Operation Manual - Vlan-Qinq H3C S9500 Series Routing Switches

Operation Manual VLAN-QinQ H3C S9500 Series Routing Switches
Table of Contents
Table of Contents
Chapter 1 VLAN Configuration .................................................................................................. 1-1 1.1 VLAN Overview ................................................................................................................ 1-1 1.2 Configuring VLAN ............................................................................................................ 1-1 1.2.1 Creating/Deleting a VLAN ...................................................................................................1-1 1.2.2 Specifying a Description Character String for a VLAN or VLAN interface ...................1-2 1.2.3 Naming the Current VLAN ..................................................................................................1-2 1.2.4 Creating/Removing a VLAN Interface ...............................................................................1-3 1.2.5 Shutting down/Bringing up a VLAN Interface ...................................................................1-3 1.3 Configuring Port-Based VLAN ........................................................................................ 1-4 1.3.1 Adding Ethernet Ports to a VLAN .......................................................................................1-4 1.4 Configuring Protocol-Based VLAN ................................................................................. 1-4 1.4.1 Creating/Deleting a VLAN Protocol Type ..........................................................................1-4 1.4.2 Associating/Dissociating a Port with/from a Protocol-Based VLAN ..............................1-4 1.5 Configure the CPU Port in an VLAN............................................................................... 1-5 1.6 Displaying and Debugging a VLAN ................................................................................ 1-6 1.7 VLAN Configuration Example ......................................................................................... 1-6 Chapter 2 GARP/GVRP Configuration ..................................................................................... 2-1 2.1 Configuring GARP............................................................................................................ 2-1 2.1.1 GARP Overview ....................................................................................................................2-1 2.1.2 Setting the GARP Timer ......................................................................................................2-2 2.1.3 Displaying and Debugging GARP......................................................................................2-3 2.2 Configuring GVRP............................................................................................................ 2-3 2.2.1 GVRP Overview ....................................................................................................................2-3 2.2.2 Enabling/Disabling Global GVRP .......................................................................................2-4 2.2.3 Enabling/Disabling Port GVRP ...........................................................................................2-5 2.2.4 Setting the GVRP Registration Type .................................................................................2-5 2.2.5 Displaying and Debugging GVRP......................................................................................2-6 2.2.6 GVRP Configuration Example ............................................................................................2-6 Chapter 3 Super VLAN Configuration ...................................................................................... 3-1 3.1 Super VLAN Overview ..................................................................................................... 3-1 3.2 Configuring a Super VLAN .............................................................................................. 3-1 3.2.1 Configuration Tasks ..............................................................................................................3-1 3.2.2 Super VLAN Configuration Example .................................................................................3-3 Chapter 4 Isolate-user-VLAN Configuration ........................................................................... 4-1 4.1 Isolate-user-VLAN Overview ........................................................................................... 4-1 4.2 Configuration Tasks ......................................................................................................... 4-1 4.2.1 Configuring an isolate-user-VLAN......................................................................................4-2
i
Table of Contents
4.2.2 Configuring a Secondary VLAN .........................................................................................4-2 4.2.3 Mapping an isolate-user-vlan to Secondary VLANs .......................................................4-3 4.3 Displaying and Debugging an isolate-user-VLAN ......................................................... 4-4 4.4 Isolate-user-VLAN Configuration Example .................................................................... 4-4 Chapter 5 Q-in-Q Configuration ................................................................................................ 5-1 5.1 Q-in-Q Overview .............................................................................................................. 5-1 5.1.1 Introduction to Q-in-Q ...........................................................................................................5-1 5.1.2 Implementation of Q-in-Q ....................................................................................................5-2 5.1.3 Adjusting TPID Values of Q-in-Q Packets .........................................................................5-2 5.2 Configuration of VLAN VPN Feature on a Port ............................................................. 5-3 5.2.1 Configuration Prerequisites .................................................................................................5-3 5.2.2 Configuration procedure ......................................................................................................5-3 5.3 Traffic ClassificationBased Nested VLAN Configuration ............................................ 5-4 5.3.1 Configuration prerequisites..................................................................................................5-4 5.3.2 Configuration procedure ......................................................................................................5-4 5.3.3 Traffic Classification-Based Nested VLAN Configuration Example ..............................5-6 5.4 Adjusting TPID Values for Q-in-Q Packets ..................................................................... 5-8 5.4.1 Configuration Prerequisites .................................................................................................5-8 5.4.2 Configuration Tasks ..............................................................................................................5-9 5.4.3 TPID Value Configuration Example ...................................................................................5-9
ii
Chapter 1 VLAN Configuration

1.1 VLAN Overview
Virtual local area network (VLAN) groups the devices in a LAN logically, not physically, into segments to form virtual workgroups. IEEE issued the IEEE 802.1Q in 1999 to standardize the VLAN implementations. The VLAN technology allows network administrators to logically divide a physical LAN into different broadcast domains or the so-called virtual LANs. Every VLAN contains a group of workstations with the same demands. The workstations, physically separated, are not necessarily on the same physical LAN segment. You can establish VLANs of the following types on switches:
z z z z
Port-based MAC address-based IP multicast-based (A multicast group can be a VLAN.) Network layer-based (A VLAN can be established by the network layer addresses or protocols of the hosts.)
With the VLAN technology, the broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs. This is helpful to control network traffic, save device investment, simplify network management and enhance security.
1.2 Configuring VLAN

Before you can configure a VLAN, create one as required. The following sections describe VLAN configuration tasks:
z z z z z
Creating/Deleting a VLAN Specifying a Description Character String for a VLAN or VLAN interface Naming the Current VLAN Creating/Removing a VLAN Interface Shutting down/Bringing up a VLAN Interface
1.2.1 Creating/Deleting a VLAN

You can use the following commands to create/delete a VLAN. If the VLAN to be created exists, the system will enter the VLAN view directly. Otherwise, the system will create the VLAN first, and then enter the VLAN view. Perform the following configuration in system view.
1-1
Table 1-1 Create/Delete a VLAN or VLANs Operation Create a VLAN and enter the VLAN view Create VLANs in batch Delete an VLAN or VLANs vlan vlan-id vlan vlan-id-list undo vlan { vlan-id [ to vlan-id ] | all } Command
Caution:
z z z z
VLAN 1 is the system-default VLAN and cannot be removed. VLANs with their ports being VLAN VPN-enabled cannot be removed. Guest VLANs cannot be deleted. Protocol-enabled VLANs cannot be deleted.
1.2.2 Specifying a Description Character String for a VLAN or VLAN interface

