NetEngine 8000 F1A V800R022C00SPC600 Configuration Guide

QinQ Configuration

QinQ Description
QinQ Configuration

QinQ Description

Overview of QinQ

Definition

802.1Q-in-802.1Q (QinQ) is a technology that adds another layer of IEEE 802.1Q tag to the 802.1Q tagged packets entering the network. This technology expands the VLAN space by tagging the tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network.

Purpose

During intercommunication between Layer 2 LANs based on the traditional IEEE 802.1Q protocol, when two user networks access each other through a carrier network, the carrier must assign VLAN IDs to users of different VLANs, as shown in Figure 1-693. User Network1 and User Network2 access the backbone network through PE1 and PE2 of a carrier network respectively.

Figure 1-693 Intercommunication between Layer 2 LANs using the traditional IEEE 802.1Q protocol

To connect VLAN 100 - VLAN 200 on User Network1 to VLAN 100 - VLAN 200 on User Network2, interfaces connecting CE1, PE1, the P, PE2, and CE2 can be configured to function as trunk interfaces and to allow packets from VLAN 100 - VLAN 200 to pass through.

This configuration, however, makes user VLANs visible on the backbone network and wastes the carrier's VLAN ID resources (4094 VLAN IDs are used). In addition, the carrier has to manage user VLAN IDs, and users do not have the right to plan their own VLANs.

The 12-bit VLAN tag defined in IEEE 802.1Q identifies only a maximum of 4096 VLANs, unable to isolate and identify mass users in the growing metro Ethernet (ME) network. QinQ is therefore developed to expand the VLAN space by adding another 802.1Q tag to an 802.1Q tagged packet. In this way, the number of VLANs increases to 4096 x 4096.

In addition to expanding VLAN space, QinQ is applied in other scenarios with the development of the ME network and carriers' requirements on refined operation. The outer and inner VLAN tags can be used to differentiate users from services. For example, the inner tag represents a user, while the outer tag represents a service. Moreover, QinQ functions as a simple and practical VPN technology by transparently transmitting private VLAN services over a public network. It extends services of a core MPLS VPN to the ME network and implements an end-to-end VPN.

Since the QinQ technology is easy to use, it has been widely applied on ISP networks. For example, it is used by multiple services on the metro Ethernet. As the metro Ethernet develops, different vendors propose their own metro Ethernet solutions. QinQ with its simplicity and flexibility, plays important roles in metro Ethernet solutions.

Benefits

QinQ offers the following benefits:

Extends VLANs to isolate and identify more users.
Facilitates service deployment by allowing the inner and outer tags to represent different information. For example, use the inner tag to identify a user and the outer tag to identify a service.
Allows ISPs to implement refined operation by providing diversified encapsulation and termination modes.

Understanding QinQ

Basic Concepts

QinQ is a technology used to expand VLAN space by adding another 802.1Q VLAN tag to a tagged 802.1Q packet. To accommodate to the ME network development, QinQ becomes diversified in its encapsulation and termination modes and is more intensely applied in service refined operation. The following describes the format of a QinQ packet, QinQ encapsulation on an interface, and QinQ termination on a sub-interface.

QinQ Packet Format

A QinQ packet has a fixed format. In the packet, another 802.1Q tag is added before an 802.1Q tag. A QinQ packet is 4–byte longer than a common 802.1Q packet.

Figure 1-694 shows 802.1Q encapsulation.

Figure 1-694 QinQ packet format

QinQ packets carry two VLAN tags when they are transmitted across a carrier network. The meanings of the two tags are described as follows:

Inner VLAN tag: private VLAN tag that identifies the VLAN to which a user belongs.
Outer VLAN tag: public VLAN tag that is assigned by a carrier to a user.

QinQ Encapsulation

QinQ encapsulation is to add another 802.1Q tag to a single-tagged packet. QinQ encapsulation is usually performed on UPE interfaces connecting to users.

Currently, only interface-based QinQ encapsulation is supported. Interface-based QinQ encapsulation, also known as QinQ tunneling, encapsulates packets that enter the same interface with the same outer VLAN tag. This encapsulation mode cannot flexibly distinguish between users and services.

Sub-interface for VLAN Tag Termination

In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

After an interface receives a packet with one or two VLAN tags, the device removes the VLAN tags and forwards the packet at Layer 3. The outbound interface decides whether to add one or two VLAN tags to the packet.
Before an interface forwards a packet, the device adds the planned VLAN tag to the packet.

The following section describes the termination types, the VLAN tag termination sub-interfaces, and the applications of VLAN tag termination.

Termination type
VLAN packets are classified into dot1q packets, which carry only one VLAN tag, and QinQ packets, which carry two VLAN tags. Accordingly, there are two VLAN tag termination modes:
- Dot1q termination: terminates packets that carry one VLAN tag.
- QinQ termination: terminates packets that carry two VLAN tags.
VLAN tag termination sub-interfaces
Dot1q/QinQ termination is conducted on sub-interfaces.
- Sub-interface for dot1q VLAN tag termination
  
  A sub-interface that terminates packets carrying one VLAN tag.
- Sub-interface for QinQ VLAN tag termination
  
  A sub-interface that terminates packets carrying two VLAN tags.
  Sub-interfaces for QinQ VLAN tag termination are classified into the following types:
  - Explicit sub-interface for QinQ VLAN tag termination: The pair of VLAN tags specifies two VLANs.
  - Implicit sub-interface for QinQ VLAN tag termination: The pair of VLAN tags specifies two ranges of VLANs.
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of packets that do not contain a VLAN tag, and discard received packets that do not contain a VLAN tag.
Applications of VLAN tag termination
- Inter-VLAN communication
  The VLAN technology is widely used because it allows Layer 2 packets of different users to be transmitted separately. With the VLAN technology, a physical LAN is divided into multiple logical broadcast domains (VLANs). Hosts in the same VLAN can communicate with each other at Layer 2, but hosts in different VLANs cannot. The Layer 3 routing technology is required for communication between hosts in different VLANs. The following interfaces can be used to implement inter-VLAN communication:
  - Layer 3 Ethernet interfaces on routers
    
    Conventional Layer 3 Ethernet interfaces do not identify VLAN packets. After receiving VLAN packets, they consider the packets invalid and discard them. To implement inter-VLAN communication, create Ethernet sub-interfaces on an Ethernet interface and configure the sub-interfaces to remove tags from VLAN packets.
- Communication between devices in the LAN and WAN
  
  Most LAN packets carry VLAN tags. Certain wide area network (WAN) protocols, such as Point-to-Point Protocol (PPP), cannot identify VLAN packets. Before forwarding VLAN packets from a LAN to a WAN, a device needs to record the VLAN information carried in the VLAN packets and then remove the VLAN tags.
  
  When a device receives packets, it adds the locally stored VLAN information to the packets and forwards them to VLAN users.

User-VLAN Sub-interface

User-VLAN sub-interfaces are used for user access to a BRAS. Different user-VLAN sub-interfaces can be configured on an interface for different VLAN users. After users' VLAN packets arrive on a BRAS, the BRAS can differentiate user services based on the VLAN IDs in the packets and then use proper authentication and address allocation methods for the users. After that, the BRAS sends users' VLAN packets to a RADIUS server for user location identification.

After user-VLAN sub-interfaces on a BRAS receive matching packets, they remove VLAN tags and then forward the packets at Layer 3.

Incoming packets supported by user-VLAN sub-interfaces fall into the following categories:
- Single-tagged VLAN packets
  
  User-VLAN sub-interfaces remove the single VLAN tags and forward the packets at Layer 3.
- Double-tagged VLAN packets
  
  User-VLAN sub-interfaces remove the double VLAN tags and forward the packets at Layer 3.
  
  The outer and inner VLAN tags in double-tagged packets identify services and users, respectively.
- Any-other packets
  
  If packets received on user-VLAN sub-interfaces are neither single-tagged nor double-tagged VLAN packets permitted by the sub-interfaces, these packets are forwarded by user-VLAN sub-interfaces of any-other type at Layer 3.
VE interfaces do not support packets of any-other type.
Usage scenario of user-VLAN sub-interfaces

An IP core network cannot identify VLAN tags in user packets. If VLAN users need to access an IP core network through a BRAS over a Layer 2 network, user-VLAN sub-interfaces can be configured on the BRAS to remove the VLAN tags. If VLAN users need to access an IP core network through a BRAS over a Layer 3 network, Dot1q or QinQ VLAN tag termination sub-interfaces can be configured on the BRAS to remove the VLAN tags.

QinQ Tunneling

QinQ tunneling increases the number of VLANs by adding a same outer VLAN tag to tagged packets that enter the same interface.

On the network shown in Figure 1-695, Company 1 has two branches which are connected to PE1, and Company 2 has three branches. Two of them are connected to PE2, and the third one is connected to PE1. Company 1 and Company 2 can plan their own VLANs.

Figure 1-695 QinQ tunneling

To allow branches to communicate within Company 1 or Company 2 but not between the two companies, configure QinQ tunneling on PE1 and PE2. The configuration roadmap is as follows:

On PE1, user packets entering Port 1 and Port 3 are encapsulated with an outer VLAN tag 10, and user packets entering Port 2 are encapsulated with an outer VLAN tag 20.
On PE2, user packets entering Port 1 and Port 2 are encapsulated with an outer VLAN tag 20.
Port 4 on PE1 and Port 3 on PE2 allow the packets tagged with VLAN 20 to pass.

Table 1-367 shows planning of outer VLAN tags of Company 1 and Company 2.

Table 1-367 Outer VLAN tag planning of Company 1 and Company 2

Company Name	VLAN ID Range	Outer VLAN ID
Company 1	2 to 500	10
Company 2	500 to 4094	20

Layer 2 Selective QinQ

Layer 2 selective QinQ is an extension of QinQ tunneling but is more flexible. The major difference is as follows:

QinQ tunneling adds the same outer tag to the frames that enter a QinQ interface.
Layer 2 selective QinQ adds distinctive outer tags to the frames that enter a QinQ interface according to inner tags.

On the network shown in Figure 1-696, Company 1 and Company 2 have more than one branch.

VLAN 2 to VLAN 500 are used on the networks of Company 1.
VLAN 501 to VLAN 4094 are used on the networks of Company 2.
Interface 1 on PE1 both receives packets from VLANs of Company 1 and Company 2.

Figure 1-696 Layer 2 selective QinQ

To allow branches to communicate within Company 1 or Company 2 but not between the two companies, configure Layer 2 selective QinQ on PE1 and PE2.

Table 1-368 shows the planning of outer VLAN tags in the packets entering different interfaces on PE1 and PE2.

Table 1-368 Outer VLAN tag planning on PE1 and PE2

Device Name	Interface Name	VLAN ID Range	Outer VLAN ID
PE1	Interface 1	2 to 500	10
	Interface 1	1000 to 2000	20
	Interface 2	100 to 500	10
PE2	Interface 1	1000 to 4094	20
PE2	Interface 2	501 to 2500	20

Interface 3 on PE1 or PE2 allows the packets tagged with VLAN 20 to pass.

VLAN Stacking

VLAN stacking is a Layer 2 technology that encapsulates different outer VLAN tags for different user VLANs.

On a carrier's access network, user packets need to be differentiated according to users' applications, access points, or access devices. VLAN stacking is introduced to differentiate users by adding outer VLAN tags to user packets based on user packets' inner tags or IP or MAC addresses.

A VLAN stacking interface adds different outer VLAN tags to its received packets and strips the outer VLAN tags from the packets to be sent.

