QinQ can be used withMPLS VPN to form an end-to-end VPN solution.

Benefits

QinQ technology improves VLAN utilization by adding another 802.1Q VLAN tag to a framewith an 802.1Q VLAN tag. It brings the following advantages:

QinQ expands the VLAN space so that user isolation and identification are notlimited.

In a QinQ packet, the inner 802.1Q tag identifies a user, and the outer 802.1Q tagidentifies a service. The inner and outer tags facilitate service deployment.

More QinQ encapsulation and termination modes are used for fine-grained servicemanagement.

Parent topic: QinQ Configuration

1.2 QinQ Principles

This section describes principles of QinQ.

Basic Principles

Basic QinQ

Selective QinQ

TPID


1.2.1 Basic Principles


4/76



QinQ technology expands the VLAN space by adding another 802.1Q VLAN tag to a framewith an 802.1Q tag. As the metro Ethernet develops, more QinQ encapsulation andtermination modes are used for fine-grained service management.

Format of a QinQ Frame

A QinQ frame has a fixed format, that is, the 802.1Q tag with another 802.1Q tag. A QinQframe has four more bytes than an 802.1Q frame.

Figure 1 802.1Q encapsulation

QinQ Encapsulation

QinQ encapsulation adds another 802.1Q tag to a frame with an 802.1Q tag.

QinQ is classified into basic QinQ and selective QinQ depending on encapsulation data. BasicQinQ refers to interface-based QinQ, and selective QinQ includes VLAN ID-based QinQ and802.1p priority-based QinQ.

Port-based QinQ encapsulation

In port-based QinQ encapsulation, the device adds the same outer VLAN tag to allthe frames sent to a specified port. Port-based QinQ encapsulation, also called QinQtunneling, is not flexible and cannot distinguish services.

VLAN ID-based QinQ

VLAN ID-based QinQ determines whether to encapsulate the outer VLAN tag andthe type of the outer VLAN tag into different data flows.

Traffic can be classified based on VLAN ID ranges if a user uses different VLANIDs for different services. For example, PC users access the Internet through VLANs101 to 200, IPTV users through VLANs 201 to 300, and VoIPs through VLANs 301to 400. When receiving service data, the UPE adds the outer tag 100 to frames fromPCs, outer tag 300 to frames from IPTV users, and outer tag 500 to frames fromVoIPs.

802.1p priority-based QinQ

802.1p priority-based QinQ determines whether to encapsulate the outer VLAN tagand the type of the outer VLAN tag into data flows with different priorities.

For example, when different services of a user use different priorities, you can set updifferent data transmission channels for these services based on priorities so thatservices can be differentiated.


5/76



QinQ/Dot1q VLAN Tag Termination Sub-interface

In QinQ termination, a sub-interface identifies one tag or double tags of QinQ frames and thenremoves one tag or double tags or sends the frames.

QinQ termination is usually performed on sub-interfaces, called VLAN tag termination sub-interfaces.

Different termination modes are used in different situations when QinQ technology is appliedto the MPLS/IP core network.

A sub-interface that terminates a single tag in a frame is called a dot1q VLAN tagtermination sub-interface.

A sub-interface that terminates double tags in a frame is called a QinQ VLAN tagtermination sub-interface.

QinQ VLAN tag termination sub-interfaces have different functions in different scenariosrelated with the specific scenario. The following explains it in different scenarios.

Parent topic: QinQ Principles

1.2.2 Basic QinQ

Basic QinQ is implemented based on interfaces. Basic QinQ allows the device to add the outer tag to a packet received on an interface. If the received packet carries a VLAN tag, the deviceadds the outer VLAN tag to the packet. If the received packet does not carry any VLAN tag,the device adds the inner VLAN tag and then the outer VLAN tag.

As shown in Figure 1 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively.

Figure 1 Networking diagram of basic QinQ


6/76



Enterprise A has different services, so different VLANs are assigned. Basic QinQ isconfigured on the CE interface connected to the carrier network. The outer VLAN 20 is addedto the packet passing through the CE interface and removed after the packet reaches another

branch. Traffic between two branches is transparently transmitted on the public network sothat users using the same service in different branches of enterprise A can communicate andusers using different services are isolated.


1.2.3 Selective QinQ

Selective QinQ, also knonw as VLAN Stacking or QinQ Stacking, is performed based on portsand VLAN IDs. Besides basic QinQ functions, selective QinQ has the following functions:

VLAN ID-based selective QinQ: adds outer VLAN tags based on VLAN IDs.

802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities in inner VLAN tags.

Selective QinQ is an extension to basic QinQ and is more flexible. The difference is asfollows:

Basic QinQ: adds the same outer VLAN tag to all the frames entering a Layer 2 port.

Selective QinQ: adds different outer VLAN tags to the frames entering a Layer 2 port based on the inner VLAN tags.

As shown in Figure 1 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively.


7/76



Figure 1 Networking diagram of selective QinQ

Enterprise A has different services, so different VLANs are assigned. Data services aretransmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 toVLAN 50.

Selective QinQ is configured on the user-side interface of the CE to add outer VLAN 20 to packets with VLAN IDs 10 to 30, and outer VLAN 21 to packets with VLAN IDs 31 to 50,and the device is configured to increase the priority of voice packets. Traffic between two

branches can be transparently transmitted through the public network so that users using thesame service in different branches of enterprise A can communicate, users using differentservices are isolated, and voice services are transmitted preferentially.


1.2.4 TPIDTag Protocol Identifier (TPID), a field in a VLAN tag, specifies the protocol type of the tag.The TPID value defined in IEEE 802.1Q is 0x8100.

Figure 1 shows the Ethernet frame format defined in IEEE 802.1Q. The 802.1Q Tag fieldlocates between the Source Address (SA) and Length/Type fields. The device checks theTPID value in the received frame to determine whether the VLAN tag is the S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID value in theframe. For example, a frame carries VLAN tags with TPID values 0x9100 and 0x8100. If theTPID value of the S-VLAN tag is set to 0x9100 and that of the C-VLAN tag is 0x8200, the


8/76



device considers that the frame only carries the S-VLAN tag, but not the C-VLAN tag.

Figure 1 802.1Q encapsulation

Different carriers may use different TPID values in outer VLAN tags. You can set the sameTPID value to ensure compatibility among devices of different vendors. In this case, QinQframe sent to the public network carry the same TPID value with the carrier TPID value,ensuring interoperability between the device and the carrier device. To prevent packetforwarding and processing errors on the network, the TPID value can be none of values in

Table 1 .

Table 1 Description of protocol types and values

Protocol Type Value

ARP 0x0806

RARP 0x8035

IP 0x0800

IPv6 0x86DD

PPPoE 0x8863/0x8864

MPLS 0x8847/0x8848

IPX/SPX 0x8137

LACP 0x8809

802.1x 0x888E

HGMP 0x88A7

Reserved 0xFFFD/0xFFFE/0xFFFF


1.3 Application Environment


9/76



This section describes the applicable environment of QinQ.