You can use the following commands to specify a description character string for a VLAN or VLAN interface. Perform the following configuration in VLAN view or VLAN interface view. Table 1-2 Specify a description character string for a VLAN or VLAN interface Operation Specify a description character string for a VLAN or VLAN interface Restore the default description of the current VLAN or VLAN interface Command description string undo description
By default, the description character string of a VLAN is the VLAN ID of the VLAN, such as VLAN 0001. The description character string of a VLAN interface is the VLAN interface name, such as Vlan-interface1 Interface.
1.2.3 Naming the Current VLAN

You can use the following command to name the current VLAN. Perform the following configuration in VLAN view.
1-2
Table 1-3 Name the current VLAN Operation Name the current VLAN Restore the default name of the current VLAN name undo name Command
By default, the name of the current VLAN is its VLAN ID.
1.2.4 Creating/Removing a VLAN Interface

You can use the following commands to create/remove a VLAN interface. To implement the network layer function on a VLAN interface, IP address and mask should be set to the VLAN interface. For corresponding configuration, refer to Network protocol part in this manual. Perform the following configuration in system view. Table 1-4 Create/remove a VLAN interface Operation Create a new VLAN interface and enter the VLAN interface view Remove a specified VLAN interface Command interface vlan-interface vlan-id undo interface vlan-interface vlan-id
Create a VLAN before creating a VLAN interface corresponding to the VLAN.
1.2.5 Shutting down/Bringing up a VLAN Interface

You can use the following commands to shut down/bring up a VLAN interface. Perform the following configuration in VLAN interface view. Table 1-5 Shut down/bring up a VLAN interface Operation Shut down a VLAN interface Bring up a VLAN interface shutdown undo shutdown Command
Shutting down or bringing up a VLAN interface has no effect on the status of any Ethernet port in this VLAN. By default, when all the Ethernet ports in a VLAN are in the Down state, this VLAN interface is also Down. When there are one or more Ethernet ports in the Up state, this VLAN interface is also Up.
1-3
1.3 Configuring Port-Based VLAN

1.3.1 Adding Ethernet Ports to a VLAN
You can use the following commands to add the Ethernet ports to a VLAN. Perform the following configuration in VLAN view. Table 1-6 Add Ethernet ports to a VLAN Operation Add Ethernet ports to a VLAN Remove Ethernet ports from a VLAN Command port interface-list undo port interface-list
By default, the system adds all the ports to a default VLAN whose ID is 1. Note that you can add/remove the trunk and Hybrid ports to/from a VLAN by the port/undo port commands in Ethernet port view, but not in VLAN view.
1.4 Configuring Protocol-Based VLAN

The following sections describe the protocol-based VLAN configuration tasks:
z z
Creating/Deleting a VLAN Protocol Type Associating/Dissociating a Port with/from a Protocol-Based VLAN
1.4.1 Creating/Deleting a VLAN Protocol Type

You can use the following commands to create/delete a VLAN protocol type. Perform the following configuration in VLAN view. Table 1-7 Create/Delete a VLAN protocol type Operation Command protocol-vlan [ protocol-index ] { at | ipx { ethernetii | llc | raw | snap } { ipv4 ip-address [ net-mask ] | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } } undo protocol-vlan protocol-end ] | all } { protocol-index [ to
Create a VLAN protocol type
Delete an existing protocol type
VLAN
1.4.2 Associating/Dissociating a Port with/from a Protocol-Based VLAN

Perform the following configuration in Ethernet port view.
1-4
Table 1-8 Associate/Dissociate a port with/from a protocol-based VLAN Operation Associate a port protocol-based VLAN with a Command port hybrid protocol-vlan vlan vlan-id { vlan-protocol-list | all } undo port hybrid protocol-vlan vlan { vlan-id { vlan-protocol-list | all } | all }
Remove a port from a protocol-based VLAN
Note:
z
The port to be associated with a protocol-based VLAN must be of Hybrid type and in this VLAN. The same protocol can be configured in the different VLANs, but cannot be configured repeatedly in the same VLAN. A port cannot be associated with different VLANs with the same protocols configured. You cannot delete a protocol-based VLAN that has ports associated with. You cannot delete a protocol-based VLAN on a port while the port is associated with the VLAN.
z z
1.5 Configure the CPU Port in an VLAN

The CPU is a special port in the S9500 series routing switches. By default, because the CPU port is in a VLAN, when common broadcast packets and unknown multicast packets are broadcast within a VLAN, these packets will also be broadcast to the CPU. To prevent waste of CPU resources, you can move the CPU port out of the VLAN, so that common broadcast packets and unknown multicast packets will not be handed to the CPU for processing. You can use the following command to move the CPU port out of the VLAN. Perform the following configuration in VLAN view. Table 1-9 Move the CPU port out of/into the VLAN Operation Move the CPU port out of the VLAN Move the CPU port into the VLAN Command trap-to-cpu disable undo trap-to-cpu disable
By default, the CPU port is in the VLAN. You can also move the CPU ports out of/into all the VLANs at a time. Perform the following configuration in system view.
1-5
Table 1-10 Move the CPU port out of/into the specified VLANs Operation Move the CPU port out of the specified VLANs Move the CPU port into the specified VLANs Command trap-to-cpu disable vlan { vlan_list | all } undo trap-to-cpu { vlan_list | all } disable vlan
1.6 Displaying and Debugging a VLAN

After the above configuration, execute the display command in any view to display the running of the VLAN configuration, and to verify the configuration. Table 1-11 Display and Debug a VLAN Operation Display the related information about the VLAN interface Display the related information about the VLAN Display the protocol information and protocol index configured on the specified VLAN Display the protocol information and protocol index configured on the specified port Display information about CPU port in a VLAN display [ vlan-id ] Command interface vlan-interface
display vlan[ vlan-id to vlan-id | all | static | dynamic ] display protocol-vlan vlan { vlan-list | all } display protocol-vlan { interface-list | all } display trap-to-cpu interface
1.7 VLAN Configuration Example

I. Network requirements
z z z
Create VLAN 2 and VLAN 3. Add Ethernet3/1/1 and Ethernet4/1/1 to VLAN 2. Add Ethernet3/1/2 and Ethernet4/1/2 to VLAN 3.
1-6
II. Network diagram

Switch
E3/1/1 E4/1/1
E3/1/2 E4/1/2
VLAN 2
VLAN 3
Figure 1-1 Network diagram for VLAN configuration
III. Configuration procedure

# Create VLAN 2 and enter its view.
[H3C] vlan 2
# Add Ethernet3/1/1 and Ethernet4/1/1 to VLAN 2.

[H3C-vlan2] port ethernet3/1/1 ethernet4/1/1
# Create VLAN 3 and enters its view.