Compatibility of EtherTypes in QinQ Tags

As shown in Figure 1-697, an IEEE 802.1Q tag lies between the Source Address field and the Length/Type field. The default EtherType value in the 2–byte Tag Protocol Identifier (TPID) is 0x8100. If the EtherType value of a packet is 0x8100, the packet is tagged. The EtherType value in a QinQ packet varies with the settings of device manufactures. Huawei devices use the default value 0x8100 while some non-Huawei devices use 0x9100 as the EtherType value. To implement interworking between Huawei devices and non-Huawei devices, you need to configure compatibility of EtherTypes in inner and outer tags of QinQ packets sent by the devices of different vendors.

Figure 1-697 802.1Q encapsulation
Click to enlarge

In Figure 1-698, Device A is a non-Huawei device that uses 0x9100 as the EtherType value, and Device B is a Huawei device which uses 0x8000 as the EtherType value. To implement interworking between the Huawei and the non-Huawei devices, configure 0x9100 as the EtherType value in the outer VLAN tag of QinQ packets sent by the Huawei device.

Figure 1-698 Compatibility of EtherTypes in QinQ tags

QinQ-based VLAN Tag Swapping

On the network shown in Figure 1-699, a UPE receives user packets that carry double packets from a DSLAM. The inner and outer tags represent the service and user, respectively. However, the UPE only supports packets whose outer tag represents the service and inner tag represents the user. In this situation, you can configure VLAN tag swapping on the UPE to swap the inner and outer tags.

After VLAN tag swapping is configured, once the UPE receives packets with double VLAN tags, it swaps the inner and outer VLAN tags. VLAN tag swapping does not take effect on packets carrying a single tag.

Figure 1-699 QinQ-based VLAN tag swapping

PE-AGG: PE-Aggregation	DSLAM: digital subscriber line access multiplexer
Service POP: service points-of-presence	IPTV: Internet Protocol Television
UPE: underlayer provider edge	HSI: high-speed Internet
RG: residential gateway	VOIP: Voice over Internet Protocol

QinQ Mapping

Principles

QinQ mapping maps VLAN tags in user packets to specified tags before the user packets are transmitted across the public network.

Before sending local VLAN frames, a sub-interface replaces the tags in the local frames with external VLAN tags.
Before receiving frames from external VLANs, a sub-interface replaces the tags in the external VLANs with local VLAN tags.

QinQ mapping allows a device to map a user VLAN tag to a carrier VLAN tag, shielding different user VLAN IDs in packets.

QinQ mapping is deployed on edge devices of a Metro Ethernet. It is applied in but not limited to the following scenarios:

VLAN IDs deployed at new sites and old sites conflict, but new sites need to communicate with old sites.
VLAN IDs planned by each site on the public network conflict. These sites do not need to communicate.
VLAN IDs on both ends of the public network are asymmetric.

Currently, only 1 to 1 QinQ mapping is supported. When a QinQ mapping-enabled sub-interface receives a single-tagged packet, the sub-interface replaces the VLAN ID in the frame with a specified VLAN ID.

Figure 1-700 QinQ mapping
Click to enlarge

As shown in Figure 1-700, 1 to 1 QinQ mapping is configured on Sub-interfaces 1 on Switch 2 and Switch 3. If PC1 wants to communicate with PC2:

PC1 sends a frame to Switch 1.
Upon receipt, Switch 1 adds VLAN ID 10 to the frame, and forwards the frame to Switch 2. After Sub-interface1 on Switch 2 receives the frame with VLAN ID 10, Sub-interface 1 on Switch 2 replaces VLAN ID 10 with carrier VLAN ID 50. Interface 2 on Switch 2 then sends the frame with carrier VLAN ID 50 to the Internet service provider (ISP) network.
The ISP network transparently transmits the frame.
After Sub-interface 1 on Switch 3 receives the tagged frame from Switch 2, Sub-interface 1 on Switch 3 replaces the carrier VLAN ID 50 with VLAN ID 30.

PC2 communicates with PC1 in a similar manner.

Comparison Between QinQ Mapping and VLAN Mapping

Table 1-369 describes the comparison between QinQ mapping and VLAN mapping.

Table 1-369 Comparison between QinQ mapping and VLAN mapping

Mapping Type	Similarity	Difference
1 to 1	An interface maps the tag of a received single-tagged frame to the specified tag.	QinQ mapping Performed on a sub-interface Used for VPLS access VLAN mapping Performed on an interface Used on Layer 2 networks where VLAN frames are forwarded

Symmetry/Asymmetry Mode

QinQ termination sub-interfaces can access the L2VPN in symmetry mode or asymmetry mode.

In symmetric mode, when sub-interfaces for QinQ VLAN tag termination are used to access an L2VPN, packets received by the edge devices on the two ends of the public network must carry the same VLAN tags.

In symmetry mode, the VLAN planning at each site must be consistent, and only users in the same VLAN at different sites can communicate with each other. In this mode, user VLANs can be isolated according to inner tags. MAC address learning is based only on outer tags, and inner tags are transparently transmitted to the remote end.
In asymmetric mode, when sub-interfaces for QinQ VLAN tag termination are used to access an L2VPN, packets received by the edge devices on the two ends of the public network may carry different VLAN tags.

In asymmetrical mode, the VLANs planning at each site can be different, and users in VLANs at any sites can communicate with each other. In this mode, user VLANs cannot be isolated, and MAC address learning is based on both inner and outer tags.

Table 1-370 and Table 1-371 describe how a PE processes user packets that arrive at an L2VPN in different ways.

Table 1-370 Packet processing on an inbound interface

Type of the Inbound Interface	VPWS/VPLS Ethernet Encapsulation	VPWS/VPLS VLAN Encapsulation
Symmetry mode	Removes the outer tag.	No action is required.
Asymmetry mode	Removes both the inner and outer tags.	Removes both inner and outer tags and adds another tag.

Type of the Inbound Interface

VPWS/VPLS

Ethernet Encapsulation

VPWS/VPLS

VLAN Encapsulation

Symmetry mode

Removes the outer tag.

No action is required.

Asymmetry mode

Removes both the inner and outer tags.

Removes both inner and outer tags and adds another tag.

Table 1-371 Packet processing on an outbound interface

Type of the Outbound Interface	VPWS/VPLS Ethernet Encapsulation	VPWS/VPLS VLAN Encapsulation
Symmetry mode	Adds an outer tag.	Replaces the outer tag.
Asymmetry mode	Adds two tags.	Removes one tag and adds another double tags.

Type of the Outbound Interface

VPWS/VPLS

Ethernet Encapsulation

VPWS/VPLS

VLAN Encapsulation

Symmetry mode

Adds an outer tag.

Replaces the outer tag.

Asymmetry mode

Adds two tags.

Removes one tag and adds another double tags.

IP Forwarding on a Termination Sub-interface

On the network shown in Figure 1-701 and Figure 1-702, when the NPE at the edge of the MPLS/IP core network acts as a gateway for users, termination sub-interfaces must support IP forwarding.

IP forwarding can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by the NPE carry one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has IP forwarding configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has IP forwarding configured is a sub-interface for QinQ VLAN tag termination.

IP Forwarding on a Sub-interface for Dot1q VLAN Tag Termination

Figure 1-701 IP forwarding on a sub-interface for Dot1q VLAN tag termination

The sub-interface for Dot1q VLAN tag termination first identifies the outer VLAN tag and then generates an ARP entry containing the IP address, MAC address, and outer VLAN tag.

For the upstream traffic, the termination sub-interface strips the Ethernet frame header (including MAC address) and the outer VLAN tag, and searches the routing table to perform Layer 3 forwarding based on the destination IP address.
For the downstream traffic, the termination sub-interface encapsulates IP packets with the Ethernet frame header (including MAC address) and outer VLAN tag according to ARP entries and then sends IP packets to the target user.

IP Forwarding on a Sub-interface for QinQ VLAN Tag Termination

Figure 1-702 IP forwarding on a sub-interface for QinQ VLAN tag termination

The sub-interface for QinQ VLAN tag termination first identifies double VLAN tags and then generates an ARP entry containing the IP address, MAC address, and double VLAN tags.

For the upstream traffic, the termination sub-interface strips the Ethernet frame header (including MAC address) and double VLAN tags, and searches the routing table to perform Layer 3 forwarding based on the destination IP address.
For the downstream traffic, the termination sub-interface encapsulates IP packets with the Ethernet frame header (including MAC address) and double VLAN tags according to ARP entries and then sends IP packets to the target user.

Proxy ARP on a Termination Sub-interface

On the network shown in Figure 1-703 and Figure 1-704, a termination sub-interface allows a VLAN range to access the same network segment. Users on the same network segment belong to different VLANs in the VLAN range. In this scenario, users cannot communicate with each other at Layer 2. IP forwarding must be performed on the termination sub-interface. To support IP forwarding, the termination sub-interface must support proxy ARP.

Proxy ARP can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has proxy ARP configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has proxy ARP configured is a sub-interface for QinQ VLAN tag termination.

Proxy ARP on a Sub-interface for Dot1q VLAN Tag Termination

On the network shown in Figure 1-703, PC1 and PC2 belong to VLAN 100; PC3 belongs to VLAN 200; Switch 1 is a Layer 2 switch, which allows any VLAN packets to pass; PC1, PC2, and PC3 are on the same network segment.

When PC1 and PC3 want to communicate with each other, PC1 sends an ARP request to PC3 to obtain PC3's MAC address. However, as PC1 and PC3 are in different VLANs, PC3 fails to receive the ARP request from PC1.

To solve this problem, configure proxy ARP on the sub-interface for Dot1q VLAN tag termination. The detailed communication process is as follows:

PC1 sends an ARP Request message to request PC3's MAC address.
After receiving the ARP Request message, the PE checks the destination IP address of the message and finds that the destination IP address is not the IP address of its sub-interface for Dot1q VLAN tag termination. Then, the PE searches its ARP table for the PC3's ARP entry.
- If the PE finds this ARP entry, the PE checks whether inter-VLAN proxy ARP is enabled.
  - If inter-VLAN proxy ARP is enabled, the PE sends the MAC address of its sub-interface for Dot1q VLAN tag termination to PC1.
  - If inter-VLAN proxy ARP is not enabled, the PE discards the ARP Request message.
- If the PE does not find this ARP entry, the PE discards the ARP Request message sent by PC1 and checks whether inter-VLAN proxy ARP is enabled.
  - If inter-VLAN proxy ARP is enabled, the PE sends an ARP Request message to PC3. After the PE receives an ARP Reply message from PC3, an ARP entry of PC3 is generated in the PE's ARP table.
  - If inter-VLAN proxy ARP is not enabled, the PE does not perform any operations.
After learning the MAC address of the sub-interface for Dot1q VLAN tag termination, PC1 sends IP packets to the PE based on this MAC address.

After receiving the IP packets, the PE forwards them to PC3.

Figure 1-703 Proxy ARP on a sub-interface for Dot1q VLAN tag termination

Proxy ARP on a Sub-interface for QinQ VLAN Tag Termination

A termination sub-interface allows a VLAN range to access the same network segment. Users on the same network segment belong to different VLANs in the VLAN range. In this scenario, users cannot communicate with each other at Layer 2. IP forwarding must be performed on the termination sub-interface. To support IP forwarding, the termination sub-interface must support proxy ARP.

On the network shown in Figure 1-704, PC1 and PC2 belong to VLAN 100; PC3 belongs to VLAN 200; Switch 1 has selective QinQ enabled and adds outer VLAN tag 1000 to the packets sent by Switch 2 and Switch 3 to the PE; PC1, PC2, and PC3 are on the same network segment.