Basic QinQ

As shown in Figure 1 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs areassigned. To save public VLAN IDs, it is required that traffic between two branches of enterprise A be transparently transmitted through the public network, users using the same

service in different branches of enterprise A be allowed to communicate, and users usingdifferent services be isolated. You can configure QinQ on the network-side interface of the CEto meet the preceding requirements.

Figure 1 Typical networking of basic QinQ

Selective QinQ

As shown in Figure 2 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs areassigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services aretransmitted in VLAN 31 to VLAN 50. To save public VLAN IDs, it is required that traffic

between two branches of enterprise A be transparently transmitted through the public network,users using the same service in different branches of enterprise A be allowed to communicate,users using different services be isolated, and voice services be transmitted preferentially. Youcan configure selective QinQ on the user-side interface of the CE to meet the precedingrequirements.

Figure 2 Typical networking of selective QinQ


10/76


11/76



L3VPN Network through PEs. User data packetssent by the CE to a PE containone or double tags. You need toconnect the sub-interfaces on thePE to an L3VPN to enable CEsto communicate with each other.

interface to Access an L3VPN Network

Configuring the TPID Value for an Outer VLAN Tag

To ensure that devices fromdifferent vendors cancommunicate with each other,set the TPID value of an outer VLAN tag.

Configuring the TPID Value for an Outer VLAN Tag


1.5 Configuration Notes

This section describes QinQ configuration notes.

When deploying QinQ on the router, pay attention to the following:

Before configuring QinQ on an interface, add the interface to a network bridge. If theinterface is deleted from the network bridge, the QinQ configuration is also deletedfrom the interface.

You can configure only one of QinQ, selective QinQ, and VLAN mapping on a sub-interface.


1.6 Configuring QinQ

This section describes the QinQ configuration.

Configuring QinQ TunnelingThis section describes how to configure QinQ tunneling, including basic QinQ andselective QinQ.

Configuring Termination Sub-interface to Access an L2VPN Network A CE accesses the ISP network through PEs. User data packets sent by the CE to a PEcontain one or double tags. You need to connect the sub-interfaces on the PE to a VPNnetwork to enable CEs to communicate with each other.

Configuring Termination Sub-interface to Access an L3VPN Network A CE accesses the ISP network through PEs. User data packets sent by the CE to a PE


12/76



contain one or double tags. You need to connect the sub-interfaces on the PE to anL3VPN to enable CEs to communicate with each other.

Configuring the TPID Value for an Outer VLAN TagTo ensure that devices from different vendors can communicate with each other, set theTPID value of an outer VLAN tag.


1.6.1 Configuring QinQ Tunneling

This section describes how to configure QinQ tunneling, including basic QinQ and selectiveQinQ.

Configuring Basic QinQ

Configuring Selective QinQ

Parent topic: Configuring QinQ

1.6.1.1 Configuring Basic QinQ

Background InformationDot1q tunnel isolates a carrier network from a user network and is widely used when usersconnect to a carrier network. When private networks connect to a carrier network through CEsand PEs, run the vlan dot1q-tunnel command on CE interfaces connected to PEs so that theCE interfaces add the outer VLAN tag allocated by the carrier to user packets. Thisimplementation saves VLAN IDs and allows user packets to be transparently transmitted onthe carrier network.

Procedure

1. Run:system-view

The system view is displayed.

2. Run:

bridge bridge-id

A bridge group is created and the bridge group view is displayed.

3. Run:

quit


13/76



Exit from the bridge group view.

4. Run:

interface { ethernet | gigabitethernet } interface-number . subinterface-nu mber

The Ethernet sub-interface view is displayed.

NOTE:

Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer 2mode and supports switching between Layer 2 and Layer 3 modes, run the undo portswitchcommand to switch the interface in Layer 3 mode before creating a sub-interface on the interface.

5. Run:

bridge bridge-id

The Ethernet sub-interface is added to the bridge group.

6. Run:

bridge vlan-transmit enable

The interface is enabled to transparently transmit VLAN IDs.

7. Run:

vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }

The VLAN allowed by the Ethernet sub-interface is configured.

NOTE:

VLANs allowed by all sub-interfaces of a main interface cannot overlap.

The vlan allow-pass default command can be executed only on a sub-interface among all sub-

interfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other QinQ or VLAN mapping entries on a sub-interface.

8. Run:

vlan dot1q-tunnel tunnel-vlan-id [ native vid native-vlan-id ]

The basic QinQ function is configured on a sub-interface.

The vlan dot1q-tunnel command can be only executed at one time on a sub-interface and the VLAN specified by tunnel-vlan-id must be allowed by the sub-interface.

Parent topic: Configuring QinQ Tunneling

1.6.1.2 Configuring Selective QinQ

Context

You can configure selective QinQ based on the VLAN ID or 802.1p priority.


14/76



VLAN ID-based selective QinQ

When private networks connect to a carrier network through CEs and PEs, run thevlan stacking command on CE interfaces connected to PEs so that the CE interfacesadd the outer VLAN tag allocated by the carrier to user packets. This implementationsaves VLAN IDs and allows user packets to be transparently transmitted on thecarrier network.

802.1p priority-based selective QinQ

An 802.1p priority indicates a packet priority. Generally, different services of a user use different priorities. A carrier can establish different data transmission networksfor different services based on 802.1p priorities so that services on the carrier network can be differentiated.

Procedure

Configuring VLAN ID-based selective QinQ

1. Run:

system-view


2. Run:

bridge bridge-id


3. Run:

quit


4. Run:

interface { ethernet | gigabitethernet } interface-number . subinterface-number


NOTE:

Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in

Layer 2 mode and supports switching between Layer 2 and Layer 3 modes, run the undoportswitch command to switch the interface in Layer 3 mode before creating a sub-interface on the interface.

5. Run:

bridge bridge-id


6. Run:



15/76




7. Run:

vlan stacking { default | vid low-ce-vid [ to high-ce-vid ] } pe-vid pe-vid [ remark-8021p 8021p-value2 ]

VLAN ID-based selective QinQ is configured.

NOTE:VLANs allowed by all sub-interfaces of a main interface cannot overlap.

The vlan stacking default command can be executed only on a sub-interface among allsub-interfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other QinQ entries on a sub-interface.

Configuring 802.1p priority-based selective QinQ

1. Run:

system-view


2. Run:

bridge bridge-id


3. Run:

quit


4. Run:

interface { ethernet | gigabitethernet } interface-number . subinterface-number


NOTE:

Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works inLayer 2 mode and supports switching between Layer 2 and Layer 3 modes, run the undoportswitch command to switch the interface in Layer 3 mode before creating a sub-

interface on the interface.

5. Run:

bridge bridge-id


6. Run:




16/76



7. Run:

vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }

The VLAN allowed by the Ethernet sub-interface is configured.

NOTE:

VLANs allowed by all sub-interfaces of a main interface cannot overlap.

