Understanding Layer 2 Protocol Tunneling
- On the ingress Provider Edge (PE) of the ISP network, the destination multicast MAC address of a Layer 2 protocol packet is replaced with a specified multicast MAC address.
- The devices on the ISP network determine whether to process the protocol packet based on the configured transparent transmission mode.
- When the Layer 2 protocol packet reaches the egress, the PE restores the destination multicast MAC address of the Layer 2 protocol packet to the standard destination multicast MAC address based on the mapping between the specified destination multicast MAC address and the Layer 2 protocol configured on the device. The egress PE also determines whether to process the packet based on the configured transparent transmission mode.
To transparently transmit Layer 2 protocol packets on the ISP network, ensure that the following requirements are met:
- Each branch of a user network must be able to receive the Layer 2 protocol packets from other branches.
- The CPUs of the devices on the ISP network must not process Layer 2 protocol packets from a user network.
- Layer 2 protocol packets from different user networks must be isolated and not affect each other.
Huawei devices support the following Layer 2 protocol tunneling modes in different scenarios:
- Interface-based Layer 2 protocol tunneling
- VLAN-based Layer 2 protocol tunneling
- Basic QinQ-based Layer 2 protocol tunneling
Interface-based Layer 2 Protocol Tunneling
As shown in Figure 14-2, each interface on a PE connects to one user network. The user networks do not belong to the same LAN. If BPDUs received from user networks do not carry any VLAN tag, the PE must identify the LAN that the BPDUs come from. BPDUs of a user network in LAN-A must be sent to other user networks in LAN-A. In addition, BPDUs must not be processed by devices on the ISP network. To meet the preceding requirements, configure interface-based Layer 2 protocol tunneling on backbone network edge devices and replace the original multicast MAC address of Layer 2 protocol packets from user networks with a specified multicast MAC address.
- On the device of the ISP network, add the interfaces that connect to the same user network to the same VLAN. After receiving and identifying the Layer 2 protocol packet (such as a BPDU of the STP protocol) from the user network, the device on the ISP network adds the default VLAN ID of the interface to the Layer 2 protocol packet.
- Based on the mapping between the specified destination multicast MAC address and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard destination multicast MAC address of the Layer 2 protocol packet with the specified destination multicast MAC address.
- Internal nodes on the ISP network forward the packet through the ISP network as a common Layer 2 packet.
- The egress PE on the ISP network restores the original standard destination MAC address of the packet based on the mapping between the specified destination multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
VLAN-based Layer 2 Protocol Tunneling
In most cases, a PE serves as an aggregation device. As shown in Figure 14-3, the aggregation interface on PE1 receives Layer 2 protocol packets from LAN-A and LAN-B. To differentiate BPDUs from two LANs, BPDUs sent from CEs to PEs must have VLAN tags. Packets sent from LAN-A contain VLAN ID 200 and packets sent from LAN-B contain VLAN ID 100. BPDUs of a user network in LAN-A must be forwarded to other user networks in LAN-A, but not to user networks in LAN-B. In addition, BPDUs cannot be processed by PEs on the ISP network. In this case, you can configure VLAN-based Layer 2 protocol tunneling on PEs, so that Layer 2 protocol packets can traverse the ISP network through Layer 2 tunnels.
Similar to interface-based Layer 2 protocol tunneling, you can use the following methods to implement VLAN-based Layer 2 protocol tunneling:
- Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to the ISP network.
  When STP BPDUs are sent from the user network to the backbone network, run the stp bpdu vlan command to enable the CE to encapsulate the specified VLAN ID in outgoing STP BPDUs.
- Enable the devices on the ISP network to identify Layer 2 protocol packets with the specified VLAN IDs and allow these packets to pass.
- Based on the mapping between the specified destination multicast MAC address and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard destination multicast MAC address of the Layer 2 protocol packet with the specified destination multicast MAC address.
- Internal nodes on the ISP network forward the packets through the ISP network as common Layer 2 packets.
- The egress PE on the ISP network restores the original standard destination MAC address of the packet based on the mapping between the specified destination multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
Basic QinQ-based Layer 2 Protocol Tunneling
If Layer 2 protocol packets are still transmitted transparently in VLAN-based mode when many user networks are connected to the ISP network, a large number of VLAN IDs of the ISP network are required. This may result in insufficient VLAN ID resources. To conserve VLAN IDs, you can configure QinQ-based Layer 2 protocol tunneling to forward Layer 2 protocol packets on the ISP network.
The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. QinQ technology improves utilization of VLANs by adding another 802.1Q tag to a packet, allowing services on a private VLAN to be transparently transmitted to the public network.
- The ingress device on the backbone network adds a different outer VLAN tag (public VLAN ID) to the received Layer 2 protocol packets based on the inner VLAN IDs (user VLAN IDs) carried in the Layer 2 protocol packets.
- The ingress device replaces the multicast destination MAC address in the Layer 2 protocol packets with a specified multicast MAC address based on the configured mapping between the multicast destination MAC address and the specified multicast MAC address.
- The ingress device transmits the Layer 2 protocol packets with a specified multicast MAC address through different Layer 2 tunnels based on the outer VLAN IDs. The internal devices on the backbone network forward the Layer 2 protocol packets with a specified multicast MAC address to the egress devices.
- The egress devices restore the original destination MAC address in the Layer 2 protocol packets based on the configured mapping between the multicast destination MAC address and the specified multicast address, remove the outer VLAN tags, and send the Layer 2 protocol packets to the user networks based on the inner VLAN IDs.
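The QinQ-based sequence above, modeled on raw Ethernet frames as an added example (this is not Huawei code or device configuration). The specified multicast MAC, the public VLAN IDs 1000 and 2000, the function names and the one-line model of when a core node hands a frame to its CPU are all assumptions made for illustration; the BPDU is constructed with a zeroed payload.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")     # standard STP BPDU destination MAC
TUNNEL_MAC = bytes.fromhex("0100deadbe01")  # constructed "specified" multicast MAC
TO_TUNNEL = {STP_MAC: TUNNEL_MAC}           # protocol MAC -> specified MAC mapping
TO_STANDARD = {v: k for k, v in TO_TUNNEL.items()}
INNER_TO_OUTER = {100: 1000, 200: 2000}     # constructed user VLAN -> public VLAN
TPID = 0x8100

def tag(vid):
    return struct.pack("!HH", TPID, vid & 0x0FFF)

def first_vid(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None

def make_bpdu(user_vid):
    """Constructed tagged STP BPDU as a CE would send it (payload zeroed)."""
    src = bytes.fromhex("020000000a01")
    llc = b"\x00\x26\x42\x42\x03" + bytes(35)
    return STP_MAC + src + tag(user_vid) + llc

def ingress_pe(frame):
    """Push the outer tag selected by the inner VLAN, then swap in the tunnel MAC."""
    outer = INNER_TO_OUTER.get(first_vid(frame))
    if frame[:6] not in TO_TUNNEL or outer is None:
        return None  # not a tunneled protocol or unknown customer VLAN: drop
    return TO_TUNNEL[frame[:6]] + frame[6:12] + tag(outer) + frame[12:]

def core_punts_to_cpu(frame):
    """Simplified model: a core node only hands reserved protocol MACs to its CPU."""
    return frame[:6] in TO_TUNNEL

def egress_pe(frame, tunnel_vid):
    """Restore the standard MAC and pop the outer tag, only for this tunnel's VLAN."""
    if frame[:6] not in TO_STANDARD or first_vid(frame) != tunnel_vid:
        return None  # belongs to another user network: keep it isolated
    return TO_STANDARD[frame[:6]] + frame[6:12] + frame[16:]

if __name__ == "__main__":
    original = make_bpdu(200)             # LAN-A uses VLAN 200 on this page
    tunneled = ingress_pe(original)
    print(tunneled[:6].hex(), first_vid(tunneled), core_punts_to_cpu(tunneled))
    print(egress_pe(tunneled, 2000) == original, egress_pe(tunneled, 1000))
```

The last two checks correspond to the three requirements listed earlier: the frame round-trips unchanged to the same user network, is not handed to a core CPU in transit, and is not delivered through another user network's tunnel.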