[H3C-vlan2] vlan 3
# Add Ethernet3/1/2 and Ethernet4/1/2 to VLAN 3.

[H3C-vlan3] port ethernet3/1/2 ethernet4/1/2
1-7
Chapter 2 GARP/GVRP Configuration

2.1 Configuring GARP
2.1.1 GARP Overview
Generic attribute registration protocol (GARP) offers a mechanism that is used by the members in the same switching network to distribute, propagate and register such information as VLAN and multicast addresses. GARP dose not exist in a switch as an entity. A GARP participant is called GARP application. The main GARP applications at present are GVRP (GARP VLAN registration protocol) and GMRP. When a GARP participant is on a port of the switch, this port corresponds to a GARP participant. The GARP mechanism enables the configuration information on one GARP member to be propagated rapidly across the whole switching network. A GARP member can be a terminal workstation or a bridge. The GARP member can notify other members to register or remove its attribute information by sending declarations or withdrawing declarations. It can also register or remove the attribute information of other GARP members according to the received declarations/withdrawn declarations. GARP members exchange information by sending messages. There are mainly three types of GARP messages, Join, Leave, and LeaveAll. When a GARP participant wants to register its attribute information with other switches, it sends the Join message outward. When it wants to remove some attribute information from other switches, it sends the Leave message. The LeaveAll timer is started simultaneously when each GARP participant is enabled and the LeaveAll message is sent upon expiration. The Join and Leave messages cooperate to ensure the logout and the re-registration of a message. The message exchange enables all the to-be-registered attribute information to be propagated to all the switches across the same switching network. The destination MAC addresses of the packets of the GARP participants are specific multicast MAC addresses. A GARP-supporting switch classifies the packets received from the GARP participants and processes them with corresponding GARP applications (GVRP or GMRP). GARP and GMRP are described in details in the IEEE 802.1P standard (which has been added to the IEEE802.1D standard). H3C series switches fully support the GARP compliant with the IEEE standards. The following section describes the GARP configuration task:
z
Setting the GARP Timer
2-1
Note:
z
The value of GARP timer will be used in all the GARP applications, including GVRP and GMRP, running in one switched network. In one switched network, the GARP timers on all the switching devices should be set to the same value. Otherwise, GARP application cannot work normally.
2.1.2 Setting the GARP Timer

GARP timers include Hold timer, Join timer, Leave timer and LeaveAll timer. The GARP participant sends the Join Message regularly when Join timer times out so that other GARP participants can register its attribute values. When the GARP participant wants to remove some attribute values, it sends the Leave Message. The GARP participant that receives the message starts the Leave timer. If the Join Message is not received again before the Leave timer expires, the GARP attribute values are removed LeaveAll timer is started as soon as the GARP participant is enabled. The LeaveAll message is sent upon timeout so that other GARP participants remove all the attribute values of this participant. Then, LeaveAll timer is restarted and a new cycle begins. When the switch receives some GARP registration information, it does not send the Join Message immediately. Instead, it enables a Hold timer and sends the Join Message upon timeout of the Hold timer. In this way, all the VLAN registration information received within the time specified by the Hold timer can be sent in one frame so as to save the bandwidth resources. Configure Hold timer, Join timer and Leave timer in Ethernet port view. Configure LeaveAll timer in system view. Table 2-1 Set the GARP timer Operation Set GARP Hold timer, Join timer and Leave timer Set GARP LeaveAll timer Restore the default settings of GARP Hold timer, Join timer and Leave timer Restore the default settings of GARP LeaveAll timer Command garp timer { hold | join | leave } timer-value garp timer leaveall timer-value undo garp timer { hold | join | leave } undo garp timer leaveall
By default, Hold timer is 10 centiseconds, Join timer is 20 centiseconds, Leave timer is 60 centiseconds, and LeaveAll timer is 1000 centiseconds.
2-2
Note that, the value of Join timer should be no less than the doubled value of Hold timer, and the value of Leave timer should be greater than the doubled value of Join timer and smaller than the Leaveall timer value. Besides, you must set the value of the Join timer in terms of 5 centiseconds. Otherwise, the system will prompt message of error. The value range of a timer varies with the values of other timers. So if the value of a timer you want to set is not within the available value range, you can change the value range by changing the values of other related timers.
z
The lower limit of Hold timer is 10 centiseconds. You can change its upper limit by changing the value of Join timer. You can change the lower limit and upper limit of Join timer by changing the value of Hold timer and Leave timer respectively. You can change the lower limit and upper limit of Leave timer by changing the value of Join timer and LeaveAll timer respectively. The upper limit of LeaveAll timer is 32765 centiseconds. You can change its lower limit by changing the value of Leave timer.
2.1.3 Displaying and Debugging GARP

After the above configuration, execute the display command in any view to display the running of GARP configuration, and to verify the configuration. Execute the reset command in user view to reset the configuration of GARP. Execute the debugging command in user view to debug the configuration of GARP. Table 2-2 Display and debug GARP Operation Display GARP information Display GARP timer Clear GARP statistics information Enable GARP event debugging Disable GARP event debugging statistics display garp interface-list ] Command statistics [ interface
display garp timer [ interface interface-list ] reset garp interface-list ] statistics [ interface
debugging garp event undo debugging garp event
2.2 Configuring GVRP

2.2.1 GVRP Overview
GARP VLAN Registration Protocol (GVRP) is a GARP application. Based on GARP operating mechanism, GVRP provides maintenance of the dynamic VLAN registration information in the switch and propagates the information to other switches. All the GVRP-supporting switches can receive VLAN registration information from other
2-3
switches and dynamically update the local VLAN registration information including the active members and through which port those members can be reached. All the GVRP-supporting switches can propagate their local VLAN registration information to other switches so that the VLAN information can be consistent on all GVRP-supporting devices in one switching network. The VLAN registration information propagated by GVRP includes both the local static registration information configured manually and the dynamic registration information from other switches. GVRP is described in details in the IEEE 802.1Q standard. H3C series switches fully support the GARP compliant with the IEEE standards. Main GVRP configuration includes:
z z z
Enabling/Disabling Global GVRP Enabling/Disabling Port GVRP Setting the GVRP Registration Type
In the above-mentioned configuration tasks, GVRP should be enabled globally before it is enabled on the port. Configuration of GVRP registration type can only take effect after the port GVRP is enabled. Besides, GVRP must be configured on the Trunk port.
Note:
z
When you configure an aggregation group, the GVRP feature configured on the master port is unchanged, but that on the slave port is disabled. When you add a port to an existing aggregation group, the GVRP feature on the port is disabled. When the master port leaves an aggregation group, the GVRP feature on both the group and port is unchanged; when a slave port leaves an aggregation group, the GVRP feature on the port is disabled.
When you configure GVRP feature on any port in an aggregation group, the configuration is mapped to the master port of the group. When you query the GVRP feature configured on any port in an aggregation group, the returned result is about the master port of the group.
2.2.2 Enabling/Disabling Global GVRP