The vlan allow-pass default command can be executed only on a sub-interface among allsub-interfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other QinQ or VLAN mapping entries on a sub-interface.

8. Run:

vlan stacking 8021p 8021p-value1 pe-vid pe-vid [ remark-8021p 8021p-value2 ]

802.1p priority-based selective QinQ is configured.

Parent topic: Configuring QinQ Tunneling

1.6.2 Configuring Termination Sub-interfaceto Access an L2VPN Network

A CE accesses the ISP network through PEs. User data packets sent by the CE to a PE containone or double tags. You need to connect the sub-interfaces on the PE to a VPN network to

enable CEs to communicate with each other.

Configuring a Sub-interface for Dot1q VLAN Tag Termination

Configuring a Sub-interface for QinQ VLAN Tag Termination

Configuring the L2VPN

Checking the Configuration


1.6.2.1 Configuring a Sub-interface for Dot1qVLAN Tag Termination

Context


17/76



A sub-interface for dot1q VLAN tag termination can terminate single-tagged user packets. Thefollowing operations are performed on a user-side interface of a PE.

Procedure

1. Run:

system-view

The system view is displayed.2. Run:



3. Run:

dot1q termination vid vid

The sub-interface is configured to terminate single-tagged packets.

NOTE:

After a sub-interface for VLAN tag termination is configured, ensure that ARP broardcast is enabledon the sub-interface. For details, see the arp broadcast enable command.

Parent topic: Configuring Termination Sub-interface to Access an L2VPN Network

1.6.2.2 Configuring a Sub-interface for QinQVLAN Tag Termination

Context

A sub-interface for QinQ VLAN tag termination can terminate double-tagged user packets.

Sub-interfaces for QinQ termination access an L2VPN in symmetrical mode or inasymmetrical mode. User packets access an L2VPN in different modes. PEs process these

packets in the ways described in the following tables.

Table 1 Packet processing on the inbound interface

Type of the Inbound Interface VLL/PWE3

Ethernet Encapsulation VLAN Encapsulation

Symmetrical Strips the outer tag. Reserves the double tags, and noaction is required.

Asymmetrical Strips the double tags. Strips two tags and then addsone tag.


18/76



Table 2 Packet processing on the outbound interface

Type of the Outbound Interface VLL/PWE3

Ethernet Encapsulation VLAN Encapsulation

Symmetrical Adds the outer tag. Replaces the outer tag.

Asymmetrical Adds double tags. Strips one tag and then addsdouble tags

The following operations are performed on a user-side interface of a PE.

Procedure

1. Run:

system-view

The system view is displayed.2. Run:



3. Run:

qinq termination l2 { symmetry | asymmetry }

The attributes of the QinQ termination sub-interface are configured.

By default, the QinQ termination sub-interface uses the asymmetrical mode.4. Run:

qinq termination pe-vid pe-vid ce-vid ce-vid

The sub-interface is configured to terminate double-tagged packets.

NOTE:



1.6.2.3 Configuring the L2VPN

Termination sub-interfaces support VLL access. You can configure L2VPN on the CE, PE,and P. For details, see "VLL Configuration" in the Huawei

AR150&AR160&AR200&AR1200&AR2200&AR3200 Series Enterprise Routers


19/76



Configuration Guide - VPN .


1.6.2.4 Checking the Configuration

Procedure

Run the display dot1q information termination [ interface interface-typeinterface-number [. subinterface-number ] ] command to check information about adot1q sub-interface.

Run the display qinq information termination [ interface interface-type interface-number [. subinterface-number ] ] command to check information about a QinQ sub-interface.

Run the display vll ccc [ ccc-name | type local ] command to check informationabout a CCC connection.

Run the display mpls static-l2vc command to check information about an SVCL2VPN VC.

Run the display mpls l2vc command on the PE to check information about theMartini VLL on the local PE.

Run the display mpls l2vc remote-info command on the PE to check informationabout the Martini VLL on the remote PE.


1.6.3 Configuring Termination Sub-interfaceto Access an L3VPN Network

A CE accesses the ISP network through PEs. User data packets sent by the CE to a PE containone or double tags. You need to connect the sub-interfaces on the PE to an L3VPN to enableCEs to communicate with each other.

Configuring a Sub-interface for Dot1q VLAN Tag Termination

Configuring a Sub-interface for QinQ VLAN Tag Termination

Configuring the L3VPN

Checking the Configuration


20/76




1.6.3.1 Configuring a Sub-interface for Dot1qVLAN Tag Termination

Context

A sub-interface for dot1q VLAN tag termination can terminate single-tagged user packets. Thefollowing operations are performed on a user-side interface of a PE.

Procedure

1. Run:

system-view


2. Run:



3. Run:

ip binding vpn-instance vpn-instance-name

The sub-interface is bound to the VPN instance.

4. Run:

ip address ip-address { mask | mask-length } [ sub ]

An IP address is configured for the Ethernet sub-interface.

NOTE:

When two or more IP addresses are configured for an Ethernet interface, the keyword sub must beused to indicate the second IP address and subsequent IP addresses.

5. Run:

dot1q termination vid vid

The sub-interface is configured to terminate single-tagged packets.

NOTE:




21/76



1.6.3.2 Configuring a Sub-interface for QinQVLAN Tag Termination

Context

A sub-interface for QinQ VLAN tag termination can terminate double-tagged user packets.The following operations are performed on a user-side interface of a PE.

Procedure

1. Run:

system-view


2. Run:



3. Run:

ip binding vpn-instance vpn-instance-name

The sub-interface is bound to the VPN instance.

4. Run:

ip address ip-address { mask | mask-length } [ sub ]

An IP address is configured for the Ethernet sub-interface.

NOTE:

When two or more IP addresses are configured for an Ethernet interface, the keyword sub must beused to indicate the second IP address and subsequent IP addresses.

5. Run:

qinq termination pe-vid pe-vid ce-vid ce-vid

The sub-interface is configured to terminate double-tagged packets.

NOTE:



1.6.3.3 Configuring the L3VPN


22/76


23/76



The qinq protocol command identifies incoming packets, and adds or changes the TPID value of outgoing packets.The protocol IDs set by the qinq protocol command cannot be the same as well-known protocol IDs.Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot

be set to 0x0806, which is the ARP protocol ID.

Procedure

1. Run:system-view


2. Run:

interface interface-type interface-number

The interface view is displayed.

3. Run:

qinq protocol protocol-id

The protocol type in the outer VLAN tag is set.

By default, the TPID value in the outer VLAN tag is 0x8100.


1.7 Configuration Examples

This section provides several configuration examples of QinQ.

Example for Configuring basic QinQ

Example for Configuring Selective QinQ

Example for Configuring VLL Access Through Dot1q Sub-interfaces

Example for Configuring a QinQ Sub-interface to Access a VLL Network

Example for Configuring a Sub-interface for Dot1q VLAN Tag Termination toAccess an L3VPN Network

Example for Configuring a Sub-interface for QinQ VLAN Tag Termination toAccess an L3VPN Network



24/76



1.7.1 Example for Configuring basic QinQ

Networking Requirements

As shown in Figure 1 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs areassigned.

