Typical QinQ Configuration
Example for Configuring Basic QinQ
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network.
Basic QinQ, also called QinQ tunneling, is performed on interfaces. When an interface enabled with basic QinQ receives a packet, the device adds the default VLAN tag of its interface to the packet. If the received packet is already tagged, it then carries double VLAN tags. If the received packet is untagged, it then carries only the default VLAN tag of the interface.
When too many VLANs are required, you can configure basic QinQ. Basic QinQ, by adding an outer tag, expands VLAN space and solves the VLAN shortage problem.
Networking Requirements
As shown in Figure 3-89, a network has two enterprises: enterprise 1 and enterprise 2. Both enterprises have two branches. Enterprise 1 and enterprise 2 networks connect to SwitchA and SwitchB, respectively, of the ISP network. In addition, there are non-Huawei devices on the public network and the TPID in the outer VLAN tag is 0x9100.
- VLANs need to be independently assigned to enterprise 1 and enterprise 2.
- Traffic between the two branches of each enterprise is transparently transmitted through the public network. Users accessing the same service in different branches of each enterprise are allowed to communicate, and users accessing different services must be isolated.
Configuration Roadmap
The configuration roadmap is as follows:
Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure connected interfaces as QinQ interfaces, and add the interfaces to VLANs so that different VLAN tags are added to packets of different services.
Add interfaces of SwitchA and SwitchB that are connected to the public network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed to pass through.
Configure the TPID in the outer VLAN tag on interfaces of SwitchA and SwitchB that are connected to the public network so that SwitchA and SwitchB can communicate with non-Huawei devices.
Procedure
- Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200
- Set the link type of interfaces to QinQ.
# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the default VLAN of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN 200. VLAN 100 and VLAN 200 are added to outer tags. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/1] port default vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/2] port default vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
- Configure switch interfaces connected to the public network.
# Add GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet1/0/3] quit
- Configure the TPID in the outer VLAN tag.
# Set the TPID in the outer VLAN tag to 0x9100 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.
# Set the TPID in the outer VLAN tag to 0x9100 on SwitchB.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.
- Verify the configuration.
On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of the other branch in enterprise 1. The ping operation succeeds, indicating that branches of enterprise 1 can communicate with each other.
On a PC in a VLAN of a branch in enterprise 2, ping a PC in the same VLAN of the other branch in enterprise 2. The ping operation succeeds, indicating that branches of enterprise 2 can communicate with each other.
On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of a branch in enterprise 2. The ping operation fails, indicating that enterprise 1 and enterprise 2 are isolated.
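The tagging behaviour this example relies on, as an added Python sketch (not Huawei code): a basic QinQ port pushes its default VLAN as an outer tag with TPID 0x9100, and a peer that accepts only 0x8100 as the outer TPID does not recognise that tag. The MAC addresses, the inner VLAN 10 and the payload are constructed sample values.

```python
import struct

TPID_DOT1Q = 0x8100  # standard 802.1Q TPID, used here for the customer (inner) tag
TPID_OUTER = 0x9100  # outer TPID this page sets with "qinq protocol 9100"

def push_outer_tag(frame: bytes, default_vlan: int, tpid: int = TPID_OUTER) -> bytes:
    """Model a dot1q-tunnel port: insert one tag carrying the port's default
    VLAN right after the MAC addresses, whether or not a tag is already there."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= default_vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    # Priority and DEI bits are left at 0 (assumption), so the TCI equals the VLAN ID.
    return frame[:12] + struct.pack("!HH", tpid, default_vlan) + frame[12:]

def parse_tags(frame: bytes, outer_tpids=(TPID_DOT1Q, TPID_OUTER)):
    """Return ([(tpid, vlan_id), ...], ethertype) as seen by a device that
    accepts `outer_tpids` for the first tag and only 0x8100 for the second."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset, accepted = [], 12, set(outer_tpids)
    while len(tags) < 2 and offset + 6 <= len(frame):
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in accepted:
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
        accepted = {TPID_DOT1Q}  # the inner tag must use 0x8100
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype

# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("02000000000b" "02000000000a")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"payload"
TAGGED_10 = MACS + struct.pack("!HHH", TPID_DOT1Q, 10, 0x0800) + b"payload"

def demo():
    """Push outer VLAN 100 (GE1/0/1 on SwitchA) and decode the result."""
    single = push_outer_tag(UNTAGGED, 100)
    double = push_outer_tag(TAGGED_10, 100)
    return {
        "untagged_in": parse_tags(single),
        "tagged_in": parse_tags(double),
        # A device that accepts only 0x8100 as the outer TPID sees no VLAN tag
        # at all, just an EtherType of 0x9100.
        "peer_expects_8100": parse_tags(double, outer_tpids=(TPID_DOT1Q,)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last case is why the TPID must be set to the same value on every device that handles the outer tag: with a mismatch the outer VLAN is never read.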
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
 port link-type dot1q-tunnel
 port default vlan 100
#
interface GigabitEthernet1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
#
interface GigabitEthernet1/0/3
 qinq protocol 9100
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return
Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
 port link-type dot1q-tunnel
 port default vlan 100
#
interface GigabitEthernet1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
#
interface GigabitEthernet1/0/3
 qinq protocol 9100
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return
Example for Configuring VLAN ID-based Selective QinQ
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network.
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of basic QinQ, selective QinQ takes different actions for packets received by the same interface based on VLANs.
VLAN ID-based selective QinQ adds different outer VLAN tags to packets with different inner VLAN IDs.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:
- Before configuring selective QinQ on a fixed switch, you must run the qinq vlan-translation enable command to enable VLAN translation.
- You are advised to configure selective QinQ on a hybrid interface. Selective QinQ can take effect on the interface only in the inbound direction.
- The outer VLAN must be created before selective QinQ is performed.
- When an interface configured with VLAN stacking needs to remove the outer tag from outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode.
- The device configured with selective QinQ can add only one outer VLAN tag to a frame with an inner VLAN tag on an interface.
- If only single-tagged packets from a VLAN need to be transparently transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
- After selective QinQ is configured on the following cards and devices, VLAN mapping (for example, port vlan-mapping vlan 20 map-vlan 20) must be configured to map to itself any VLAN from which single-tagged packets need to be transparently transmitted:
  - ES0D0G24SA00, ES0D0G24CA00, EH1D2G24SSA0, and EH1D2S24CSA0 cards
  - S5700-EI, S3700-EI, and S3700-SI
- This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-90, Internet access users (using PCs) and VoIP users (using VoIP phones) connect to the ISP network through SwitchA and SwitchB and communicate with each other through the ISP network.
In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP phones.
It is required that packets of PCs and VoIP phones are tagged with VLAN 2 and VLAN 3, respectively, when the packets are transmitted through the ISP network.
Configuration Roadmap
The configuration roadmap is as follows:
Create VLANs on SwitchA and SwitchB.
Configure link types of interfaces and add interfaces to VLANs on SwitchA and SwitchB.
Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
- Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
- Configure selective QinQ on interfaces.
When a fixed switch is used, you must run the qinq vlan-translation enable command in the interface view to enable VLAN translation.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GE1/0/1 on SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] quit
- Configure other interfaces.
# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit
- Verify the configuration.
If the configurations on SwitchA and SwitchB are correct, you can obtain the following information:
PCs can communicate with each other through the ISP network.
VoIP phones can communicate with each other through the ISP network.
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 2 to 3
 port vlan-stacking vlan 100 stack-vlan 2
 port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 2 to 3
 port vlan-stacking vlan 100 stack-vlan 2
 port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
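Three of the Configuration Notes for VLAN ID-based selective QinQ can be checked mechanically against a configuration file: the outer VLAN exists, the interface has joined it, and each inner VLAN gets only one outer tag. The following Python check is an added example, not a Huawei tool; it only understands the command forms shown on this page, and the broken variant is constructed.

```python
import re

def vlan_set(text):
    """Expand a VLAN list such as '2 to 3' or '2 3' into a set of IDs."""
    out = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Return sorted (interface, finding, vlan) tuples; empty means clean."""
    created, ifaces, cur = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("vlan batch "):
            created |= vlan_set(line)
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"joined": set(), "stack": []})
        elif line == "#":
            cur = None  # "#" closes the current view in a configuration file
        elif cur is not None:
            m = re.fullmatch(r"port hybrid (?:un)?tagged vlan (.+)", line)
            if m:
                cur["joined"] |= vlan_set(m.group(1))
            m = re.fullmatch(r"port vlan-stacking vlan (\d+) stack-vlan (\d+)", line)
            if m:
                cur["stack"].append((int(m.group(1)), int(m.group(2))))
    findings = set()
    for name, data in ifaces.items():
        outer_of = {}
        for inner, outer in data["stack"]:
            if outer not in created:
                findings.add((name, "outer VLAN not created", outer))
            if outer not in data["joined"]:
                findings.add((name, "interface not in outer VLAN", outer))
            if outer_of.setdefault(inner, outer) != outer:
                findings.add((name, "inner VLAN has two outer tags", inner))
    return sorted(findings)

# SwitchA configuration from this page (sysname and return lines omitted).
PAGE_CONFIG = """\
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 2 to 3
 port vlan-stacking vlan 100 stack-vlan 2
 port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
"""

# Constructed broken variant: VLAN 3 never created or joined, VLAN 100 stacked twice.
BROKEN_CONFIG = (PAGE_CONFIG.replace("batch 2 to 3", "batch 2")
                 .replace("untagged vlan 2 to 3", "untagged vlan 2")
                 .replace("vlan 300 stack-vlan 3", "vlan 100 stack-vlan 3"))

if __name__ == "__main__":
    print(audit(PAGE_CONFIG), audit(BROKEN_CONFIG), sep="\n")
```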
Example for Configuring Flow-based Selective QinQ
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network.
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of basic QinQ, selective QinQ takes different actions for packets received by the same interface based on VLANs.
Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can provide differentiated services based on service types.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:
- You are advised to configure selective QinQ on a hybrid interface. Selective QinQ can take effect on the interface only in the inbound direction.
- The outer VLAN must be created before selective QinQ is performed.
- When an interface configured with VLAN stacking needs to remove the outer tag from outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode.
- The device configured with selective QinQ can add only one outer VLAN tag to a frame with an inner VLAN tag on an interface.
- If only single-tagged packets from a VLAN need to be transparently transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
- This example applies to all versions of the modular switches.
Networking Requirements
As shown in Figure 3-91, Internet access users (using PCs) and VoIP users (using VoIP phones) connect to the ISP network through SwitchA and SwitchB and communicate with each other through the ISP network.
It is required that packets of PCs and VoIP phones are tagged with VLAN 2 and VLAN 3, respectively, when the packets are transmitted through the ISP network. Flow-based selective QinQ can be configured to meet the requirement.
Configuration Roadmap
The configuration roadmap is as follows:
Create VLANs on SwitchA and SwitchB.
Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to VLANs.
Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective QinQ.
Procedure
- Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
- Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchB-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name1 //Configure a traffic policy named name1.
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[SwitchB-trafficpolicy-name1] quit
- Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the interface in the inbound direction.
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GE1/0/1 on SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the interface in the inbound direction.
[SwitchB-GigabitEthernet1/0/1] quit
- Configure other interfaces.
# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit
- Verify the configuration.
If the configurations on SwitchA and SwitchB are correct, you can obtain the following information:
PCs can communicate with each other through the ISP network.
VoIP phones can communicate with each other through the ISP network.
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
 if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
 if-match vlan-id 300 to 400
#
traffic behavior name1
 permit
 nest top-most vlan-id 2
traffic behavior name2
 permit
 nest top-most vlan-id 3
#
traffic policy name1 match-order config
 classifier name1 behavior name1
 classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 2 to 3
 traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
 if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
 if-match vlan-id 300 to 400
#
traffic behavior name1
 permit
 nest top-most vlan-id 2
traffic behavior name2
 permit
 nest top-most vlan-id 3
#
traffic policy name1 match-order config
 classifier name1 behavior name1
 classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 2 to 3
 traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return