You can use the following command to enable/disable global GVRP. Perform the following configurations in system view.
2-4
Table 2-3 Enable/disable global GVRP Operation Enable global GVRP Disable global GVRP gvrp undo gvrp Command
By default, global GVRP is disabled.
2.2.3 Enabling/Disabling Port GVRP

You can use the following command to enable/disable the GVRP on a port. Perform the following configurations in Ethernet port view. Table 2-4 Enable/disable port GVRP Operation Enable port GVRP Disable port GVRP gvrp undo gvrp Command
GVRP should be enabled globally before it is enabled on the port. The GVRP can be enabled/disabled only on Trunk ports. By default, port GVRP is disabled.
2.2.4 Setting the GVRP Registration Type

The GVRP registration types include normal, fixed and forbidden (refer to IEEE 802.1Q).
z
When an Ethernet port is set to be in normal registration mode, the dynamic and manual creation, registration and deregistration of VLAN are allowed on this port. When a Trunk port is set to be in fixed mode, the port is not allowed to dynamically register/deregister a VLAN, it only propagates information about static VLANs that are manually configured instead of that of dynamic VLANs. That is, a Trunk port that is of fixed type only permits manually configured VLANs even you configure it to permit all VLANs.
When an Ethernet port is set to be in forbidden registration mode, all the VLANs except VLAN1 will be deregistered and no other VLANs can be created and registered on this port.
Perform the following configuration in Ethernet port view.
2-5
Table 2-5 Set the GVRP registration type Operation Set GVRP registration type Restore the default GVRP registration type Command gvrp registration { normal | fixed | forbidden } undo gvrp registration
By default, GVRP registration type is normal.
2.2.5 Displaying and Debugging GVRP

After the above configuration, execute the display command in any view to display the running of GVRP configuration, and to verify the configuration. Execute the debugging command in user view to debug the configuration of GVRP. Table 2-6 Display and debug GVRP Operation Display GVRP statistics information Display GVRP global status information Enable GVRP debugging Disable GVRP debugging packet packet or or event event Command display gvrp statistics [ interface interface-list ] display gvrp status debugging gvrp { packet | event} undo debugging gvrp { packet | event }
2.2.6 GVRP Configuration Example

To dynamically register and update VLAN information among switches, GVRP needs to be enabled on the switches.
II. Network diagram

E3/1/1 E4/1/1 Switch B
Switch A
Figure 2-1 GVRP configuration example

Configure Switch A:
2-6
# Enable GVRP globally.

[H3C] gvrp
# Set Ethernet3/1/1 as a Trunk port and allows all the VLANs to pass through.
[H3C] interface ethernet3/1/1 [H3C-Ethernet3/1/1] port link-type trunk [H3C-Ethernet3/1/1] port trunk permit vlan all
# Enable GVRP on the Trunk port.

[H3C-Ethernet3/1/1] gvrp
Configure Switch B: # Enable GVRP globally.

[H3C] gvrp
# Set Ethernet4/1/1 as a Trunk port and allows all the VLANs to pass through.
[H3C] interface ethernet4/1/1 [H3C-Ethernet4/1/1] port link-type trunk [H3C-Ethernet4/1/1] port trunk permit vlan all
# Enable GVRP on the Trunk port.

[H3C-Ethernet4/1/1] gvrp
2-7
Chapter 3 Super VLAN Configuration

3.1 Super VLAN Overview
Super VLAN is also called VLAN aggregation. The following is the fundamental principle: A super VLAN contains multiple sub VLANs. A super VLAN can be configured with an IP address of the virtual port, while a sub VLAN cannot be configured with the IP address of the virtual port. Each sub VLAN is a broadcast domain. Different sub VLANs are isolated at Layer 2. When users in a sub VLAN need to communicate with each other, they use the IP address of the virtual interface of the super VLAN as the IP address of the gateway. The IP address is shared by multiple VLANs. Therefore IP addresses are saved. If different sub VLANs want to communicate with one another at Layer 3, or a sub VLAN communicates with other networks, you can enable ARP proxy. The address resolution protocol (ARP) proxy can forward and process ARP request and response packets so that the isolated sub VLANs can communicate with each other at Layer 3. By default, ARP proxy is disabled in a sub VLAN.
3.2 Configuring a Super VLAN

Super VLAN configuration includes:
z z z z
Configure a VLAN to be a super VLAN Configure sub VLANs Establish mappings between the super VLAN and the sub VLANs Enable ARP proxy for the sub VLANs
3.2.1 Configuration Tasks
Note:
z
You can configure multiple super VLANs for a switch. The configured VLAN port and IP address configurations are the same as common VLAN configurations. A sub VLAN configuration is the same as a common VLAN configuration. The following table describes the specific commands to configure a sub VLAN. For detailed information, refer to Chapter 1 VLAN Configuration.
You can configure a super VLAN as follows:
3-1
Table 3-1 Configure a super VLAN Operation Enter system view Enter VLAN view Set the VLAN type to super VLAN Exit from VLAN view Super Command system-view vlan vlan-id supervlan Required Required. The VLAN-ID is the configured VLAN ID in the range 1 to 4094. Description
quit
Create a sub VLAN and enter sub VLAN view Add Ethernet ports to sub a VLAN Exit from Sub VLAN view Enter Super VLAN view Configure the mapping relation between super VLAN and sub VLANs Enable ARP proxy for the sub VLAN Display configuration information
vlan vlan-id
Required
port interface-list quit vlan vlan-id
Optional -
subvlan sub-vlan-list
Required.
arp proxy enable
Optional. This command is necessary for multiple sub VLANs to communicate with one another. vlan Optional. You can execute the display super vlan command in any view.
display super [ supervlan-id ]
3-2
Caution:
z z
A Super VLAN cannot contain ports. After you set the VLAN type to super VLAN, the ARP proxy is automatically enabled on the VLAN port, and you do not need to configure the proxy. When a super VLAN exists, the ARP proxy should be enabled on the corresponding VLAN port. The default VLAN cannot be set to a super VLAN. You can add multiple ports (non-uplink port) to each sub VLAN. You cannot configure a virtual port for a sub VLAN. If the undo subvlan command does not include vlan-id, the mapping relationship between all sub VLANs and specified super VLANs is removed; if the undo subvlan command includes vlan-id, the mapping relationship between the specified sub VLANs and specified super VLANs is removed.
z z z z
In Super VLAN configuration, do not enable multicast VLAN and IGMP-snooping.
3.2.2 Super VLAN Configuration Example