The requirements are as follows:

VLANs are assigned independently in enterprise A, and are independent of carrier VLANs or VLANs of other enterprises.

Traffic between two branches of enterprise A is transparently transmitted through the public network, users using the same service in different branches of enterprise A areallowed to communicate, and users using different services must be isolated.

Figure 1 Networking diagram for configuring basic QinQ

Configuration Roadmap

The configuration roadmap is as follows:

You can configure the basic QinQ function on the CE connected to the PE and implementcommunication between two branches of enterprise A through VLAN 20 provided by thecarrier.

1. Create a bridge group and add a sub-interface to the bridge group.

2. Configure VLANs allowed by a sub-interface.

3. Configure basic QinQ on the CE interface connected to the PE so that the CE canthe S-VLAN tag to user packets.


25/76



4. Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 areallowed to pass through.

Procedure


system-view[Huawei] sysname CE1[CE1] bridge 1[CE1-bridge1] quit[CE1] interface gigabitethernet 0/0/0.1[CE1-GigabitEthernet0/0/0.1] bridge 1[CE1-GigabitEthernet0/0/0.1] bridge vlan-transmit enable

The configuration of CE2 is similar to that of CE1, and is not mentioned here.

2. Configure VLANs allowed by a sub-interface.

[CE1-GigabitEthernet0/0/0.1] vlan allow-pass vid 10 to 50


3. Configure CE1 interface connected to the PE to add a VLAN tag to user packets.[CE1-GigabitEthernet0/0/0.1] vlan dot1q-tunnel 20[CE1-GigabitEthernet0/0/0.1] quit


4. Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.

system-view[Huawei] sysname PE1[PE1] vlan batch 20[PE1] interface gigabitethernet 0/0/0[PE1-GigabitEthernet0/0/0] port link-type trunk[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20[PE1-GigabitEthernet0/0/0] quit[PE1] interface gigabitethernet 0/0/1[PE1-GigabitEthernet0/0/1] port link-type trunk[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20[PE1-GigabitEthernet0/0/1] quit

The configurations of PE2 and P are similar to the configuration of PE1, and are notmentioned here.

5. Verify the configuration.

On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other branch in enterprise A. The ping operation succeeds, indicating that usersusing the same service can communicate with each other.

Configuration Files

Configuration file of CE1

# sysname CE1#bridge 1#


26/76



interface GigabitEthernet0/0/0#interface GigabitEthernet0/0/0.1 bridge 1 bridge vlan-transmit enable vlan allow-pass vid 10 to 50

vlan dot1q-tunnel 20#return

Configuration file of CE2# sysname CE2#bridge 1#interface GigabitEthernet0/0/0#interface GigabitEthernet0/0/0.1 bridge 1 bridge vlan-transmit enable vlan allow-pass vid 10 to 50

vlan dot1q-tunnel 20#return

Configuration file of PE1

# sysname PE1# vlan batch 20#interface GigabitEthernet0/0/0 port link-type trunk

port trunk allow-pass vlan 20#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20#return


# sysname PE2# vlan batch 20#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20#return

Configuration file of P


27/76



# sysname P# vlan batch 20#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20#return

Parent topic: Configuration Examples

1.7.2 Example for Configuring Selective QinQ


As shown in Figure 1 , enterprise A has two branches that connect to the carrier network through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs areassigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services aretransmitted in VLAN 31 to VLAN 50.

The requirements are as follows:

VLANs are assigned independently in enterprise A, and are independent of carrier VLANs or VLANs of other enterprises.

Traffic between two branches of enterprise A is transparently transmitted through the public network, users using the same service in different branches of enterprise A areallowed to communicate, and users using different services must be isolated.

Voice services with high priority are transmitted first.

Figure 1 Networking diagram for configuring selective QinQ


28/76





You can configure selective QinQ on the CE user-side interface and implementcommunication between two branches of enterprise A through VLAN 20 and VLAN 21

provided by the carrier.


2. Configure VLANs allowed by the sub-interface on the user side of the CE,configure the CE user-side interface to add different outer VLAN tags to packetswith different user VLAN IDs, and re-mark voice services with high priority.

3. Add the CE interface connected to the PE, PE interface, and P interface to VLAN20 and VLAN 21 so that packets from VLAN 20 and VLAN 21 are allowed to passthrough.

Procedure


system-view[Huawei] sysname CE1[CE1] bridge 1[CE1-bridge1] quit[CE1] interface gigabitethernet 0/0/1.1[CE1-GigabitEthernet0/0/1.1] bridge 1[CE1-GigabitEthernet0/0/1.1] bridge vlan-transmit enable[CE1-GigabitEthernet0/0/1.1] quit[CE1] interface gigabitethernet 0/0/1.2


29/76



[CE1-GigabitEthernet0/0/1.2] bridge 1[CE1-GigabitEthernet0/0/1.2] bridge vlan-transmit enable[CE1-GigabitEthernet0/0/1.2] quit


2. Configure CE1 user-side interface to add VLAN tags to user packets and re-mark voice services with high priority.

[CE1] interface gigabitethernet 0/0/1.1

[CE1-GigabitEthernet0/0/1.1] vlan stacking vid 10 to 30 pe-vid 20[CE1-GigabitEthernet0/0/1.1] quit[CE1] interface gigabitethernet 0/0/1.2[CE1-GigabitEthernet0/0/1.2] vlan stacking vid 31 to 50 pe-vid 21 remark-8021p 7[CE1-GigabitEthernet0/0/1.2] quit


3. Add GE0/0/0 on CE1, and GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 and VLAN21 in trunk mode.

# Add GE10/0/0 on CE1 to VLAN 20 and VLAN 21 in trunk mode. The

configuration of CE2 is similar to that of CE1, and is not mentioned here.[CE1] vlan batch 20 to 21[CE1] interface gigabitethernet 0/0/0[CE1-GigabitEthernet0/0/0] port link-type trunk[CE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20 21[CE1-GigabitEthernet0/0/0] quit

# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 and VLAN 21 in trunk mode. Theconfigurations of PE2 and P are similar to the configuration of PE1, and are notmentioned here.

system-view[Huawei] sysname PE1[PE1] vlan batch 20 to 21[PE1] interface gigabitethernet 0/0/0[PE1-GigabitEthernet0/0/0] port link-type trunk[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20 21[PE1-GigabitEthernet0/0/0] quit[PE1] interface gigabitethernet 0/0/1[PE1-GigabitEthernet0/0/1] port link-type trunk[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 21[PE1-GigabitEthernet0/0/1] quit


On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other branch in enterprise A. The ping operation succeeds, indicating that usersusing the same service can communicate with each other.