When PC1 and PC3 want to communicate with each other, PC1 sends an ARP request to PC3. However, as PC1 and PC3 are in different VLANs, PC3 fails to receive the ARP request from PC1.

To solve this problem, enable proxy ARP on the sub-interface for QinQ VLAN tag termination. The detailed communication process is as follows:

PC1 sends an ARP Request message to request PC3's MAC address.
After receiving the ARP Request message, the PE checks the destination IP address of the message and finds that the destination IP address is not the IP address of its sub-interface for QinQ VLAN tag termination. Then, the PE searches its ARP table for the PC3's ARP entry.
- If the PE finds this ARP entry, the PE checks whether inter-VLAN proxy ARP is enabled.
  - If inter-VLAN proxy ARP is enabled, the PE sends the MAC address of its sub-interface for QinQ VLAN tag termination to PC1.
  - If inter-VLAN proxy ARP is not enabled, the PE discards the ARP Request message.
- If the PE does not find this ARP entry, the PE discards the ARP Request message sent by PC1 and checks whether inter-VLAN proxy ARP is enabled.
  - If inter-VLAN proxy ARP is enabled, the PE sends an ARP Request message to PC3. After the PE receives an ARP Reply message from PC3, an ARP entry of PC3 is generated in the PE's ARP table.
  - If inter-VLAN proxy ARP is not enabled, the PE does not perform any operations.
After learning the MAC address of the sub-interface for QinQ VLAN tag termination, PC1 sends IP packets to the PE based on this MAC address.

After receiving the IP packets, the PE forwards them to PC3.

Figure 1-704 Proxy ARP on a sub-interface for QinQ VLAN tag termination

DHCP Server on a Termination Sub-interface

On the network shown in Figure 1-705 and Figure 1-706, the Dynamic Host Configuration Protocol (DHCP) server function is configured on termination sub-interfaces, so that the sub-interfaces can assign IP addresses to users.

The DHCP server function can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has the DHCP server function configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has the DHCP server function configured is a sub-interface for QinQ VLAN tag termination.

DHCP Server on a Sub-interface for Dot1q VLAN Tag Termination

Figure 1-705 DHCP server on a sub-interface for Dot1q VLAN tag termination

On the network shown in Figure 1-705, the user packet received by the DHCP server carries a single tag. To enable the sub-interface for Dot1q VLAN tag termination on the DHCP server to assign an IP address to a DHCP client, configure the DHCP server function on the sub-interface for Dot1q VLAN tag termination.

DHCP Server on a Sub-interface for QinQ VLAN Tag Termination

Figure 1-706 DHCP server on a sub-interface for QinQ VLAN tag termination

On the network shown in Figure 1-706, the switch has selective QinQ configured, and the user packet received by the DHCP server carries double tags. To enable the sub-interface for QinQ VLAN tag termination on the DHCP server to assign an IP address to a DHCP client, configure the DHCP server function on the sub-interface for QinQ VLAN tag termination.

DHCP Relay on a Termination Sub-interface

On the network shown in Figure 1-708 and Figure 1-708, the Dynamic Host Configuration Protocol (DHCP) relay function is configured on termination sub-interfaces. This function allows the sub-interfaces to add user tag information into Option 82, so that a DHCP server can assign IP addresses based on the tag information.

The DHCP relay function can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has the DHCP relay function configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has the DHCP relay function configured is a sub-interface for QinQ VLAN tag termination.

DHCP Relay on a Sub-interface for Dot1q VLAN Tag Termination

On the network shown in Figure 1-707, the packet received by the DHCP relay carries a single tag. If a sub-interface for Dot1q VLAN tag termination does not support the DHCP relay, the DHCP relay regards the received packet as an invalid packet and discards it. As a result, the DHCP client cannot obtain an IP address from the DHCP server.

On the sub-interface for Dot1q VLAN tag termination, the DHCP relay function is implemented as follows:

When receiving a DHCP request message, the DHCP relay adds user tag information into the Option 82 field in the message.
When receiving a DHCP reply message (ACK message) from the DHCP server, the DHCP relay analyzes the DHCP reply and generates a binding table.
The DHCP relay checks user packets based on the user tag information.

Figure 1-707 DHCP relay on a sub-interface for Dot1q VLAN tag termination

DHCP Relay on a Sub-interface for QinQ VLAN Tag Termination

On the network shown in Figure 1-707, the packet received by the DHCP relay carries double tags. If a sub-interface for QinQ VLAN tag termination does not support the DHCP relay, the DHCP relay regards the received packet as an invalid packet and discards it. As a result, the DHCP client cannot obtain an IP address from the DHCP server.

On the sub-interface for QinQ VLAN tag termination, the DHCP relay function is implemented as follows:

When receiving a DHCP request message, the DHCP relay adds user tag information into the Option 82 field in the message.
When receiving a DHCP reply message (ACK message) from the DHCP server, the DHCP relay analyzes the DHCP reply and generates a binding table.
The DHCP relay checks user packets based on the user tag information.

Figure 1-708 DHCP relay on a sub-interface for QinQ VLAN tag termination

VRRP on a Termination Sub-interface

On the network shown in Figure 1-709 and Figure 1-710, Virtual Router Redundancy Protocol (VRRP) is supported on termination sub-interfaces to ensure communication between Dot1q or QinQ users and networks.

VRRP can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has VRRP configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has VRRP configured is a sub-interface for QinQ VLAN tag termination.

VRRP on a Sub-interface for Dot1q VLAN Tag Termination

Figure 1-709 VRRP on a sub-interface for Dot1q VLAN tag termination

On the network shown in Figure 1-709, sub-interfaces for Dot1q VLAN tag termination specify an outer tag, such as tag 100, to configure a VRRP group.

Maintaining the master/backup status of the VRRP group
Responding to ARP request messages of users

The PE responds to ARP requests of users regardless of whether their packets contain the tag specified during the VRRP configuration.
Updating the MAC address entries of the Layer 2 switch

Gratuitous ARP messages are sent periodically to update the MAC entries of the switch and are copied for all the VLAN tags specified on the sub-interfaces for Dot1q VLAN tag termination. In this way, the VLANs on the switch can learn virtual MAC addresses. To improve system performance, the frequency of sending gratuitous ARP messages is increased only when a master/backup switchover is performed. During stable operation of VRRP, the frequency of sending gratuitous ARP messages is lowered, and the interval at which gratuitous ARP packets are sent must be less than the aging time of MAC entries on the switch.

The preceding working mechanism has the following advantages:

Only one VRRP instance needs to be created for users on the same network segment, even if they carry different VLAN tags.
VRRP resources are saved.
Hardware resources are saved.
IP addresses are saved.
The number of users that can access the network is increased.

VRRP on a Sub-interface for QinQ VLAN Tag Termination

Figure 1-710 VRRP on a sub-interface for QinQ VLAN tag termination

On the network shown in Figure 1-710, sub-interfaces for QinQ VLAN tag termination specify double tags, such as an inner tag 100, outer tag 1000 to configure a VRRP group.

Maintaining the master/backup status of the VRRP group
Responding to ARP request messages of users

The PE responds to ARP requests of users regardless of whether their packets contain the tags specified during the VRRP configuration.
Updating the MAC address entries of the Layer 2 switch

Gratuitous ARP messages are sent periodically to update the MAC entries of the switch and are copied for all the VLAN tags specified on the sub-interfaces for QinQ VLAN tag termination. In this way, the VLANs on the switch can learn virtual MAC addresses. To improve system performance, the frequency of sending gratuitous ARP messages is increased only when a master/backup switchover is performed. During stable operation of VRRP, the frequency of sending gratuitous ARP messages is lowered, and the interval at which gratuitous ARP packets are sent must be less than the aging time of MAC entries on the switch.

The preceding working mechanism has the following advantages:

Only one VRRP instance needs to be created for users on the same network segment, even if they carry different VLAN tags.
VRRP resources are saved.
Hardware resources are saved.
IP addresses are saved.
The number of users that can access the network is increased.

L3VPN Access Through a Termination Sub-interface

On the network shown in Figure 1-711 and Figure 1-712, Layer 3 virtual private network (L3VPN) functions are configured on termination sub-interfaces.

L3VPN functions can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has L3VPN functions configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has L3VPN functions configured is a sub-interface for QinQ VLAN tag termination.

L3VPN Access Through a Sub-interface for Dot1q VLAN Tag Termination

Figure 1-711 shows a typical networking for L3VPN access through a sub-interface for Dot1q VLAN tag termination.

A user packet is attached with a customer-based VLAN tag on the Digital Subscriber Line Access Multiplexer (DSLAM) and then is transmitted transparently from the CE to the PE. On the PE, a sub-interface for Dot1q VLAN tag termination is configured, an outer VLAN tag is specified, and the sub-interface for Dot1q VLAN tag termination is bound to a VPN instance according to the outer VLAN tag.

After receiving the user packet, the PE strips off the outer VLAN tag and sends it to the L3VPN. At the same time, the PE needs to add a correct outer VLAN tag to the packet returned to the CE.

When the PE is terminating the outer tag of a user packet, ARP learning based on the outer VLAN tag of the user packet is required.

Figure 1-711 L3VPN access through a sub-interface for Dot1q VLAN tag termination

L3VPN Access Through a Sub-interface for QinQ VLAN Tag Termination

Figure 1-712 shows a typical networking for L3VPN access through a sub-interface for QinQ VLAN tag termination.

A user packet is attached with a customer-based VLAN tag on the DSLAM and then attached with a service-based VLAN tag on the CE. On the PE, the sub-interface for QinQ VLAN tag termination is configured, inner and outer VLAN tags are specified, and the sub-interface for QinQ VLAN tag termination is bound to a VPN instance according to double VLAN tags.

After receiving a QinQ packet from the user, the PE strips off double VLAN tags and then accesses the L3VPN. At the same time, the PE needs to add a correct outer VLAN tag and inner VLAN tag to the packet returned to the CE.

When the PE is terminating double tags of a user packet, ARP learning based on double VLAN tags of the user packet is required.

Figure 1-712 L3VPN access through a sub-interface for QinQ VLAN tag termination

VPWS Access Through a Termination Sub-interface

Virtual private wire service (VPWS) access through a termination sub-interface for QinQ VLAN tag termination means that VPWS functions are configured on the sub-interface for QinQ VLAN tag termination. By configuring the range of double VLAN tags on the sub-interface for QinQ VLAN tag termination on a PE, users within the VLAN tag range are allowed to access VPWS. A local device can transparently transmit user packets with double VLAN tags to a remote device for authentication. The remote device is usually a Broadband Remote Access Server (BRAS).

Figure 1-713 shows a typical networking for VPWS access through a sub-interface for QinQ VLAN tag termination.

Figure 1-713 VPWS access through a sub-interface for QinQ VLAN tag termination

VPLS Access Through a Termination Sub-interface

Virtual private LAN service (VPLS) access through a termination sub-interface means that VPLS functions are configured on the termination sub-interface. By configuring the range of double VLAN tags on the sub-interface for QinQ VLAN tag termination of the PE, a local Virtual Switching Instance (VSI) can communicate with a remote VSI. VPLS access is often used for communication between QinQ users of Layer 2 enterprise networks.

On a VPLS network, one Virtual Circuit (VC) link connects only a user's two VLANs that are distributed in different places. If the user wants to connect multiple VLANs distributed in different places, multiple VCs are required.

As a termination sub-interface supports a VLAN range, configuring VPLS access through a termination sub-interface allows one VC to connect users in the VLAN range. Traffic of all the VLANs in the specified range is transmitted over this VC, greatly saving VC resources of the public network and configuration workload. In addition, users can plan their own VLANs, irrespective of what the Internet Service Provider's (ISP's) VLANs are.