Super VLAN 10 and sub VLANs VLAN 2, VLAN 3 and VLAN 5 need to be created. VLAN 2 contains ports 1 and 2; VLAN 3 contains ports 3 and 4; VLAN 5 contains ports 5 and 6. These sub VLANs are isolated at Layer 2. It is required that these sub VLANs communicate with one another at Layer 3.
II. Network diagram

Omitted

<H3C>system-view System View: return to User View with Ctrl+Z. [H3C] vlan 10 [H3C-vlan10] supervlan [H3C-vlan10] vlan 2 [H3C-vlan2] port ethernet3/1/1ethernet3/1/2 [H3C-vlan2]arp proxy enable [H3C-vlan2] vlan 3 [H3C-vlan3] port Ethernet3/1/3 ethernet3/1/4 [H3C-vlan3]arp proxy enable [H3C-vlan3] vlan 5 [H3C-vlan5] port ethernet3/1/5 ethernet3/1/6
3-3

[H3C-vlan5]arp proxy enable [H3C-vlan5] vlan 10 [H3C-vlan10] subvlan 2 3 5 [H3C-vlan10] interface vlan 10
[H3C-Vlan-interface10] ip address 10.110.1.1 255.255.255.0
3-4
Chapter 4 Isolate-user-VLAN Configuration

4.1 Isolate-user-VLAN Overview
Isolate-user-VLAN can save the VLAN resource in a network. It adopts the two-level VLAN architecture. One level is isolate-user-VLAN level, and the other is Secondary VLAN level, as shown in Figure 4-1.
z
An isolate-user-VLAN corresponds to multiple Secondary VLANs. It contains all the ports and upstream ports of the corresponding Secondary VLANs. In this way, a switch that is of upper level only needs recognizing the isolate-user-VLANs of the downstream switch instead of the Secondary VLANs, thereby streamlining the configuration and saving the VLAN source.
You can use isolate-user-VLAN to implement the isolation of the Layer-2 packets by assigning a Secondary VLAN for each user, with each of the Secondary VLANs containing the ports and the upstream ports connected to the user. You can configure the ports connected to different users to be of the same Secondary VLAN to enable these users to communicate with each other on Layer 2.
VLAN 5 (isolate-user-vlan) VLAN 6 (isolate-user-vlan)
VLAN 3 (Secondary VLAN ) VLAN 3 VLAN 2 (Secondary VLAN ) (Secondary VLAN )
VLAN 4 (Secondary VLAN )
Figure 4-1 Isolate-user-VLANs and Secondary VLANs
4.2 Configuration Tasks

Table 4-1 Isolate-user-VLAN configuration tasks Configuration tasks Configure an isolate-user-VLAN Configure Secondary VLAN Configure the mapping relationship between isolate-user-VLANs and Secondary VLANs Description Required Required Required Detailed configuration Refer to section 4.2.1 Refer to section 4.2.2 Refer to section 4.2.3
4-1
4.2.1 Configuring an isolate-user-VLAN

Table 4-2 Configure an isolate-user-VLAN Operation Enter system view Create a VLAN Configure the VLAN as an isolate-user-VLAN Command system-view vlan vlan-id isolate-user-vlan enable Required Required You cannot configure VLAN 1 as an isolate-user-VLAN Optional Add ports to the isolate-user-VLAN port interface-list An isolate-user-VLAN can contain multiple ports, including upstream ports connecting to other switches. However the contained ports can only be access or hybrid ports, not trunk ports. Description
4.2.2 Configuring a Secondary VLAN

Table 4-3 Configure a Secondary VLAN Operation Enter system view Create a VLAN as a Secondary VLAN Command system-view vlan vlan-id Required You cannot configure VLAN 1 as a Secondary VLAN. Optional port interface-list You can add multiple ports (not uplink ports) to a Secondary VLAN. Description
Add ports to the Secondary VLAN
4-2
Note:
z z z z
An isolate-user-VLAN can correspond to up to 64 Secondary VLANs. You can configure up to 32 isolate-user-VLANs for a system. You can configure up to 1,024 Secondary VLANs for a system. You cannot configure the same MAC address in a Secondary VLAN corresponding to an isolate-user-VLAN. If a VLAN is an isolate-user-VLAN or a Secondary VLAN, you cannot configure vlan-interface; a VLAN configured with vlan-interface cannot be configured as an isolate-user-VLAN or a Secondary VLAN.
4.2.3 Mapping an isolate-user-vlan to Secondary VLANs

Table 4-4 Map an isolate-user-VLAN to secondary VLANs Operation Enter system view Map an isolate-user-VLAN to secondary VLANs system-view isolate-user-vlan isolate-user-vlan-num secondary secondary-vlan-numlist [ to secondary-vlan-numlist ] Command Required Description
I. Note the following when mapping an isolate-user-vlan to Secondary VLANs

1)
z
If the isolate-user-VLAN contains ports For hybrid ports, if the default port VLAN ID is the same as the isolate-user-VLAN ID, and the port joins the isolate-user-VLAN in the Untagged mode, all the hybrid ports meeting the requirements will join the Secondary VLAN in the Untagged mode simultaneously. For those not meeting the requirements, no other processing will be made.
For an access port, the system will set the port as a hybrid port and set the default port VLAN ID and isolate-user-VLAN ID to be the same. Moreover, the port joins the isolate-user-VLAN and Secondary VLAN in the Untagged mode.
2)
z
If the Secondary VLAN contains ports For a hybrid port, if the default port VLAN ID is the same as the Secondary VLAN ID, and the port joins the Secondary VLAN in the Untagged mode, all the hybrid ports meeting the requirements will join the isolate-user-VLAN in the Untagged mode simultaneously. For those not meeting the requirements, no other processing will be made.
For an access port, the system will set the port as a hybrid port and set the default port VLAN ID and Secondary VLAN ID to be the same. Moreover, the port joins the isolate-user-VLAN and Secondary VLAN in the Untagged mode.
4-3
II. Note the following after mapping an isolate-user-VLAN to a Secondary VLAN

z
Trunk ports and access ports cannot join an isolate-user-VLAN or Secondary VLAN. Hybrid ports can join or exit from an isolate-user-VLAN and Secondary VLAN.
Note:
z
You cannot directly set an isolate-user-VLAN or Secondary VLAN as other type of VLAN than common VLAN, such as multicast VLAN, Super/Sub VLAN, Guest VLAN or VLAN running L2VPN services.
When you set a common VLAN as an isolate-user-VLAN or Secondary VLAN, the VLAN cannot contain trunk ports.
4.3 Displaying and Debugging an isolate-user-VLAN