Configuration Files


# sysname CE1# vlan batch 20 to 21#


30/76



bridge 1#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20 to 21#interface GigabitEthernet0/0/1#interface GigabitEthernet0/0/1.1 bridge 1

bridge vlan-transmit enable vlan stacking vid 10 to 30 pe-vid 20#interface GigabitEthernet0/0/1.2 bridge 1

bridge vlan-transmit enable vlan stacking vid 31 to 50 pe-vid 21 remark 8021p 7#return


#

sysname CE2# vlan batch 20 to 21#bridge 1#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20 to 21#interface GigabitEthernet0/0/1#interface GigabitEthernet0/0/1.1 bridge 1

bridge vlan-transmit enable vlan stacking vid 10 to 30 pe-vid 20#interface GigabitEthernet0/0/1.2 bridge 1

bridge vlan-transmit enable vlan stacking vid 31 to 50 pe-vid 21 remark 8021p 7#return


# sysname PE1# vlan batch 20 to 21#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20 to 21#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20 to 21#


31/76



return


# sysname PE2# vlan batch 20 to 21#interface GigabitEthernet0/0/0

port link-type trunk port trunk allow-pass vlan 20 to 21#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20 to 21#return


# sysname P# vlan batch 20 to 21#interface GigabitEthernet0/0/0 port link-type trunk port trunk allow-pass vlan 20 to 21#interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 20 to 21#return


1.7.3 Example for Configuring VLL AccessThrough Dot1q Sub-interfaces


As shown in Figure 1 , CE1 and CE2 are connected to PE1 and PE2 respectively throughVLANs.

A Martini VLL is created between CE1 and CE2 so that user networks connected to CE1 andCE2 can communicate.

Figure 1 Networking diagram for configuring a sub-interface for dot1q VLAN tag termination toaccess a VLL network


32/76





1. Configure an IGP on the PE and P devices on the backbone network to ensure

reachability between them, and enable MPLS.2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel

for data transmission.

3. Enable MPLS L2VPN and create VC connections on the PEs.

4. Configure the dot1q sub-interfaces on the PE interfaces connecting to CEs toimplement VLL access.

Procedure

1. Configure IP addresses for interfaces on the CE, PE and P devices according toFigure 1 .

CE1 is used as an example.

# Configure CE1.

system-view[Huawei] sysname CE1[CE1] interface gigabitethernet 1/0/0.1[CE1-GigabitEthernet1/0/0] ip address 100.1.1.1 255.255.255.0[CE1-GigabitEthernet1/0/0] quit

The configuration details of other devices are not mentioned here.

2. Configure packets sent from CEs to PEs carry a VLAN tag.

This example uses VLAN 10.

# Configure CE1.

[CE1] interface gigabitethernet 1/0/0.1[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10[CE1-GigabitEthernet1/0/0.1] quit

# Configure CE2.

[CE2] interface gigabitethernet 1/0/0.1


33/76



[CE2-GigabitEthernet1/0/0.1] dot1q termination vid 10[CE2-GigabitEthernet1/0/0.1] quit

3. Configure IGP on the MPLS backbone network. (In this example, OSPF is used.)

When configuring OSPF, advertise the 32-bit addresses of loopback interfaces onPEs and P. The loopback interface addresses are the LSR IDs.

PE1 is used as an example.

# Configure PE1.

[PE1] ospf 1[PE1-ospf-1] area 0[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0[PE1-ospf-1-area-0.0.0.0] quit[PE1-ospf-1] quit


4. Configure the basic MPLS capabilities and MPLS LDP on the MPLS network.

# Configure PE1.

[PE1] mpls lsr-id 1.1.1.9[PE1] mpls[PE1-mpls] quit[PE1] mpls ldp[PE1-mpls-ldp] quit[PE1] interface gigabitethernet 2/0/0[PE1-GigabitEthernet2/0/0] mpls[PE1-GigabitEthernet2/0/0] mpls ldp[PE1-GigabitEthernet2/0/0] quit

# Configure the P.

[P] mpls lsr-id 2.2.2.9

[P] mpls[P-mpls] quit[P] mpls ldp[P-mpls-ldp] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] mpls[P-GigabitEthernet2/0/0] mpls ldp[P-GigabitEthernet2/0/0] quit[P] interface gigabitethernet 1/0/0[P-GigabitEthernet1/0/0] mpls[P-GigabitEthernet1/0/0] mpls ldp[P-GigabitEthernet1/0/0] quit

# Configure PE2.[PE2] mpls lsr-id 3.3.3.9[PE2] mpls[PE2-mpls] quit[PE2] mpls ldp[PE2-mpls-ldp] quit[PE2] interface gigabitethernet 1/0/0[PE2-GigabitEthernet1/0/0] mpls[PE2-GigabitEthernet1/0/0] mpls ldp[PE2-GigabitEthernet1/0/0] quit

5. Set up a remote LDP session between PEs.


34/76



# Configure PE1.

[PE1] mpls ldp remote-peer 3.3.3.9[PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9[PE1-mpls-ldp-remote-3.3.3.9] quit

# Configure PE2.


After the configuration, run the display mpls ldp session command on PE1 to viewthe establishment of the LDP session. You can find that an LDP session is set up

between PE1 and PE2.

Take the display on PE1 for example.

[PE1] display mpls ldp session

LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)

A '*' before a session means the session is being deleted.

------------------------------------------------------------------------------

PeerID Status LAM SsnRole SsnAge KASent/Rcv

------------------------------------------------------------------------------

2.2.2.9:0 Operational DU Passive 0000:00:11 46/45


------------------------------------------------------------------------------

TOTAL: 2 session(s) Found.

6. Enable MPLS L2VPN and create VCs on the PEs.

# Configure PE1: Create a VC on GE1/0/0.1, which is connected to CE1.

[PE1] mpls l2vpn[PE1-l2vpn] mpls l2vpn default martini[PE1-l2vpn] quit[PE1] interface gigabitethernet 1/0/0.1[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101[PE1-GigabitEthernet1/0/0.1] quit


[PE2] mpls l2vpn[PE2-l2vpn] mpls l2vpn default martini[PE2-l2vpn] quit[PE2] interface gigabitethernet 2/0/0.1[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 10


35/76



[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.9 101[PE2-GigabitEthernet2/0/0.1] quit


View the L2VPN connection information on the PEs, and you can see that an L2VCis set up and is in Up state.