VPLS functions can be configured on a sub-interface for Dot1q VLAN tag termination or sub-interface for QinQ VLAN tag termination, based on whether the user packets received by a PE contain one or two VLAN tags.

If the user packets contain one tag, the sub-interface that has VPLS functions configured is a sub-interface for Dot1q VLAN tag termination.
If the user packets contain double tags, the sub-interface that has VPLS functions configured is a sub-interface for QinQ VLAN tag termination.

VPLS Access Through a Sub-interface for Dot1q VLAN Tag Termination

Figure 1-714 shows a typical networking for VPLS access through a sub-interface for Dot1q VLAN tag termination.

Figure 1-714 VPLS access through a sub-interface for Dot1q VLAN tag termination

VPLS supports the Point-to-Multipoint Protocol (P2MP) and forwards data by learning MAC addresses. In this case, VPLS access through a sub-interface for Dot1q VLAN tag termination can be performed by MAC address learning on the basis of a single VLAN tag. Note that there are no restrictions on VLAN tags for VPLS access.

VPLS Access Through a Sub-interface for QinQ VLAN Tag Termination

Figure 1-715 shows a typical networking for VPLS access through a sub-interface for QinQ VLAN tag termination.

Figure 1-715 VPLS access through a sub-interface for QinQ VLAN tag termination

VPLS supports the P2MP and forwards data by learning MAC addresses. In this case, VPLS access through a sub-interface for QinQ VLAN tag termination can be performed by MAC address learning on the basis of double VLAN tags. Note that there are no restrictions on VLAN tags for VPLS access.

Multicast Service on a Termination Sub-interface

With wide applications of multicast services on the Internet, when double-tagged multicast packets are sent from the user side to a sub-interface for QinQ VLAN tag termination sub-interface, the sub-interface needs to support the Internet Group Management Protocol (IGMP). In this manner, the UPE can maintain outbound interface information of the multicast packets based on the created multicast forwarding table, and the hosts can communicate with the multicast source.

Figure 1-716 Multicast service on a termination sub-interface

On the network shown in Figure 1-716, when the DSLAM forwards double-tagged multicast packets to the UPE, the UPE processes the packets as follows based on double-tag contents:

When the double-tagged packets carrying an outer S-VLAN tag and an inner C-VLAN tag are transmitted to the UPE to access the Virtual Switching Instances (VSIs), the UPE terminates the double tags and binds the packets to the multicast VSIs through Pseudo Wires (PWs). Then, the PE-AGG terminates PWs and adds multicast VLAN tags to the packets. Finally, the packets are transmitted to the multicast source. For example, IPTV packets with S-VLAN 3 and C-VLANs ranging from 1 to 1000 are terminated on the UPE and then access a PW. The PE-AGG terminates the PW and adds multicast VLAN 8 to the packets. IGMP snooping sets up forwarding entries based on the interface number, S-VLAN tag, and C-VLAN tag and supports multicast packets with different C-VLAN tags. Each PW then forwards the multicast packets based on their S-VLAN IDs and C-VLAN IDs.
When the double-tagged packets carrying an outer C-VLAN tag and an inner S-VLAN tag are transmitted to the UPE, the UPE enabled with VLAN swapping swaps the outer C-VLAN tag and inner S-VLAN tag. If multicast packets access Layer 2 VLANs, the packets are processed in mode 1; if multicast packets access VSIs, the packets are processed in mode 2.

Generally, VLANs are divided into the following types:

C-VLAN: customer VLAN
S-VLAN: service VLAN

The UPE processes packets in the following modes:

Single-tagged packets: The sub-interface for Dot1q VLAN tag termination needs to have IGMP and IGMP snooping configured.
Double-tagged packets: The sub-interface for QinQ VLAN tag termination needs to have IGMP and IGMP snooping configured.

VPWS Access Through a QinQ Stacking Sub-interface

The virtual private wire service (VPWS) is a point-to-point L2VPN technology. A VLANIF interface does not support VPWS, and therefore you have to access a virtual private network (VPN) through a main interface. Such a configuration is not flexible because multiple users cannot access through the same physical interface. To ensure the access of multiple users through the same physical interface, you can use the QinQ stacking function on different sub-interfaces. This requires that CE-VLANs on PE1 and PE2 be the same.

On the network shown in Figure 1-717, a QinQ stacking sub-interface on PE1 adds an outer VLAN tag of the ISP network to its received user packets that carry a VLAN tag ranging from 1 to 200 on sub-interfaces. Then, PE1 sends these packets to the VPWS network.

Figure 1-717 VPWS access through a QinQ stacking sub-interface

VPLS Access Through a QinQ Stacking Sub-interface

To access an Internet Service Provider (ISP) network through a virtual private LAN service (VPLS) network, you can bind a Virtual Switching Instance (VSI) to a VLANIF interface to transparently transmit user VLANs over the ISP network.

Alternatively, you can access a VPLS network through routing-based sub-interfaces on which QinQ stacking is configured. In Figure 1-718, QinQ stacking sub-interfaces add an outer VLAN tag of the ISP network to its received user packets that carry a VLAN tag ranging from 1 to 200. Then the sub-interfaces are bound to a VSI. In this manner, users can access the VPLS network.

Figure 1-718 VPLS access through a QinQ stacking sub-interfaces

802.1p on a QinQ Interface

During QinQ encapsulation, a QinQ interface adds an outer VLAN tag to the packet it received and is unaware of the 802.1p value in the inner VLAN tag. As a result, the service priority identified by the 802.1p value is ignored. Figure 1-719 shows the 802.1p field in a QinQ packet.

Figure 1-719 802.1p in a QinQ packet
Click to enlarge

To solve this problem, the 802.1p value in the inner VLAN tag must be processed on a QinQ sub-interface. The following three ways are available on a QinQ interface:

Ignores the 802.1p value in the inner VLAN tag, but resets the 802.1p value in the outer VLAN tag.
Automatically maps the 802.1p value in the inner VLAN tag to an 802.1p value in the outer VLAN tag.
Sets the 802.1p value in the outer VLAN tag according to the 802.1p value in the inner VLAN tag.

In Figure 1-720, QinQ supports 802.1p in following modes:

Pipe mode: A specified 802.1p value is set.
Uniform mode: The 802.1p value in the inner VLAN tag is used.
Maps the 802.1p value in the inner VLAN tag to an 802.1p value in the outer VLAN tag. Multiple 802.1p values in the inner VLAN tag can be mapped to an 802.1p value in the outer VLAN tag, but one 802.1p value in the inner VLAN tag cannot be mapped to multiple 802.1p values in the outer VLAN tag.

Figure 1-720 802.1p supported by QinQ

Application Scenarios for QinQ

User Services on a Metro Ethernet

On the network shown in Figure 1-721, DSLAMs support multiple permanent virtual channel (PVC) access. A user uses multiple services, such as HSI, IPTV and VoIP.

Figure 1-721 QinQ on a Metro Ethernet

PVCs are used to carry services that are assigned with different VLAN ID ranges. The following table lists the VLAN ID ranges for each service.

Table 1-372 Mapping between services and VLAN IDs

Service Name	Full Name	VLAN ID Range
HSI	high-speed Internet	101 to 300
VoIP	Voice over Internet Protocol	301 to 500
IPTV	Internet Protocol Television	501 to 700

If a user needs to use the VoIP service, user VoIP packets are sent to a DSLAM over a specified PVC and assigned with VLAN ID 301. When the packets reach the UPE, an outer VLAN ID (for example, 2000) is added to the packets. The inner VLAN ID (301) represents the user, and the outer VLAN ID (2000) represents the VoIP service (the DSLAM location can also be marked if you add different VLAN tags to packets received by different DSLAMs). The UPE then sends the VoIP packets to the NPE where the double VLAN tags are terminated. Then, the NPE sends the packets to an IP core network or a VPN.

HSI and IPTV services are processed in the same way. The difference is that QinQ termination of HSI services is implemented on the BRAS.

The NPE can generate a Dynamic Host Configuration Protocol (DHCP) binding table to avoid network attacks. In addition, the NPE can implement DHCP authentication based on the two-layer tags and has Virtual Router Redundancy Protocol (VRRP) enabled to ensure service reliable access.

Enterprise Leased Line Interconnections

On the network shown in Figure 1-722, an enterprise has two sites in different places. Each site has three networks: finance, marketing, and others. To ensure network security, users of different networks cannot communicate with each other.

Figure 1-722 Enterprise leased line communication

A carrier deploys the VPLS technology on the IP/MPLS core network and QinQ on the ME network. Three VLANs are assigned for each site to identify the finance, marketing and other departments, and the VLAN ID for finance is 100, for marketing is 200, and for others is 300. An outer VLAN 1000 is encapsulated on a UPE (Packets can be added with different VLAN tags on different UPEs). The sub-interface bound to a VSI on the NPE connected to the UPE is in symmetry mode. In this way, users belonging to the same VLAN in different sites can communicate with each other.

Terminology for QinQ

Terms

Term	Definition
QinQ interface	An interface that can process VLAN frames with a single tag (Dot1q termination) or with double tags (QinQ termination).
VLAN tag termination sub-interface	An interface that identifies the single or double tags in a packet and removes the single or double tags before sending the packets.

Acronyms and Abbreviations

Acronym and Abbreviation	Full Name
QinQ	802.1Q in 802.1Q
VPLS	virtual private LAN service
VLAN	virtual local area network
VSI	virtual switch instance
VPWS	virtual private wire service
QinQ Termination	802.1Q in 802.1Q termination
ARP	Address Resolution Protocol
VRRP	Virtual Router Redundancy Protocol
DHCP	Dynamic Host Configuration Protocol
IPTV	Internet Protocol Television
PVC	Permanent Virtual Connection
VoIP	Voice over Internet Protocol
HSI	high-speed Internet

QinQ Configuration

802.1Q-in-802.1Q (QinQ) is a technology that addresses the shortage of public VLAN ID resources. This technology applies to a number of services in metropolitan area network (MAN) implementation.

Overview of QinQ

The 802.1Q-in-802.1Q (QinQ) technology improves the utilization of VLANs by adding another 802.1Q tag to tagged packets. This technology enables services from private VLANs to be transparently transmitted over the public network. Packets transmitted on the backbone network carry two 802.1Q tags: a public VLAN tag and a private VLAN tag.

QinQ Background

Figure 1-723 Intercommunication between Layer 2 LANs using the traditional IEEE 802.1Q protocol

Since the QinQ technology is easy to use, it has been widely applied on ISP networks. For example, it is used by multiple services on the metro Ethernet.After the emergence of selective QinQ (VLAN stacking), QinQ services became popular with carriers. With selective QinQ, private VLANs and the public VLAN can be separated, and VLAN ID resources can be saved for carrier networks. As the metro Ethernet develops, different vendors propose their own metro Ethernet solutions. QinQ with its simplicity and flexibility, plays important roles in metro Ethernet solutions.

QinQ Definition

Figure 1-724 shows a typical QinQ application. The private VLANs on User Network 1 range from VLAN 100 to VLAN 200, and the private VLANs on User Network 2 range from VLAN 400 to VLAN 500. If a carrier allows VLAN users to communicate over the carrier network, the carrier must assign a different VLAN ID for each VLAN. This requires a large number of VLAN IDs, and user packets are made visible on the carrier network. QinQ allows a network to have a maximum of 4094 x 4094 VLAN IDs. With QinQ, the carrier only needs to provide one VLAN ID for a user network, which saves VLAN ID resources and ensures secure transmission of user packets.

Figure 1-724 Typical QinQ application

Figure 1-724 shows a typical QinQ application. VLAN stacking is a typical application of QinQ on Layer 2 networks.