After the above configuration, execute display command in any view to display the running of the isolate-user-VLAN configuration, and to verify the effect of the configuration. Table 4-5 Display and debug isolate-user-VLAN Operation Display the mapping relationship between the isolate-user-vlan and Secondary VLAN Command display isolate-user-vlan [ isolate-user-vlan-num ]
4.4 Isolate-user-VLAN Configuration Example

Switch A is connected to Switch B and Switch C in the downstream. 1) On Switch B
VLAN 5 is an isolate-user-VLAN, including an upstream port (Ethernet2/1/1 port) and two Secondary VLANs, VLAN2 and VLAN3. VLAN 2 includes Ethernet2/1/2 port and VLAN 3 includes Ethernet2/1/3 port. 2) On Switch C
VLAN 6 is an isolate-user-VLAN including an upstream port (Ethernet2/1/1 port) and two Secondary VLANs: VLAN3 and VLAN4. VLAN3 includes Ethernet2/1/3 port and VLAN4 includes Ethernet2/1/4 port.
4-4
Seen from the Switch A, either Switch B or Switch C carries one VLAN, VLAN 5 and VLAN 6 respectively.
II. Network diagram

Switch A vlan 6
vlan 5
E2/1/1 Switch B E2/1/3 E2/1/2 vlan 3 vlan 2 E2/1/3
E2/1/1 Switch C E2/1/4 vlan 3 vlan 4
Figure 4-2 Network diagram for isolate-user-VLAN

Only the configurations on the Switch B and Switch C are listed below. 1) Configuration on Switch B
# Configure an isolate-user-VLAN.
<H3C>system-view [H3C] vlan 5 [H3C-vlan5] isolate-user-vlan enable [H3C-vlan5] port ethernet2/1/1
# Configure Secondary VLANs.

[H3C-vlan5] vlan 3 [H3C-vlan3] port ethernet2/1/3 [H3C-vlan3] vlan 2 [H3C-vlan2] port ethernet2/1/2
# Configure the mapping relationship between the isolate-user-VLAN and the Secondary VLANs.
[H3C-vlan2] quit [H3C] isolate-user-vlan 5 secondary 2 to 3
2)
Configuration on Switch C
# Configure an isolate-user-VLAN.
<H3C>system-view [H3C] vlan 6 [H3C-vlan6] isolate-user-vlan enable [H3C-vlan6] port ethernet2/1/1
# Configure Secondary VLANs.
4-5

[H3C-vlan6] vlan 3 [H3C-vlan3] port ethernet2/1/3 [H3C-vlan3] vlan 4 [H3C-vlan4] port ethernet2/1/4
# Configure the mapping relationship between the isolate-user-VLAN and the Secondary VLANs.
[H3C-vlan4] quit [H3C] isolate-user-vlan 6 secondary 3 to 4
4-6
Chapter 5 Q-in-Q Configuration

5.1 Q-in-Q Overview
5.1.1 Introduction to Q-in-Q
Q-in-Q refers to the technology that enables packets to be transmitted across the operators backbone networks with VLAN tags of private networks nested in those of public networks. In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of public networks). And those of private networks, which are nested in the VLAN tags of public networks, remain intact. Figure 5-1 describes the structure of the packets with single VLAN tags.
DA (6B) SA (6B) ETYPE(8100) User VLAN TAG (2B) (2B) ETYPE (2B) DATA (0-1500B) FCS (4B)
Figure 5-1 Structure of packets with private network VLAN tags Figure 5-2 describes the structure of the packets with nested VLAN tags.
DA (6B) SA (6B) ETY PE (2B) Nested VLAN TAG (2B) ETY PE (2B) User VLAN TAG ETY PE (2B) (2B) DATA (0~1500 B) FCS (4B)
Figure 5-2 Structure of packets with nested VLAN tags Compared with MPLS-based L2VPN, Q-in-Q has the following features:
z z
Layer 2 VPN tunnels that are simpler. Q-in-Q can be implemented without the support of signaling protocols. You can enable Q-in-Q by static configuring.
As Q-in-Q is implemented through trunk port defined in 802.1Q, all devices along tunnels with Q-in-Q employed must be 802.1Q-enabled. Therefore, Q-in-Q is suitable for small-sized metropolitan area networks (MANs) or intranets with Layer 3 switches operate as the core layer devices. Q-in-Q provides you with the following benefits:
z z
Saves public network VLAN IDs. You can have VLAN IDs of your own, which do not conflict with public network VLAN IDs. Provide simple Layer 2 VPN solutions for small-sized MANs or intranets.
5-1
5.1.2 Implementation of Q-in-Q

Q-in-Q can be implemented on S9500 series switches in the following two ways: 1) Enabling VLAN VPN feature on ports
With VLAN VPN enabled, a received packet is tagged with the default VLAN tag of the port no matter whether or not the packet carries a VLAN tag. Thus, if the packet already contains a tag, it will carry two tags; otherwise, the packet will carry the default VLAN tag. 2) Configuring traffic classification-based nested VLANs
You can implement Q-in-Q in a more flexible way by configuring traffic classification-based nested VLANs. You can specify to perform the following operations on packets that match specified ACL rules:
z z
Setting the outer VLAN tags Modifying the outer VLAN tags
5.1.3 Adjusting TPID Values of Q-in-Q Packets

Tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of TPID to be 0x8100. The structure of the Tag field of an Ethernet frame defined by IEEE 802.1Q is as follows:
6 bytes DA 6 bytes SA 4 bytes Tag 46 ~1500 bytes Frame Load 4 bytes FCS
TPID 2 bytes
User Priority CFI 3 bits 1bit
VLAN ID 12 bits
Figure 5-3 The structure of the Tag field of an Ethernet frame By default, a S9500 series switch uses 0x8100 as the value of the TPID field, which is defined by IEEE 802.1Q. But S9500 series switches can also adjust the TPID values of Q-in-Q packets. This ensures S9500 series switches are compatible with devices coming from other vendors even through the later use other TPID values (such as 0x9100 or 0x9200) in the outer tags of Q-in-Q packets. To modify the TPID values of packets, you need to set the ports connecting to the public networks to be VLAN-VPN uplink ports, whose TPID value can be configured by users. After you configure a TPID value for a VLAN-VPN uplink port, the switch substitutes the new TPID values for those VLAN-VPN uplink ports in the outer tags carried by received
5-2
packets before transmitting the packet through the VLAN-VPN uplink ports to enable these packets to be accepted by devices of other vendors.
5.2 Configuration of VLAN VPN Feature on a Port