[PE1] display mpls l2vc interface gigabitethernet 1/0/0.1 *client interface : GigabitEthernet1/0/0.1 is up

Administrator PW : no

session state : up

AC status : up

VC state : up

Label state : 0

Token state : 0VC ID : 101

VC type : VLAN

destination : 3.3.3.9

local group ID : 0 remote group ID : 0

local VC label : 1024 remote VC label : 1024

local AC OAM State : up

local PSN OAM State : up

local forwarding state : forwarding

local status code : 0x0

remote AC OAM state : up

remote PSN OAM state : up

remote forwarding state: forwarding

remote status code : 0x0

ignore standby state : no

BFD for PW : unavailable

VCCV State : up

manual fault : not set

active state : active


36/76



forwarding entry : exist

link state : up

local VC MTU : 1500 remote VC MTU : 1500

local VCCV : alert ttl lsp-ping bfd

remote VCCV : alert ttl lsp-ping bfd

local control word : disable remote control word : disable

tunnel policy name : --

PW template name : --

primary or secondary : primary

load balance type : flow

Access-port : false

Switchover Flag : false

VC tunnel/token info : 1 tunnels/tokens

NO.0 TNL type : lsp , TNL ID : 0x5

Backup TNL type : lsp , TNL ID : 0x0

create time : 0 days, 0 hours, 27 minutes, 15 seconds

up time : 0 days, 0 hours, 2 minutes, 22 seconds

last change time : 0 days, 0 hours, 2 minutes, 22 seconds

VC last up time : 2011/09/26 15:29:03

VC total up time : 0 days, 0 hours, 2 minutes, 22 seconds

CKey : 5

NKey : 4

PW redundancy mode : frr

AdminPw interface : --

AdminPw link state : --

Diffserv Mode : uniform

Service Class : --

Color : --

DomainId : --

Domain Name : --


37/76



CE1 and CE2 can ping each other.

Take the display on CE1 for example.

[CE1] ping 100.1.1.2 PING 100.1.1.2: 56 data bytes, press CTRL_C to break Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=10 ms Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=5 ms Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=28 ms --- 100.1.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/15/31 ms

Configuration Files


# sysname CE1#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 dot1q termination vid 10 ip address 100.1.1.1 255.255.255.0#return


# sysname PE1#mpls lsr-id 1.1.1.9mpls#mpls l2vpn mpls l2vpn default martini#mpls ldp#mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 dot1q termination vid 10 mpls l2vc 3.3.3.9 101#interface GigabitEthernet2/0/0 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp#


38/76



interface LoopBack1 ip address 1.1.1.9 255.255.255.255#ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255#return

Configuration file of P# sysname P#mpls lsr-id 2.2.2.9mpls#mpls ldp#interface GigabitEthernet1/0/0 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp#interface GigabitEthernet2/0/0 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 2.2.2.9 255.255.255.255#ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255#return


# sysname PE2#mpls lsr-id 3.3.3.9mpls#mpls l2vpn mpls l2vpn default martini#mpls ldp#mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9#interface GigabitEthernet1/0/0 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp#


39/76



interface GigabitEthernet2/0/0#interface GigabitEthernet2/0/0.1 dot1q termination vid 10 mpls l2vc 1.1.1.9 101#interface LoopBack1 ip address 3.3.3.9 255.255.255.255#ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255#return


# sysname CE2#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 dot1q termination vid 10 ip address 100.1.1.2 255.255.255.0#return


1.7.4 Example for Configuring a QinQ Sub-interface to Access a VLL Network


As shown in Figure 1 , CE1 and CE2 are connected to PE1 and PE2 respectively throughVLANs.

A Martini VLL is created between CE1 and CE2 so that user networks connected to CE1 andCE2 can communicate.

Figure 1 Networking diagram for configuring a sub-interface for dot1q VLAN tag termination toaccess a VLL network


40/76


41/76



[CE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10[CE2-GigabitEthernet1/0/0.1] quit

3. Configure IGP on the MPLS backbone network. (In this example, OSPF is used.)

When configuring OSPF, advertise the 32-bit addresses of loopback interfaces onPEs and P. The loopback interface addresses are the LSR IDs.

PE1 is used as an example.

# Configure PE1.

[PE1] ospf 1[PE1-ospf-1] area 0[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0[PE1-ospf-1-area-0.0.0.0] quit[PE1-ospf-1] quit


4. Configure the basic MPLS capabilities and MPLS LDP on the MPLS network.

# Configure PE1.


# Configure the P.

[P] mpls lsr-id 2.2.2.9

[P] mpls[P-mpls] quit[P] mpls ldp[P-mpls-ldp] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] mpls[P-GigabitEthernet2/0/0] mpls ldp[P-GigabitEthernet2/0/0] quit[P] interface gigabitethernet 1/0/0[P-GigabitEthernet1/0/0] mpls[P-GigabitEthernet1/0/0] mpls ldp[P-GigabitEthernet1/0/0] quit


5. Set up a remote LDP session between PEs.


42/76



# Configure PE1.


# Configure PE2.


After the configuration, run the display mpls ldp session command on PE1 to viewthe establishment of the LDP session. You can find that an LDP session is set up

between PE1 and PE2.



LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)

A '*' before a session means the session is being deleted.

------------------------------------------------------------------------------

PeerID Status LAM SsnRole SsnAge KASent/Rcv

------------------------------------------------------------------------------



------------------------------------------------------------------------------

TOTAL: 2 session(s) Found.

6. Enable MPLS L2VPN and create VCs on the PEs.


[PE1] mpls l2vpn[PE1-l2vpn] mpls l2vpn default martini

[PE1-l2vpn] quit[PE1] interface gigabitethernet 1/0/0.1[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.9 101[PE1-GigabitEthernet1/0/0.1] quit


[PE2] mpls l2vpn[PE2-l2vpn] mpls l2vpn default martini[PE2-l2vpn] quit[PE2] interface gigabitethernet 2/0/0.1[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10


43/76



[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.9 101[PE2-GigabitEthernet2/0/0.1] quit


View the L2VPN connection information on the PEs, and you can see that an L2VCis set up and is in Up state.


[PE1] display mpls l2vc interface gigabitethernet 1/0/0.1 *client interface : GigabitEthernet1/0/0.1 is up

Administrator PW : no

session state : up

AC status : up

VC state : up

Label state : 0

Token state : 0VC ID : 101

VC type : VLAN

destination : 3.3.3.9

local group ID : 0 remote group ID : 0

local VC label : 1024 remote VC label : 1024

local AC OAM State : up

local PSN OAM State : up

local forwarding state : forwarding

local status code : 0x0

remote AC OAM state : up

remote PSN OAM state : up

remote forwarding state: forwarding

remote status code : 0x0

ignore standby state : no

BFD for PW : unavailable

VCCV State : up

manual fault : not set

active state : active


44/76



forwarding entry : exist

link state : up

local VC MTU : 1500 remote VC MTU : 1500

local VCCV : alert ttl lsp-ping bfd

remote VCCV : alert ttl lsp-ping bfd

local control word : disable remote control word : disable

tunnel policy name : --

PW template name : --

primary or secondary : primary

load balance type : flow

Access-port : false

Switchover Flag : false

VC tunnel/token info : 1 tunnels/tokens

NO.0 TNL type : lsp , TNL ID : 0x5

Backup TNL type : lsp , TNL ID : 0x0

create time : 0 days, 0 hours, 27 minutes, 15 seconds

up time : 0 days, 0 hours, 2 minutes, 22 seconds

last change time : 0 days, 0 hours, 2 minutes, 22 seconds

VC last up time : 2011/09/26 15:29:03

VC total up time : 0 days, 0 hours, 2 minutes, 22 seconds

CKey : 5

NKey : 4

PW redundancy mode : frr

AdminPw interface : --

AdminPw link state : --

Diffserv Mode : uniform

Service Class : --

Color : --

DomainId : --

Domain Name : --


45/76



CE1 and CE2 can ping each other.