The advantages of QinQ are described as follows:

Alleviates the intensifying shortage of public VLAN IDs.
Allows users to plan their private VLAN IDs and prevents conflicts with public VLAN IDs.
Provides a simple, flexible Layer 2 VPN solution for small-scale Metropolitan Area Networks (MANs) or the Local Area Networks (LANs).
Allows user networks to retain their configurations after a carrier updates the carrier network.

Basic QinQ Concept

Ethernet Frame, VLAN Frame, and QinQ Packet

Ethernet frame

As shown in Figure 1-725, the Length/Type field is preceded by the Destination address and Source address fields in a traditional Ethernet frame.

Figure 1-725 Traditional Ethernet frame
VLAN frame

IEEE 802.1Q adds an 802.1Q tag to the Ethernet frame. As shown in Figure 1-726, the 4-byte 802.1Q Tag resides between the Source address and Length/Type fields.

Figure 1-726 802.1Q frame
- Type: The 2-byte Type field indicates the frame type. The value 0x8100 indicates an 802.1Q frame. When a device that does not support 802.1Q frames receives an 802.1Q frame, it discards the frame.
- PRI: The 3-bit Priority field indicates the frame priority. The value of the field ranges from 0 to 7. The greater the value, the higher the frame priority. When a switch is congested, higher priority frames are sent preferentially.
- CFI: The 1-bit Canonical Format Indicator (CFI) field indicates whether the MAC address is in canonical format: 0 indicates that the MAC address is in canonical format, 1 indicates that it is not. This field is used to differentiate Ethernet frames, Fiber Distributed Digital Interface (FDDI) frames, and token ring frames. The CFI field value in Ethernet frames is 0.
- VID: The 12-bit VLAN ID (VID) field indicates the VLAN to which the frame belongs. In the NetEngine 8000 F, the VLAN ID ranges from 0 to 4095. Since 0 and 4095 are reserved by the QinQ protocol, the valid value of the VLAN ID ranges from 1 to 4094.
  Each 802.1Q-capable switch sends datagrams carrying a VLAN ID. The VLAN ID identifies the VLAN to which the switch belongs. Ethernet frames can be classified into the following types on a VLAN:
  - Tagged frame: Ethernet frame with a 4-byte 802.1Q tag.
  - Untagged frame: original Ethernet frame without a 4-byte 802.1Q tag.
QinQ packet

A QinQ packet has a fixed format. In the packet, another 802.1Q tag is added before an 802.1Q tag. A QinQ packet is 4–byte longer than a common 802.1Q packet.

Figure 1-727 QinQ packet format
QinQ packets carry two VLAN tags when they are transmitted across a carrier network. The meanings of the two tags are described as follows:
- Inner VLAN tag: private VLAN tag that identifies the VLAN to which a user belongs.
- Outer VLAN tag: public VLAN tag that is assigned by a carrier to a user.

QinQ Encapsulation

QinQ encapsulation is to add another 802.1Q tag to a single-tagged packet. QinQ encapsulation is usually performed on UPE interfaces connecting to users.

QinQ encapsulation can be classified into the following types:

Standard QinQ encapsulation

In a standard QinQ encapsulation, or interface-based QinQ, the device adds an outer tag to all packets entering an interface.

After a QinQ-enabled interface receives a packet, the device adds the default VLAN tag to the packet, regardless of whether the packet carries a VLAN tag. The packet is then forwarded in the VLAN to which the interface belongs. Interface-based QinQ is also called QinQ tunneling.

Interface-based QinQ means that all traffic entering an interface is encapsulated with the same outer VLAN tag. Users are distinguished by the physical interface. However, if multiple users with different VLANs are connected to the same interface, the device cannot distinguish these users. Therefore, interface-based QinQ has its limitations.

For carrier networks that need to distinguish users based on user applications and locations, the selective QinQ provides an ideal solution.
Selective QinQ encapsulation

The selective QinQ encapsulation is also called traffic-based QinQ because the device encapsulates packets with outer tags based on the traffic.

After a selective QinQ-enabled interface receives packets, the device classifies the traffic and decides whether to add outer tags to the packets.

A carrier device can classify traffic based private VLAN tags, VLAN tag+802.1p priority, source IP/MAC address, destination IP/MAC address, IP protocols, or application port numbers. The device then adds outer VLAN tags to the traffic for service differentiation.

Sub-interface for VLAN Tag Termination

In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

After an interface receives a packet with one or two VLAN tags, the device removes the VLAN tags and forwards the packet at Layer 3. The outbound interface decides whether to add one or two VLAN tags to the packet.
Before an interface forwards a packet, the device adds the planned VLAN tag to the packet.

The following section describes the termination types, the VLAN tag termination sub-interfaces, and the applications of VLAN tag termination.

Termination type
VLAN packets are classified into dot1q packets, which carry only one VLAN tag, and QinQ packets, which carry two VLAN tags. Accordingly, there are two VLAN tag termination modes:
- Dot1q termination: terminates packets that carry one VLAN tag.
- QinQ termination: terminates packets that carry two VLAN tags.
VLAN tag termination sub-interfaces
Dot1q/QinQ termination is conducted on sub-interfaces.
- Sub-interface for dot1q VLAN tag termination
  
  A sub-interface that terminates packets carrying one VLAN tag.
- Sub-interface for QinQ VLAN tag termination
  
  A sub-interface that terminates packets carrying two VLAN tags.
  Sub-interfaces for QinQ VLAN tag termination are classified into the following types:
  - Explicit sub-interface for QinQ VLAN tag termination: The pair of VLAN tags specifies two VLANs.
  - Implicit sub-interface for QinQ VLAN tag termination: The pair of VLAN tags specifies two ranges of VLANs.
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of packets that do not contain a VLAN tag, and discard received packets that do not contain a VLAN tag.
Applications of VLAN tag termination
- Inter-VLAN communication
  The VLAN technology is widely used because it allows Layer 2 packets of different users to be transmitted separately. With the VLAN technology, a physical LAN is divided into multiple logical broadcast domains (VLANs). Hosts in the same VLAN can communicate with each other at Layer 2, but hosts in different VLANs cannot. The Layer 3 routing technology is required for communication between hosts in different VLANs. The following interfaces can be used to implement inter-VLAN communication:
  - Layer 3 Ethernet interfaces on routers
    
    Conventional Layer 3 Ethernet interfaces do not identify VLAN packets. After receiving VLAN packets, they consider the packets invalid and discard them. To implement inter-VLAN communication, create Ethernet sub-interfaces on an Ethernet interface and configure the sub-interfaces to remove tags from VLAN packets.
- Communication between devices in the LAN and WAN
  
  Most LAN packets carry VLAN tags. Certain wide area network (WAN) protocols, such as Point-to-Point Protocol (PPP), cannot identify VLAN packets. Before forwarding VLAN packets from a LAN to a WAN, a device needs to record the VLAN information carried in the VLAN packets and then remove the VLAN tags.
  
  When a device receives packets, it adds the locally stored VLAN information to the packets and forwards them to VLAN users.

Configuration Precautions for QinQ

Feature Requirements

Table 1-373 Feature requirements

Feature Requirements	Series	Models
Vlink routes generated on Layer 3 sub-interfaces cannot be IP FRR routes.	NetEngine 8000 F1A	NetEngine 8000 F1A
IP FRR does not support fast switching on QinQ VLAN tag termination sub-interfaces or dot1q VLAN tag termination sub-interfaces. IP FRR does not take effect.	NetEngine 8000 F1A	NetEngine 8000 F1A
Statistics about packets (such as ping packets) delivered by the CPU cannot be collected on a QinQ sub-interface.	NetEngine 8000 F1A	NetEngine 8000 F1A

Summary of QinQ Configuration Tasks

This section describes the QinQ features supported by the NetEngine 8000 F in terms of the QinQ configuration.

The QinQ configuration is described as follows:

A QinQ-enabled device is capable of virtual local area network (VLAN) stacking, which expands VLAN space and reduces the consumption of VLAN ID resources. If selective QinQ is configured, the device can add different outer VLAN tags to packets and transmit the packets.
QinQ supports the following features that meet different configuration requirements:
- Configuring QinQ-based VLAN tag swapping: The device can swap the inner tag with the outer tag in a double-tagged packet.
- Configuring QinQ mapping: The device can map the user VLAN ID in a packet to a carrier VLAN ID.
- Configuring VLAN tag termination sub-interfaces to transmit IP services: Proxy Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP) (DHCP server/DHCP relay), and Virtual Router Redundancy Protocol (VRRP) can be configured on sub-interfaces for QinQ/dot1q VLAN tag termination.
- Configuring VLAN tag termination sub-interfaces to transmit virtual private network (VPN) services: The L2VPN (VPWS/VPLS) and L3VPN can be configured on sub-interfaces for QinQ/dot1q VLAN tag termination.
- Configuring QinQ VLAN tag termination sub-interfaces to support 802.1p mappings: The mappings include the 802.1p-to-DSCP mapping and 802.1p-to-MPLS-EXP mapping.
- Configuring L2VPN access on QinQ stacking sub-interfaces: With this configuration, QinQ stacking sub-interfaces can implement L2VPN (VPWS/VPLS).
QinQ stacking sub-interfaces can be used to solve the problem that one physical interface cannot provide L2VPN access for multiple users.

Access Services Provided by VLAN Tag Termination Sub-Interfaces

Sub-interfaces for QinQ/dot1q VLAN tag termination support IP services (for example, proxy ARP, DHCP, and VRRP), VPN services (for example, L2VPN and L3VPN), 802.1p-to-DSCP mapping, and 802.1p-to-MPLS-EXP mapping. Table 1-374 shows the application scenario of a VLAN tag termination sub-interface providing access services.

Table 1-374 Application scenario of VLAN tag termination sub-interfaces providing access services

Sub-Interface Type	Service Type	Application Scenario
QinQ/Dot1q	Proxy ARP	If users on the same network segment belong to different VLANs, they cannot communicate at Layer 2. To implement communication between VLANs at Layer 3, proxy ARP can be enabled on VLAN tag termination sub-interfaces. For details about proxy ARP, see the chapter "ARP" in the NetEngine 8000 F Feature Description - IP Services.
	DHCP DHCP relay	If the DHCP client and DHCP server belong to different sub-nets, you need to deploy a DHCP relay agent to forward DHCP request packets from the client to the server so that the client can dynamically obtain IP addresses from the DHCP server. DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation. For details about DHCP, see the chapter "DHCP" in the NetEngine 8000 F Feature Description - IP Services.
	VRRP	When a VLAN tag termination sub-interface is used to access a VRRP-enabled, this sub-interface also needs to be enabled with VRRP to ensure reliable and stable communication. For details about VRRP, see the chapter "VRRP" in the NetEngine 8000 F Feature Description - Reliability.
	L2VPN Virtual private wire service (VPWS) Virtual private LAN service (VPLS)	When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication. For details about L2VPN, see the chapters "VPWS" and "VPLS" in the NetEngine 8000 F Feature Description - VPN.
	L3VPN	When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication. For details about L3VPN, see the chapter "BGP/MPLS IP VPN" in the NetEngine 8000 F Feature Description - VPN.
QinQ	802.1p, DiffServ Code Point (DSCP) remark	After a packet is terminated on a PE, the packet is sent to the carrier network. To ensure the completeness of the QoS information in the packet, the 802.1p values in the outer and inner tags need to be mapped to the DSCP remark field.
QinQ	802.1p, EXP (MPLS) remark	After a packet is terminated on a PE, the packet is sent to the carrier MPLS network. To ensure the completeness of the QoS information in the packet, the 802.1p values in the outer and inner tags need to be mapped to the MPLS EXP field.