5.2.1 Configuration Prerequisites
z
GARP VLAN registration protocol (GVRP), spanning tree protocol (STP), and 802.1x protocol are disabled on the ports. IGMP Snooping is disabled in the VLAN to which the port belongs. IGMP is disabled in the VLAN interface to which the port belongs. This port must be an access port.
z z z
5.2.2 Configuration procedure

Table 5-1 Configure VLAN VPN for a port Configuration step Enter system view Enter view Ethernet port Command system-view interface interface-type interface-number By default, VLAN VPN is disabled on a port. Enable VLAN VPN vlan-vpn enable The port for which you enable VLAN VPN must be an Access port. Displayed information includes the current TPID value, VLAN-VPN port information, VLAN-VPN uplink port information. Description
Display VLAN VPN configuration information about all ports in the system
display port vlan-vpn
5-3
Caution:
z
VLAN VPN cannot be enabled if the port has any of the protocol among GVRP, STP, and 802.1x enabled. VLAN VPN cannot be enabled on a port if the VLAN which the port belongs to has IGMP Snooping enabled or its VLAN interface has IGMP enabled. Similarly, if a port is VLAN VPN-enabled, you cannot enable IGMP Snooping in the VLAN to which the port belongs or enable IGMP on the VLAN interface of the VLAN.
If a VLAN VPNenabled port is to be added into a VLAN, IGMP Snooping cannot be enabled on this VLAN, and IGMP cannot be enabled on its VLAN interface. If you have enabled VLAN VPN for the ports in the VLAN, the VLAN cannot be removed.
5.3 Traffic ClassificationBased Nested VLAN Configuration

5.3.1 Configuration prerequisites
z z
ACLs and corresponding rules to be applied already exist. The VLANs to be specified by the nested-vlanid argument already exist.
5.3.2 Configuration procedure

Table 5-2 Configure traffic classification-based nest vlan Configuration step Enter system view Enter Ethernet port view or port group view Command system-view interface interface-type interface-number or port-group index Description
5-4
Configuration step Deliver a Layer 3 traffic classification rule Deliver both Layer 2 and Layer 3 traffic classification rules Deliver a Layer 2 traffic classification rule Deliver a Layer 3 traffic classification rule Modify outer VLAN tags for the packets matching the ACL flow rules Deliver both Layer 2 and Layer 3 traffic classification rules Deliver a Layer 2 traffic classification rule
Command traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] nested-vlan nested-vlanid traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number | acl-name } [ rule rule ] nested-vlan nested-vlanid traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] nested-vlan nested-vlanid traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] modified-vlan modified-vlanid traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number | acl-name } [ rule rule ] modified-vlan modified-vlanid traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] modified-vlan modified-vlanid
Description
Set outer VLAN tags for the packets matching the ACL rules
The VLAN specified by nested-vlanid must exist; otherwise the packets will be discarded as then cannot find an egress.
This command modifies the outer VLAN tag of the packets.
Caution:
At present, only LSB1GP24D, LSB1GT24D and LSB1GV48D cards support the traffic-redirect { nested-vlan | modified-vlan } command..
5-5
5.3.3 Traffic Classification-Based Nested VLAN Configuration Example

z z z z
Switch A, Switch B and Switch C are S9500 routing switches. User networks are connected to Switch A and Switch C respectively. Switch B only permits packets of VLAN 11. Non-VLAN 11 packets can be exchange between Switch A and Switch C, and VLAN 10 packets can be exchange between the networks connected to the switches.
Note:
Assume that LSB1GP24D cards are installed in the slot 2 of Switch A and Switch C. And a card with any type of GE port is installed in slot 3 of Switch B.
II. Network diagram

GE2/1/1 (access VLAN 10) SwitchA GE2/1/2 (trunk permit VLAN 10,11)
GE3/1/2 (hybrid permit VLAN 11 untagged) SwitchB GE3/1/1 (hybrid permit VLAN 11 untagged)
GE2/1/2 (trunk permit VLAN 10,11) SwitchC GE2/1/1 (access VLAN 10)
Figure 5-4 Network diagram for traffic classification-based nested VLAN configuration

1) Configure Switch A and Switch C. The following is the configuration performed on Switch A. The configuration performed on Switch C is the same and thus is omitted. # Define ACLs and rules.
<SwitchA>system-view
5-6

System View: return to User View with Ctrl+Z. [SwitchA]vlan 11 [SwitchA-vlan11]quit [SwitchA]flow-template user-defined slot 2 vlanid [SwitchA]acl number 4000 [SwitchA-acl-link-4000]rule 0 permit ingress 10 [SwitchA-acl-link-4000]quit
# Configure the GigabitEthernet2/1/1 port.

[SwitchA]interface GigabitEthernet2/1/1 [SwitchA-GigabitEthernet2/1/1]port access vlan 10 [SwitchA-GigabitEthernet2/1/1]traffic-redirect inbound link-group 4000 rule 0 nested-vlan 11 [SwitchA-GigabitEthernet2/1/1]quit
# Configure GigabitEthernet2/1/2 port.

[SwitchA]interface GigabitEthernet2/1/2 [SwitchA-GigabitEthernet2/1/2]port link-type trunk [SwitchA-GigabitEthernet2/1/2]port trunk permit vlan 10 to 11
2)
Configure Switch B.

<SwitchB>system-view System View: return to User View with Ctrl+Z. [SwitchB]vlan 11 [SwitchB-vlan11]quit [SwitchB]interface GigabitEthernet3/1/1 [SwitchB-GigabitEthernet3/1/1]port link-type hybrid [SwitchB-GigabitEthernet3/1/1]port hybrid vlan 11 untagged [SwitchB-GigabitEthernet3/1/1]quit