Take the display on CE1 for example.

[CE1] ping 100.1.1.2 PING 100.1.1.2: 56 data bytes, press CTRL_C to break Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=10 ms Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=5 ms Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=28 ms --- 100.1.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/15/31 ms

Configuration Files


# sysname CE1#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 qinq termination pe-vid 100 ce-vid 10 ip address 100.1.1.1 255.255.255.0#return


# sysname PE1#mpls lsr-id 1.1.1.9mpls#mpls l2vpn mpls l2vpn default martini#mpls ldp#mpls ldp remote-peer 3.3.3.9 remote-ip 3.3.3.9#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 qinq termination pe-vid 100 ce-vid 10 mpls l2vc 3.3.3.9 101#interface GigabitEthernet2/0/0 ip address 10.1.1.1 255.255.255.0 mpls mpls ldp#


46/76



interface LoopBack1 ip address 1.1.1.9 255.255.255.255#ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 10.1.1.0 0.0.0.255#return

Configuration file of P# sysname P#mpls lsr-id 2.2.2.9mpls#mpls ldp#interface GigabitEthernet2/0/0 ip address 10.1.1.2 255.255.255.0 mpls mpls ldp#interface GigabitEthernet1/0/0 ip address 10.2.2.2 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 2.2.2.9 255.255.255.255#ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255#return


# sysname PE2#mpls lsr-id 3.3.3.9mpls#mpls l2vpn mpls l2vpn default martini#mpls ldp#mpls ldp remote-peer 1.1.1.9 remote-ip 1.1.1.9#interface GigabitEthernet1/0/0 ip address 10.2.2.1 255.255.255.0 mpls mpls ldp#


47/76



interface GigabitEthernet2/0/0#interface GigabitEthernet2/0/0.1 qinq termination pe-vid 100 ce-vid 10 mpls l2vc 1.1.1.9 101#interface LoopBack1 ip address 3.3.3.9 255.255.255.255#ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 10.2.2.0 0.0.0.255#return


# sysname CE2#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 qinq termination pe-vid 100 ce-vid 10 ip address 100.1.1.2 255.255.255.0#return


1.7.5 Example for Configuring a Sub-interfacefor Dot1q VLAN Tag Termination to Access anL3VPN Network


As shown in Figure 1 , CE1 and CE3 belong to VPN-A and CE2 and CE4 belong to VPN-B.The VPN target of VPN-A is 111:1, and VPN target of VPN-B is 222:2. Users in differentVPNs cannot communicate with each other.

Figure 1 Networking diagram for configuring a sub-interface for dot1q VLAN tag termination toaccess an L3VPN network


48/76





1. Configure VPN instances on the PEs connecting to the CE on the backbonenetwork, bind the interfaces connected to CEs to the corresponding VPN instances,and specify the IP address of the interfaces connected to the CE.

2. Configure OSPF on the PEs to implement interconnection between PEs.

3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.

4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP) on PEs to exchange VPN routing information.

5. Configure EBGP on CEs and PEs to exchange VPN routing information.

6. Configure dot1q sub-interfaces on the PE interfaces connected to CEs to connect thedot1q sub-interfaces to the L3VPN network.

Procedure

1. Configure OSPF on the MPLS backbone network so that the PEs and Ps cancommunicate with each other.

# Configure PE1.

system-view[Huawei] sysname PE1[PE1] interface loopback 1[PE1-LoopBack1] ip address 1.1.1.9 32[PE1-LoopBack1] quit


49/76



[PE1] interface gigabitethernet 3/0/0[PE1-GigabitEthernet3/0/0] ip address 172.1.1.1 24[PE1-GigabitEthernet3/0/0] quit[PE1] ospf 1[PE1-ospf-1] area 0[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0[PE1-ospf-1-area-0.0.0.0] quit[PE1-ospf-1] quit

# Configure P. system-view[Huawei] sysname P[P] interface loopback 1[P-LoopBack1] ip address 2.2.2.9 32[P-LoopBack1] quit[P] interface gigabitethernet 1/0/0 [P-GigabitEthernet1/0/0] ip address 172.1.1.2 24[P-GigabitEthernet1/0/0] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] ip address 172.2.1.1 24[P-GigabitEthernet2/0/0] quit

[P] ospf[P-ospf-1] area 0[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0[P-ospf-1-area-0.0.0.0] quit[P-ospf-1] quit

# Configure PE2.

system-view[Huawei] sysname PE2[PE2] interface loopback 1

[PE2-LoopBack1] ip address 3.3.3.9 32[PE2-LoopBack1] quit[PE2] interface gigabitethernet 3/0/0 [PE2-GigabitEthernet3/0/0] ip address 172.2.1.2 24[PE2-GigabitEthernet3/0/0] quit[PE2] ospf[PE2-ospf-1] area 0[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0[PE2-ospf-1-area-0.0.0.0] quit[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be set up

between PE1, P, and PE2. Run the display ospf peer command. The commandoutput shows that the neighbor status is Full. Run the display ip routing-tablecommand. The command output shows that PEs have learned the routes toLoopback1 of each other.

The information displayed on PE1 is used as an example.

[PE1] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 11 Routes : 11


50/76



Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1 2.2.2.9/32 OSPF 10 1 D 172.1.1.2 GigabitEthernet3/0/0 3.3.3.9/32 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

172.1.1.0/24 Direct 0 0 D 172.1.1.1 GigabitEthernet3/0/0 172.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0 172.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0 172.2.1.0/24 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9 Neighbors

Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet3/0/0)'s neighbors Router ID: 2.2.2.9 Address: 172.1.1.2 State: Full Mode:Nbr is Master Priority: 1

DR: 172.1.1.1 BDR: 172.1.1.2 MTU: 0Dead timer due in 37 sec Retrans timer interval: 5 Neighbor is up for 00:16:21 Authentication Sequence: [ 0 ]

2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbonenetwork to set up LDP LSPs.

# Configure PE1.


# Configure P.

[P] mpls lsr-id 2.2.2.9[P] mpls[P-mpls] quit[P] mpls ldp


51/76



[P-mpls-ldp] quit[P] interface gigabitethernet 1/0/0[P-GigabitEthernet1/0/0] mpls[P-GigabitEthernet1/0/0] mpls ldp[P-GigabitEthernet1/0/0] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] mpls[P-GigabitEthernet2/0/0] mpls ldp[P-GigabitEthernet2/0/0] quit


After the configuration is complete, LDP sessions can be set up between PE1 and

the P and between the P and PE2. Run the display mpls ldp session command. Thecommand output shows that the Status field is Operational . Run the display mplsldp lsp command. Information about the established LDP LSPs is displayed.



LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A '*' before a session means the session is being deleted.