Figure 1-728 shows how to configure sub-interfaces for QinQ/dot1q VLAN tag termination.

Figure 1-728 Flowchart of configuring sub-interfaces for QinQ/dot1q VLAN tag termination

Differences Between the VLAN Tag Termination Sub-Interface and Dot1q Sub-Interface

Table 1-375 shows the differences between the VLAN tag termination sub-interface and dot1q sub-interface.

Table 1-375 Differences between interfaces

Interface Type	Supported VPN Service				Description	Difference
Interface Type	VPWS (CCC mode)	VPWS	VPLS	L3VPN	Description	Difference
Dot1q sub-interface	Supported	Supported	Supported	Supported	You can run the vlan-type dot1q command to configure an Ethernet sub-interface to be a dot1q sub-interface.	The dot1q sub-interface and dot1q VLAN tag termination sub-interface have the same function. The difference between them is that packets sent from the dot1q sub-interface are encapsulated with only one VLAN tag whereas packets sent from the dot1q VLAN tag termination sub-interface can be encapsulated with multiple VLAN tags. You can configure both dot1q VLAN tag termination sub-interfaces and QinQ VLAN tag termination sub-interfaces on a main interface. With this configuration, the main interface can terminate both single-tagged packets and double-tagged packets. You can configure a dot1q VLAN tag termination sub-interface or a dot1q sub-interface on a main interface to terminate single-tagged packets.
Dot1q VLAN tag termination sub-interface	Supported	Supported	Supported	Supported	You can run the dot1q termination vid command to configure a dot1q VLAN tag termination sub-interface to terminate single-tagged packets. NOTE: VPWS The VLAN tag to be terminated must be a specific value. VPLS The VLAN tag to be terminated can be either a specific value or a value range.
QinQ VLAN tag termination sub-interface	Supported	Supported	Supported	Supported	You can run the qinq termination pe-vid ce-vid command to configure a QinQ VLAN tag termination sub-interface to terminate double-tagged packets. NOTE: VPWS In asymmetrical mode, both VLAN tags to be terminated must be specific values. In asymmetrical mode, the outer VLAN tag to be terminated must be a specific value, but the inner VLAN tag to be terminated can be either a specific value or value range. VPLS In asymmetrical mode, both VLAN tags to be terminated can be either specific values or value ranges. In symmetrical mode, the outer VLAN tag to be terminated must be a specific value, but the inner VLAN tag to be terminated can be either a specific value or value range. You can run the qinq termination l2 command to configure the asymmetrical or symmetrical mode.

Table 1-376 and Table 1-377 show how different types of interfaces process VLAN tags carried in packets to be transmitted across a VPLS network.

Table 1-376 Packet processing on an inbound interface

Inbound Interface Type	Packet Processing for VPLS Network Access
Inbound Interface Type	Ethernet-Encapsulated Packets	VLAN-Encapsulated Packets
Dot1q sub-interface	Tags are stripped.	No action is performed.
Dot1q VLAN tag termination sub-interface	Tags are stripped.	No action is performed.
QinQ VLAN tag termination sub-interface	In symmetric mode, the outer tags are stripped. In asymmetric mode, both inner and outer tags are stripped.	In symmetric mode, no action is performed. In asymmetric mode, both inner and outer tags are stripped and then a different tag is added.
QinQ stacking sub-interface	The outer tag is added.	The outer tag is added.
QinQ mapping sub-interface	The outer tag is replaced.	The outer tag is replaced.

Table 1-377 Packet processing on an outbound interface

Outbound Interface Type	Packet Processing for VPLS Network Access
Outbound Interface Type	Ethernet-Encapsulated Packets	VLAN-Encapsulated Packets
Dot1q sub-interface	A specific tag is added.	The tag is replaced.
Dot1q VLAN tag termination sub-interface	A specific tag is added.	The tag is replaced.
QinQ VLAN tag termination sub-interface	In symmetric mode, outer tags are added. In asymmetric mode, both inner and outer tags are added.	In symmetric mode, outer tags are replaced. In asymmetric mode, one tag is stripped and both inner and outer tags are added.
QinQ stacking sub-interface	The outer tag is stripped.	The outer tag is stripped.
QinQ mapping sub-interface	The outer tag is replaced.	The outer tag is replaced.

To configure VLAN encapsulation or Ethernet encapsulation, run the encapsulation (VSI view) command.

VLAN encapsulation

Each Ethernet frame transmitted between CEs and PEs carries a VLAN tag called a Provider-Tag (P-tag). The tag is a service delimiter required by a carrier for user differentiation.
Ethernet encapsulation

Ethernet frames transmitted between CEs and PEs do not necessarily carry VLAN tags. If an Ethernet frame carries a VLAN tag, the tag is an internal VLAN tag called a User-Tag (U-tag) in user packets. The U-tag is carried in a packet before the packet is sent to a CE. The U-tag is used by the CE to identify the packet, but PEs do not recognize U-tags.

By default, the encapsulation type is VLAN.

Configuring the QinQ Function

A QinQ-enabled device is capable of virtual local area network (VLAN) stacking, which expands VLAN space and reduces the consumption of VLAN ID resources.

Usage Scenario

The major differences between QinQ tunneling and selective QinQ are as follows:

Table 1-378 QinQ tunneling application scenario

QinQ Function	Description	Application Scenario
QinQ tunneling	All data frames that arrive on a QinQ interface are encapsulated with the same outer tag. This encapsulation mode does not distinguish users or services and therefore does not support multi-user and multi-service scenarios.	QinQ tunneling applies where there is no need to distinguish users and services.
Selective QinQ	All data frames that arrive on a QinQ interface can be encapsulated with different VLAN tags that distinguish users or services. This encapsulation mode supports multi-user and multi-service scenarios.	Selective QinQ applies when users and services must be distinguished.

Pre-configuration Tasks

Before configuring the QinQ function, plan user VLANs so that packets from the CE to PE carry one VLAN tag.

Configuring a QinQ Tunnel

After the QinQ tunnel is configured, the interface adds an outer VLAN tag to packets that carry an inner VLAN tag. These packets can then be forwarded on the public network.

Context

Perform the following steps on the device on which the QinQ tunnel is to be configured:

Procedure

Run system-view
The system view is displayed.
Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.

The VLAN ID refers to the value of the outer tag specified in the QinQ tunnel. The VLAN ID ranges from 1 to 4094.
Run quit
Return to the system view.
Run interface interface-type interface-number
The user-side Ethernet interface view is displayed.
(Optional) Run portswitch
The interface is configured as a Layer 2 interface.

Skip this step if the interface is already a Layer 2 interface.
Run port link-type dot1q-tunnel
The interface is configured as a QinQ interface.
Run port default vlan vlan-id
An outer VLAN tag is configured for packets passing through the QinQ Layer 2 interface.

vlan-id must be the same as the VLAN ID created in Step 2.
(Optional) Run qinq protocol ethertype-value
The protocol type of the outer tag is configured.

The value of ethertype-value ranges from 0x0600 to 0xFFFF.

The qinq protocol command takes effect both on double-tagged and single-tagged packets.
Run commit
The configuration is committed.

(Optional) Changing the Ethernet Encapsulation Type of the Outer Tag

When Huawei and non-Huawei devices are connected and QinQ is configured, devices of various vendors set the inner TPID to 0x8100 and set the outer TPID to different values. To allow Huawei and non-Huawei devices to communicate, the Ethernet encapsulation type of the outer tag need be configured.

Context

Perform the following steps on a device on which QinQ tunneling is to be configured:

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number
The view of the Ethernet interface on which the QinQ tunnel function is to be configured is displayed.
Run qinq protocol ethertype-value
The EtherType value in the outer VLAN tag is configured.

(Optional) Configuring Ethernet Interfaces to Retain the Original Outer TPID EtherType Value in Received QinQ Packets

All QinQ-enabled devices use 0x8100 as the inner TPID EtherType value. However, different devices use different outer TPID EtherType values. Upon receiving QinQ packets whose outer TPID EtherType value is not 0x8100 from a non-Huawei device, a Huawei device changes the value to 0x8100 by default. This may result in traffic interruptions. To prevent this issue, configure Ethernet interfaces on the Huawei device to retain the original outer TPID EtherType value in received QinQ packets.

Context

Perform the following steps on a device on which QinQ tunneling is to be configured:

Procedure

Run system-view
The system view is displayed.
Run qinq protocol transport enable
Ethernet interfaces on the target device are configured to retain the original outer TPID EtherType value in received QinQ packets.

Verifying the QinQ Function Configuration

After configuring QinQ, check the detailed information about the outer virtual local area network (VLAN) and the protocol type of the outer VLAN tag.

Prerequisites

QinQ has been configured.

Procedure

Run the display vlan vlan-id command to check detailed information about the outer VLAN.
Run the display interface interface-type interface-number command to check the protocol type of the outer VLAN tag.

Configuring QinQ-based VLAN Tag Swapping

This section describes how to configure QinQ-based virtual local area network (VLAN) tag swapping. This configuration enables a device to swap the inner tag with the outer tag in a double-tagged packet. QinQ-based VLAN tag swapping applies only on double-tagged packets.

Usage Scenario

On the network shown in Figure 1-729, the user-end provider edge (UPE) is connected to multiple customer edges (CEs), and each packet that the UPE receives from the CEs carries two VLAN tags. The outer tag indicates the user, and the inner tag indicates the service. The UPE, however, can only forward packets whose outer tags indicate services and inner tags indicate users. To address this problem, the UPE needs to swap the inner tag with the outer tag in double-tagged packets.

In this situation, configure QinQ-based VLAN tag swapping on the UPE.

Figure 1-729 Networking for QinQ-based VLAN tag swapping

Pre-configuration Tasks

Before configuring QinQ-based VLAN tag swapping, configure user VLANs so that packets received by an interface or sub-interface carry two VLAN tags.

Procedure

Run system-view
The system view is displayed.
Run interfaceinterface-type interface-number
The view of the Ethernet interface on which QinQ-based VLAN tag swapping is to be configured is displayed.
Run vlan-swap enable
VLAN tag swapping is enabled.

After BA classification based on 802.1p values is configured on a VLAN-swap-capable interface, BA classification is implemented based on the 802.1p values of the swapped outer VLAN tag.
Run commit
The configuration is committed.

Checking the Configurations

After configuring QinQ-based VLAN tag swapping, check the configurations.

Run the display current-configuration command to check whether QinQ-based VLAN tag swapping is configured.

Configuring QinQ Mapping

QinQ mapping allows a device to map a user virtual local area network (VLAN) ID to a carrier VLAN ID, shielding different user VLAN IDs in packets.

Usage Scenario

QinQ mapping is deployed on Layer 2 edge devices to map user VLAN IDs in packets from users. The devices map the VLAN IDs in user packets to specified VLAN IDs before forwarding the packets to the public network. QinQ mapping is applicable (but not limited) to the following scenarios:

VLAN IDs deployed in new sites and old sites conflict, but the new sites need to communicate with the old sites.
VLAN ID planning at each site on the public network is different. As a result, the VLAN IDs conflict. These sites, however, do not need to communicate with each other.
VLAN IDs on both ends of the public network are different.

The NetEngine 8000 F supports the following QinQ mapping mode:

1 to 1 QinQ mapping

When a QinQ mapping-enabled sub-interface receives a single-tagged packet, the sub-interface replaces the VLAN ID in the packet with a specified VLAN ID.