[SwitchB]interface GigabitEthernet3/1/2 [SwitchB-GigabitEthernet3/1/2]port link-type hybrid [SwitchB-GigabitEthernet3/1/2]port hybrid vlan 11 untagged
5-7
Note:
Following describes how a packet is forwarded from Switch A to Switch C. z As packets sourced from VLAN 10 match rule 0 of the ACL 4000 configured on Switch A, a packet of this type is tagged with two VLAN tags when it flow in the GigabitEthernet2/1/1 port of Switch A. The outer VLAN tag is of VLAN 11 and the nested VLAN tag is of VLAN 10. z Switch A then forwards the tagged packet to Switch B through its GigabitEthernet2/1/2 port. z After receiving the packet through its GigabitEthernet3/1/2 port, Switch B forwards the packet in VLAN 11. As the GigabitEthernet3/1/1 port of Switch B, which is of hybrid type, belongs to VLAN 11 and VLAN 11 is configured as untagged on the port, switch B strip off the outer VLAN tag of the packet (the VALN tag of VLAN 11) when sending the packet through its GigabitEthernet3/1/1 port. z So the packet only carries one VLAN tag (VLAN tag of VLAN 10) with it when entering the GigabitEthernet2/1/2 port of Switch C, Switch C then sends the packet to its GigabitEthernet2/1/1 port by forwarding the packet in VLAN 10. It is the same case when forwarding a packet from Switch C to Switch A.
IV. Verification
The configuration is successful if packets sourced from the networks connected to Switch A can reach those connected to Switch C, or packets sourced from the networks connected to Switch C can reach those connected to Switch A.
5.4 Adjusting TPID Values for Q-in-Q Packets

5.4.1 Configuration Prerequisites
As VLAN-VPN uplink ports often works with the VLAN VPN ports, to enable a VLAN-VPN uplink port, make sure that VLAN VPN is not enabled on the port.
5-8
5.4.2 Configuration Tasks

Table 5-3 Adjust TPID values for Q-in-Q packets Configuration step Enter system view Command system-view The value argument ranges from 1 to 0xFFFF and defaults to 0x8100. vlan-vpn tpid value Do not set the TPID value to a value that causes conflicts, such as that of known protocol type. By default, a port is not a VLAN-VPN uplink port. Information about the current TPID value, VLAN-VPN ports and VLAN-VPN uplink ports is display. Description
Set a TPID value for the port
Enter Ethernet port view Set the port to be a VLAN-VPN uplink port. Display VLAN VPN configuration information about all ports in the system
interface interface-type interface-number vlan-vpn uplink enable
display port vlan-vpn
Caution:
z
At present, LSB1XP4 and LSB1TGX1 cards do not support the vlan-vpn uplink enable command. The vlan-vpn uplink enable and the vlan-vpn enable command are mutual exclusive. That is, if you execute the vlan-vpn enable command on a port, you will fail to execute the vlan-vpn uplink enable command on the same port; if you execute the vlan-vpn uplink enable command on a port, you will fail to execute the vlan-vpn enable command on the same port.
5.4.3 TPID Value Configuration Example

z
Switch A and Switch C are S9500 series switches. Switch B is a switch produced by other vendor. It uses TPID value of 0x9100. Two networks are connected to the GigabitEthernet2/1/1 ports of Switch A and Switch C respectively. Switch B only permits packets of VLAN 10.
5-9

z
It is desired that packets of VLANs other than VLAN 10 can be exchanged between the networks connected to Switch A and Switch C.
II. Network diagram

GE2/1/1 (access VLAN 10, VLAN VPN port) Switch A GE2/1/2 (trunk permit VLAN 10, VLAN-VPN uplink port)
GE3/1/2 (trunk permit VLAN 10 and TPID is 0x9100) Switch B GE3/1/1 (trunk permit VLAN 10 and TPID is 0x9100)
GE2/1/2 (trunk permit VLAN 10, VLAN-VPN uplink port) Switch C GE2/1/1 (access VLAN 10, VLAN VPN port)
Figure 5-5 Network diagram for adjusting TPID values
III. Configuration Procedure

1) Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, configuration on Switch C is omitted. # Set the TPID value of the VLAN-VPN uplink port to 0x9100.
<SwitchA>system-view System View: return to User View with Ctrl+Z. [SwitchA]vlan-vpn tpid 9100 [SwitchA]vlan 10 [SwitchA-vlan10]quit
# Configure the GigabitEthernet2/1/2 port to be a VLAN-VPN uplink port and add it to VLAN 10 (a trunk port).
[SwitchA]interface GigabitEthernet2/1/2 [SwitchA-GigabitEthernet2/1/2]port link-type trunk [SwitchA-GigabitEthernet2/1/2]port trunk permit vlan 10 [SwitchA-GigabitEthernet2/1/2]vlan-vpn uplink enable
# Configure the GigabitEthernet2/1/1 port to be a VLAN VPN port and add it to VLAN 10 (an access port).
[SwitchA]interface GigabitEthernet2/1/1 [SwitchA-GigabitEthernet2/1/1]port access vlan 10 [SwitchA-GigabitEthernet2/1/1]vlan-vpn enable [SwitchA-GigabitEthernet2/1/1]quit
5-10
2)
Configure Switch B
Because Switch B is produced by other vendor, related commands may differ from those available to S9500 switches. So only the operation is listed, as shown below:
z
Configure GigabitEthernet3/1/1 and GigabitEthernet3/1/2 ports of Switch B to be trunk ports. Add the two ports to VLAN 10.
Note:
The following describes how a packet is forwarded from Switch A to Switch C. z As the GigabitEthernet2/1/1 port of Switch A is a VLAN VPN port, when a packet reaches GigabitEthernet2/1/1 port of Switch A, it is tagged with the default VLAN tag (VLAN 10, the outer tag) and is then forwarded to GigabitEthernet2/1/2 port. z Because GigabitEthernet2/1/2 port is a VLAN-VPN uplink port with a TPID of 0x9100, Switch A changes the TPID value in the outer VLAN Tag of the packet to 0x9100, and forwards the packet to the public network. z The packet reaches GigabitEthernet3/1/2 port of Switch B. Switch B sends the packet to its GigabitEthernet3/1/1 port by forwarding the packet in VLAN 10. z The packet is forward from GigabitEthernet3/1/1 port of Switch B to the network on the other side and enters GigabitEthernet2/1/2 port of Switch C, Switch C sends the packet to its GigabitEthernet2/1/1 port by forwarding the packet in VLAN 10. As GigabitEthernet2/1/1 port is an access port, Switch C strip off the outer VLAN tag of the packet and restores the original packet. It is the same case when a packet travel from Switch C to Switch A.
IV. Verification
The configuration is successful if packets sourced from the networks connected to Switch A can reach those connected to Switch C, or packets sourced from the networks connected to Switch C can reach those connected to Switch A.
5-11

Operation Manual - Vlan-Qinq H3C S9500 Series Routing Switches

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Operation Manual - Vlan-Qinq H3C S9500 Series Routing Switches

Transféré par

Droits d'auteur :

Formats disponibles

Operation Manual VLAN-QinQ H3C S9500 Series Routing Switches