------------------------------------------------------------------------------

PeerID Status LAM SsnRole SsnAge KASent/Rcv ------------------------------------------------------------------------------ 2.2.2.9:0 Operational DU Active 0000:00:01 6/6 ------------------------------------------------------------------------------ TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information ------------------------------------------------------------------------------- DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface

------------------------------------------------------------------------------- 1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0

*1.1.1.9/32 Liberal/1024 DS/2.2.2.92.2.2.9/32 NULL/3 - 172.1.1.2 GE3/0/0

2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 GE3/0/0

3.3.3.9/32 NULL/1025 - 172.1.1.2 GE3/0/0


52/76



3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 GE3/0/0

------------------------------------------------------------------------------- TOTAL: 5 Normal LSP(s) Found. TOTAL: 1 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s) Found. A '*' before an LSP means the LSP is not established

A '*' before a Label means the USCB or DSCB is stale

A '*' before a UpstreamPeer means the session is stale

A '*' before a DS means the session is stale

A '*' before a NextHop means the LSP is FRR LSP

3. Configure packets sent from CEs to PEs carry a VLAN tag.

Here, the VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and the VLANID in packets sent by CE2 and CE4 is VLAN 20.

# Configure CE1.

system-view[Huawei] sysname CE1[CE1] interface gigabitethernet 1/0/0.1[CE1-GigabitEthernet1/0/0.1] ip address 100.1.1.1 255.255.255.0[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10[CE1-GigabitEthernet1/0/0.1] quit

# Configure CE2.


# Configure CE3.


# Configure CE4.


4. Configure VPN instances on PEs and bind the instances to the interfaces connectedto CEs.

# Configure PE1.

[PE1] ip vpn-instance vpna


53/76



[PE1-vpn-instance-vpna] ipv4-family[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[PE1-vpn-instance-vpna-af-ipv4] quit[PE1-vpn-instance-vpna] quit[PE1] ip vpn-instance vpnb[PE1-vpn-instance-vpnb] ipv4-family[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both[PE1-vpn-instance-vpna-af-ipv4] quit[PE1-vpn-instance-vpnb] quit[PE1] interface gigabitethernet 1/0/0.1[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10[PE1-GigabitEthernet1/0/0.1] quit[PE1] interface gigabitethernet 2/0/0.1[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24[PE1-GigabitEthernet2/0/0.1] dot1q termination vid 20[PE1-GigabitEthernet2/0/0.1] quit

# Configure PE2.

[PE2] ip vpn-instance vpna[PE2-vpn-instance-vpna] ipv4-family[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[PE2-vpn-instance-vpna-af-ipv4] quit[PE2-vpn-instance-vpna] quit[PE2] ip vpn-instance vpnb[PE2-vpn-instance-vpnb] ipv4-family[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both[PE2-vpn-instance-vpnb-af-ipv4] quit[PE2-vpn-instance-vpnb] quit[PE2] interface gigabitethernet 1/0/0.1[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10[PE2-GigabitEthernet1/0/0.1] quit[PE2] interface gigabitethernet 2/0/0.1[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20[PE2-GigabitEthernet2/0/0.1] quit

After the configuration is complete, run the display ip vpn-instance verbosecommand on the PEs to check the configuration of VPN instances. Each PE can

ping its connected CE.

NOTE:

If a PE has multiple interfaces bound to the same VPN instance, specify a source IP addresses bysetting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE. If the source IP address is not specified, the pingoperation fails.


[PE1] display ip vpn-instance verbose


54/76


55/76



After the configuration is complete, run the display bgp peer or display bgp vpnv4all peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs.

[PE1] display bgp peer

BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down StatePrefRcv

3.3.3.9 4 100 12 6 0 00:02:21 Established 0

[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down StatePrefRcv

3.3.3.9 4 100 12 18 0 00:09:38 Established 0

6. Set up EBGP peer relationships between the PEs and CEs and import VPN routesinto BGP.

# Configure CE1.

[CE1] bgp 65410[CE1-bgp] peer 10.1.1.2 as-number 100[CE1-bgp] import-route direct[CE1-bgp] quit

NOTE:

The configuration on other CEs is similar to the configuration on CE1 and is not mentioned here.

# Configure PE1.

[PE1] bgp 100[PE1-bgp] ipv4-family vpn-instance vpna[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410[PE1-bgp-vpna] import-route direct

[PE1-bgp-vpna] quit[PE1-bgp] ipv4-family vpn-instance vpnb[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420[PE1-bgp-vpnb] import-route direct[PE1-bgp-vpnb] quit[PE1-bgp] quit

NOTE:

The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

After the configuration is complete, run the display bgp vpnv4 vpn-instance peercommand on the PEs. The command output shows that BGP peer relationships have


56/76


57/76



Destination/Mask Proto Pre Cost Flags NextHop Interface

10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0 10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet3/0/0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.

For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.

[CE1] ping 10.3.1.1 PING 10.3.1.1: 56 data bytes, press CTRL_C to break Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms

Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms --- 10.3.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/48/72 ms[CE1] ping 10.4.1.1 PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out

--- 10.4.1.1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss

Configuration Files


# sysname PE1#

ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity#ip vpn-instance vpnb ipv4-family route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity# mpls lsr-id 1.1.1.9


58/76



mpls#mpls ldp#interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0.1 dot1q termination vid 10 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0#interface GigabitEthernet2/0/0#interface GigabitEthernet2/0/0.1 dot1q termination vid 20 ip binding vpn-instance vpnb ip address 10.2.1.2 255.255.255.0#interface GigabitEthernet3/0/0 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp

#interface LoopBack1 ip address 1.1.1.9 255.255.255.255#bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4

policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpna import-route direct peer 10.1.1.1 as-number 65410# ipv4-family vpn-instance vpnb import-route direct peer 10.2.1.1 as-number 65420#ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 172.1.1.0 0.0.0.255#return


# sysname P# mpls lsr-id 2.2.2.9 mpls#


59/76



mpls ldp#interface GigabitEthernet1/0/0 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp#interface GigabitEthernet2/0/0 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 2.2.2.9 255.255.255.255#ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255#return

Configuration file of PE2# sysname PE2#ip vpn-instance vpna

ipv4-familyroute-distinguisher 200:1

vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity#ip vpn-instance vpnb

ipv4-familyroute-distinguisher 200:2

vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity# mpls lsr-id 3.3.3.9 mpls#mpls ldp#interface GigabitEthernet1/0/0

#interface GigabitEthernet1/0/0.1 dot1q termination vid 10 ip binding vpn-instance vpna ip address 10.3.1.2 255.255.255.0#interface GigabitEthernet2/0/0#interface GigabitEthernet2/0/0.1 dot1q termination vid 20 ip binding vpn-instance vpnb ip address 10.4.1.2 255.255.255.0#


60/76



interface GigabitEthernet3/0/0 ip address 172.2.1.2 255.255.255.0 mpls mpls ldp#interface LoopBack1 ip address 3.3.3.9 255.255.25

qinq configuration.pdf

Documents