After receiving a user-destined Layer 2 multicast packet, a QinQ stacking or QinQ mapping sub-interface that connects to a VPLS network removes the outer tag from the packet, adds the learned inner and outer tags to the packet, and then forwards the packet to a downstream device.

Pre-configuration Tasks

Before configuring QinQ mapping, plan user VLANs so that user packets carry one or two VLAN tags.

Configuring 1 to 1 QinQ Mapping

When a 1 to 1 QinQ mapping-enabled sub-interface receives a single-tagged packet, the sub-interface replaces the virtual local area network (VLAN) ID in the packet with a specified VLAN ID.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a CE-side sub-interface on a PE is displayed.
Run qinq mapping vid vid map-vlan vid map-vid [ vlan-group group-id ]
The sub-interface is configured to map the VLAN ID in a single-tagged packet to a specified VLAN ID.

The original VLAN ID in the single-tagged packet cannot be the same as the outer VLAN ID of packets on any other sub-interfaces.

If the qinq mapping vid command has been run on a sub-interface, any commands related to the QinQ stacking, QinQ termination, or dot1q termination function cannot be configured on the sub-interface.
Run commit
The configuration is committed.

Verifying the QinQ Mapping Configuration

After configuring QinQ mapping functions, verify the configuration.

Prerequisites

QinQ mapping has been configured.

Procedure

Run the display qinq information mapping [ interface interface-type interface-number [.subinterface-number ] ] command to check QinQ mapping information.

Configuring IP Services on a VLAN Tag Termination Sub-Interface

IP services include ,proxy Address Resolution Protocol (ARP) Virtual Router Redundancy Protocol (VRRP), and Dynamic Host Configuration Protocol (DHCP) services. You can deploy IP services on QinQ/dot1q VLAN tag termination sub-interfaces so that users in different VLANs can communicate. This ensures non-stop and reliable connections between the users and the network.

Usage Scenario

Table 1-379 shows the applications of VLAN tag termination sub-interfaces transmitting IP services.

Table 1-379 Application of VLAN tag termination sub-interfaces transmitting IP services

IP service	Application
Proxy ARP	A range of VLANs can connect to a network segment using VLAN tag termination sub-interfaces. However, if users on the same network segment belong to different VLANs, these users cannot communicate at Layer 2, and rely on IP forwarding at Layer 3 to communicate with each other. You can configure VLAN tag termination sub-interfaces to support proxy ARP so that users from different VLANs can communicate.
DHCP	If the DHCP client and DHCP server belong to different sub-nets, you need to deploy a DHCP relay agent to forward DHCP request packets from the client to the server so that the client can dynamically obtain IP addresses from the DHCP server. DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation.
VRRP	Users may require communication with certain networks at any time. Running VRRP on the VLAN tag termination sub-interfaces ensures reliable communication and provides an active/standby mechanism for dot1q or QinQ users.

Proxy ARP, VRRP and DHCP are different types of IP services. Deploy the desired service on the VLAN tag termination sub-interface.

Pre-configuration Tasks

Before you configure a VLAN tag termination sub-interface to transmit IP services, plan user VLANs so that packets received by the VLAN tag termination sub-interface carry one or two VLAN tags.

Configuring a VLAN Tag Termination Sub-interface

A virtual local area network (VLAN) tag termination sub-interface can be a dot1q VLAN tag termination sub-interface or a QinQ VLAN tag termination sub-interface. In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

Context

Applications of VLAN tag termination

Inter-VLAN communication
The VLAN technology is widely used because it allows Layer 2 packets of different users to be transmitted separately. With the VLAN technology, a physical LAN is divided into multiple logical broadcast domains (VLANs). Hosts in the same VLAN can communicate with each other at Layer 2, but hosts in different VLANs cannot. The Layer 3 routing technology is required for communication between hosts in different VLANs. The following interfaces can be used to implement inter-VLAN communication:
- Layer 3 Ethernet interfaces on routers
  
  Conventional Layer 3 Ethernet interfaces do not identify VLAN packets. After receiving VLAN packets, they consider the packets invalid and discard them. To implement inter-VLAN communication, create Ethernet sub-interfaces on an Ethernet interface and configure the sub-interfaces to remove tags from VLAN packets.
Communication between devices in the LAN and WAN

Most LAN packets carry VLAN tags. Certain wide area network (WAN) protocols, such as Point-to-Point Protocol (PPP), cannot identify VLAN packets. Before forwarding VLAN packets from a LAN to a WAN, a device needs to record the VLAN information carried in the VLAN packets and then remove the VLAN tags.

When a device receives packets, it adds the locally stored VLAN information to the packets and forwards them to VLAN users.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be dot1q.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Run either of the following commands:
  - To configure a dot1q VLAN tag termination sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command.
  - To configure a dot1q VLAN tag termination sub-interface and a matching policy for the sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] { 8021p { 8021p-value1 [ to val8021p2 ] } &<1-8> | dscp { valdscp1 [ to valdscp2 ] } &<1-10> | eth-type pppoe | default } [ vlan-group group-id ] command.
  - If you do not configure a matching policy, the dot1q VLAN tag termination sub-interface terminates the VLAN tags of packets carrying the specified VLAN ID. If you configure a matching policy, the sub-dot1q VLAN tag termination sub-interface terminates the VLAN tags of packets carrying the specified VLAN ID+802.1p value/DSCP value/EthType.
  - After the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command is run in the Ethernet sub-interface view, the specified VLAN range belongs to the sub-interface, and any VLAN ID in the VLAN range cannot be configured together with the 802.1p value/DSCP value/EthType on other sub-interfaces.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.

The recent version of the NetEngine 8000 F only supports a VLAN group works in single mode on the QinQ VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid qinq-termination [ local-switch | rt-protocol ] or encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be QinQ.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
5. Run encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be QinQ.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
6. Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the QinQ VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the sub-interface terminates double-tagged packets, and both inner and outer tags must be specific VLAN IDs.
7. Run commit
  
  The configuration is committed.

Configuring IP Services

After a VLAN tag termination sub-interface is configured, you need to configure IP services so that users can access IP services using the VLAN tag termination sub-interface.

Context

Sub-interfaces for VLAN tag termination cannot forward broadcast packets. They automatically discard broadcast packets they receive. To allow VLAN tag termination sub-interfaces to forward broadcast packets, run the arp broadcast enable command on the sub-interfaces to enable the ARP broadcast function.

When an IP packet is sent on a VLAN tag termination sub-interface without a corresponding ARP entry, the following may occur:

If the access device supports automatic forwarding of ARP packets, the packets are forwarded even if the ARP broadcast function is disabled on the VLAN tag termination sub-interface.
If the access device does not support automatic forwarding of ARP packets:
- The system discards the IP packet if the arp broadcast enable command is not configured on the VLAN tag termination sub-interface. In this case, the route with the VLAN tag termination sub-interface as the outbound interface is considered a black hole route.
- If the arp broadcast enable command is configured on the VLAN tag termination sub-interface, the system originates a tagged ARP broadcast packet and forwards it through the VLAN tag termination sub-interface.

When you enable or disable the ARP broadcast function on a VLAN tag termination sub-interface, the routing status of the sub-interface goes Down and then Up. This may result in route flapping on the entire network.

Configure proxy ARP

Configure proxy ARP on the device. For detailed configuration, see the chapter "ARP Configuration" in the HUAWEI NetEngine 8000 F1A series Configuration Guide - IP Services.
Configure DHCP

Configure DHCP on the device. For detailed configuration, see the chapter "DHCP Configuration" in the HUAWEI NetEngine 8000 F1A series Configuration Guide - IP Services.

On a large-scale network, if clients are connected to a server through other devices instead of being directly connected to the server through Ethernet interfaces, a DHCP server based on a global address pool needs to be configured so that the clients can dynamically obtain IP addresses from the router.

DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation.
Configure VRRP

Configure VRRP on the device. For detailed configuration information, see the chapter "VRRP Configuration" in the HUAWEI NetEngine 8000 F1A series Configuration Guide - Reliability.

When you configure a VRRP group on VLAN tag termination sub-interfaces, configure the sub-interfaces to add both inner and outer VLAN tags to VRRP packets to ensure that VRRP packets can be transmitted over VLANs. The master and backup devices can then negotiate with each other using VRRP packets. After you enable VRRP on a VLAN tag termination sub-interface, the sub-interface encapsulates or strips the VLAN tags of VRRP packets so that packets can be transmitted in VLANs.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of the VLAN tag termination sub-interface is displayed.

Configure a VLAN tag termination sub-interface to transmit IP services, as shown in Table 1-380.

Table 1-380 VLAN tag termination sub-interfaces transmitting IP services

Service Type	VLAN Tag Termination Sub-interface	Description
Proxy ARP	Run arp-proxy enable	-
DHCP relay	Run ip address ip-address { mask \| mask-length } An IP address is configured for the interface. Run ip relay address ip-address The IP address of the DHCP server is associated with a DHCP option. Run dhcp select relay DHCP relay is enabled.	-
VRRP	Run dot1q vrrp VRRP is enabled on the dot1q VLAN tag termination sub-interface. Run qinq vrrp VRRP is enabled on the QinQ VLAN tag termination sub-interface.	When you configure VRRP and static ARP on the dot1q VLAN tag termination sub-interface, the QinQ VLAN tag termination sub-interface, or the VLANIF interface, note the following: Do not configure the IP address that matches the static ARP entry on the interface as the VRRP virtual address. Do not configure the virtual address of the VRRP group where the interface resides as the IP address matching the static ARP entry on the interface. Otherwise, incorrect host routes are generated. This affects packet forwarding between devices.

Service Type

VLAN Tag Termination Sub-interface

Description

Proxy ARP

Run arp-proxy enable

DHCP relay

Run ip address ip-address { mask | mask-length }
An IP address is configured for the interface.
Run ip relay address ip-address
The IP address of the DHCP server is associated with a DHCP option.
Run dhcp select relay
DHCP relay is enabled.

VRRP

Run dot1q vrrp

VRRP is enabled on the dot1q VLAN tag termination sub-interface.
Run qinq vrrp

VRRP is enabled on the QinQ VLAN tag termination sub-interface.

When you configure VRRP and static ARP on the dot1q VLAN tag termination sub-interface, the QinQ VLAN tag termination sub-interface, or the VLANIF interface, note the following:

Do not configure the IP address that matches the static ARP entry on the interface as the VRRP virtual address.
Do not configure the virtual address of the VRRP group where the interface resides as the IP address matching the static ARP entry on the interface.

Otherwise, incorrect host routes are generated. This affects packet forwarding between devices.

(Optional) Run arp broadcast enable
ARP broadcast is enabled on the VLAN tag termination sub-interface.
Run commit
The configuration is committed.

Verifying the IP Service Configuration on the VLAN Tag Termination Sub-Interface

After configuring IP services on the VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The configurations of the VLAN tag termination sub-interface to transmit IP services are complete.

Procedure

Run the display dot1q information termination [ interface {interface-name |interface-type interface-number } ] command to check information about the dot1q VLAN tag termination sub-interface.
Run the display qinq information termination [ interface {interface-name|interface-type interface-number } ] command to check information about the QinQ VLAN tag termination sub-interface.
Run the display vrrp command to check information about the VRRP group.
Run the display dhcp relay address all command to check the DHCP configuration on the interface that has DHCP relay enabled.

Configuring a VLAN Tag Termination Sub-interface to Transmit the VPN Service

Virtual private network (VPN) services are classified into L2VPN services and L3VPN services. You can configure VLAN tag termination sub-interfaces on the PEs to connect VPNs to enable the interworking between the CEs and users.

Usage Scenario

Table 1-381 shows a typical application scenario in which VLAN tag termination sub-interfaces transmit VPN services.

Table 1-381 VLAN tag termination sub-interfaces transmitting VPN services

VPN Service	Application
L2VPN	When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication.
L3VPN	When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

Pre-configuration Tasks

Before you configure a VLAN tag termination sub-interface to transmit IP services, plan user VLANs so that packets received by the VLAN tag termination sub-interface carry one or two VLAN tags.

Configuring a VLAN Tag Termination Sub-interface

Context

An increasing number of QinQ encapsulation and termination modes have been developed to distinguish users or services and reduce the use of virtual local area network (VLAN) IDs. These QinQ encapsulation and termination modes enable carriers to implement refined operation.

Users may communicate over various types of Layer 2 virtual private networks (L2VPNs), such as a virtual private wire service (VPWS) or virtual private LAN service (VPLS). To achieve more flexibility in managing packets for these users, you can configure QinQ VLAN tag termination sub-interfaces on edge devices on the L2VPN and configure the attributes of the sub-interfaces to provide L2VPN access.

QinQ VLAN tag termination sub-interfaces can access VPWS or VPLS in symmetrical or asymmetrical mode. User packets are sent to the L2VPN in different modes after being processed by the PE, as described in Table 1-382 and Table 1-383.

Table 1-382 Packet processing on an inbound interface

Inbound Interface Type	VPWS/VPLS
Inbound Interface Type	Ethernet Encapsulation	VLAN Encapsulation
Symmetry mode	Removes the outer tag.	Keeps both inner and outer tags unchanged.
Asymmetrical mode	Removes both inner and outer tags.	Removes both inner and outer tags and adds another tag.

Table 1-383 Packet processing on an outbound interface

Outbound Interface Type	VPWS/VPLS
Outbound Interface Type	Ethernet Encapsulation	VLAN Encapsulation
Symmetry mode	Adds an outer tag.	Replaces the outer tag.
Asymmetrical mode	Adds two tags.	Removes the existing tag, and adds two tags.

To configure VLAN encapsulation or Ethernet encapsulation, run the encapsulation (VSI view) command.

VLAN encapsulation

Each Ethernet frame transmitted between CEs and PEs carries a VLAN tag called a Provider-Tag (P-tag). The tag is a service delimiter required by a carrier for user differentiation.
Ethernet encapsulation

Ethernet frames transmitted between CEs and PEs do not necessarily carry VLAN tags. If an Ethernet frame carries a VLAN tag, the tag is an internal VLAN tag called a User-Tag (U-tag) in user packets. The U-tag is carried in a packet before the packet is sent to a CE. The U-tag is used by the CE to identify the packet, but PEs do not recognize U-tags.

By default, the encapsulation type is VLAN.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be dot1q.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Run either of the following commands:
  - To configure a dot1q VLAN tag termination sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command.
  - To configure a dot1q VLAN tag termination sub-interface and a matching policy for the sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] { 8021p { 8021p-value1 [ to val8021p2 ] } &<1-8> | dscp { valdscp1 [ to valdscp2 ] } &<1-10> | eth-type pppoe | default } [ vlan-group group-id ] command.
  - If you do not configure a matching policy, the dot1q VLAN tag termination sub-interface terminates the VLAN tags of packets carrying the specified VLAN ID. If you configure a matching policy, the sub-dot1q VLAN tag termination sub-interface terminates the VLAN tags of packets carrying the specified VLAN ID+802.1p value/DSCP value/EthType.
  - After the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command is run in the Ethernet sub-interface view, the specified VLAN range belongs to the sub-interface, and any VLAN ID in the VLAN range cannot be configured together with the 802.1p value/DSCP value/EthType on other sub-interfaces.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid qinq-termination [ local-switch | rt-protocol ] or encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be QinQ.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
5. Run qinq termination l2 { asymmetry | symmetry [ user-mode ] }
  
  The termination mode is configured for the QinQ VLAN tag termination sub-interface that provides L2VPN access.
  
  This step takes effect only on QinQ VLAN tag termination sub-interfaces that provide L3VPN access. Therefore, before you configure a QinQ VLAN tag termination sub-interface that provides L2VPN access, configure the termination mode of the sub-interface.
  - If the qinq termination l2 symmetry command is used on a QinQ VLAN tag termination sub-interface, the sub-interface connects to the L2VPN in symmetrical mode. MAC address learning is performed only on the outer tags carried in packets. The sub-interface sends inner tags as part of the data to the peer. To configure QoS for inner tags, run the qinq termination l2 symmetry user-mode command.
  - If the qinq termination l2 asymmetry command is used on a QinQ VLAN tag termination sub-interface, the sub-interface connects to the L2VPN in asymmetrical mode. MAC address learning is performed on both inner and outer tags carried in packets. The sub-interface does not send inner tags as part of the data to the peer.
  - If the qinq termination l2 asymmetry command is run on a QinQ VLAN tag termination sub-interface, the sub-interface can terminate single inner and outer VLAN tags carried in packets but cannot terminate VLAN tag ranges.
6. Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the QinQ VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the sub-interface terminates double-tagged packets, and both inner and outer tags must be specific VLAN IDs.
7. Run commit
  
  The configuration is committed.

(Optional) Configuring a PW-Tag Action

This section describes how to configure a PW-tag action so that a PE changes the P-Tag of packets to be forwarded over a PW in tagged mode to ensure normal communication with non-Huawei devices on an L2VPN network.

Context

On the network shown in Figure 1-730, CE1 and CE2 are connected to the L2VPN network through PE sub-interfaces, PE1 and CE1 are Huawei devices, and PE2 and CE2 are non-Huawei devices.

When a PE transmits multiple services over one PW, the PE adds different P-Tags to packets of different services to isolate the packets on the L2VPN network. When the packets reach the sub-interfaces of another PE on the other end of the PW, each sub-interface accepts only those packets carrying the same P-Tag as that specified on the sub-interface.

However, because the P-Tags on PE1 and PE2 may be different, PE1 cannot communicate with PE2, and users from user networks connected to CE1 and CE2 cannot communicate with each other.

Figure 1-730 Networking for accessing an L2VPN through sub-interfaces

To address the problem, configure a PW-tag action on the user-side sub-interface of PE1. The PE1 sub-interface changes the P-Tag of packets to that on PE2 before forwarding the packets over the PW. This allows PE1 to communicate with PE2.

Table 1-384 provides the default P-Tag values and the P-Tag values after the PW-tag action.

Table 1-384 P-Tag values

Sub-Interface Type	Default P-Tag Value	P-Tag Value After the PW-Tag Action
Dot1q sub-interface	VLAN ID in a packet	New VLAN ID
Dot1q VLAN tag termination sub-interface	VLAN ID in a packet
QinQ VLAN tag termination sub-interface	Outer VLAN ID in a packet
QinQ stacking sub-interface	Minimum VLAN ID in the VLAN ID range specified on the sub-interface
QinQ mapping sub-interface	Fixed VLAN ID in the system

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a user-side sub-interface on a PE is displayed.
Run pw-tag { vlan-id | inner-vlan | outer-vlan } [ 8021p { 8021p-value | inner-vlan | outer-vlan } ]
A PW-tag action is configured so that the sub-interface changes the P-Tag of packets before forwarding the packets over the PW in tagged mode.
Run commit
The configuration is committed.

Configuring VPN Services

After you configure the VLAN tag termination sub-interface, you need to configure VPN services so as to enable users to communicate with each other over an L2VPN or an L3VPN.

Context

When an IP packet is sent on a VLAN tag termination sub-interface without a corresponding ARP entry, the following may occur:

If the access device supports automatic forwarding of ARP packets, the packets are forwarded even if the ARP broadcast function is disabled on the VLAN tag termination sub-interface.
If the access device does not support automatic forwarding of ARP packets:
- The system discards the IP packet if the arp broadcast enable command is not configured on the VLAN tag termination sub-interface. In this case, the route with the VLAN tag termination sub-interface as the outbound interface is considered a black hole route.
- If the arp broadcast enable command is configured on the VLAN tag termination sub-interface, the system originates a tagged ARP broadcast packet and forwards it through the VLAN tag termination sub-interface.

Configure L2VPN.

For configuration details, see "VPWS Configuration" and "VPLS Configuration" in HUAWEI NetEngine 8000 F1A series Configuration Guide - VPN.
Configure L3VPN.

For configuration details, see "BGP MPLS IP VPN Configuration" in HUAWEI NetEngine 8000 F1A series Configuration Guide - VPN.

Perform the following steps on the device that supports VPN services:

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of the VLAN tag termination sub-interface is displayed.

Configure a VLAN tag termination sub-interface to transmit VPN services, as shown in Table 1-385.

Table 1-385 VLAN tag termination sub-interfaces transmitting VPN services

Service Type	VLAN Tag Termination Sub-interface	Description
VPWS	Run the mpls l2vc { ip-address \| pw-template templateName } ^* pwId [ [ control-word [seq-number]\| no-control-word ] \|[ip-interworking \| ip-layer2] \| tunnel-policy policy-name [ { endpoint endpoint-address \| [ endpoint endpoint4-address ] } color color-value ] \| [ secondary \| bypass ]\| ignore-standby-state \| max-atm-cells max-atm-cell-value\| atm-pack-ovetime atm-pack-overtime-value \| transmit-atm-cells transmit-atm-cells-value ] ^* command to create a VPWS PW.	ip-interworking must be configured when Huawei devices interwork with each other over heterogeneous media. ip-layer2 must be configured when Huawei devices interwork with non-Huawei devices over heterogeneous media.
VPLS	Run the l2 binding vsi vsi-name command to bind the VLAN tag termination sub-interface to a VSI.	-
L3VPN	Run the ip binding vpn-instance vpn-instance-name command to bind the VLAN tag termination sub-interface to a VPN instance.	-

(Optional) Run arp broadcast enable
The ARP broadcast function is enabled on the VLAN tag termination sub-interface.

This step takes effect only on QinQ VLAN tag termination sub-interfaces that provide L3VPN access.
Run commit
The configuration is committed.

Verifying the VPN Service Configuration on the VLAN Tag Termination Sub-interface

After you configure VPN services on the VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The configurations of the VLAN tag termination sub-interface to transmit VPN services are complete.

Procedure

Run the display dot1q information termination [ interface {interface-name |interface-type interface-number } ] command to check information about the dot1q VLAN tag termination sub-interface.
Run the display qinq information termination [ interface {interface-name|interface-type interface-number } ] command to check information about the QinQ VLAN tag termination sub-interface.
View the configuration of the L2VPN in CCC mode.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information about the CCC connection.
- Run the display l2vpn ccc-interface vc-type ccc [ up | down ] command to check information about the interface in the Up or Down state.
View the configuration of the L2VPN in LDP mode.
- Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command to check Martini VLL connection information on the local PE.
- Run the display mpls l2vc remote-info [ vc-id ] command to check information about the remote Martini MPLS L2VPN connection on the PE.
Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check VPN instance information.
Run the display bgp [ vpnv4 vpn-instance vpn-instance-name ] peer command to check information about BGP peers.

Configuring Multicast Services on a VLAN Tag Termination Sub-interface

With the wide use of multicast services on the Internet, you need to deploy sub-interfaces for QinQ/dot1q VLAN tag termination to process the user packets carrying a single tag or double tags for multicast services. In this manner, the UPE can maintain information about the outbound interface of multicast packets according to the established multicast forwarding table to ensure the normal communications between hosts and the multicast source.

Usage Scenario

On the network shown in Figure 1-731, Layer 2 multicast and Layer 3 multicast services are deployed.

Layer 2 multicast

After being bound to a Virtual Switching Instance (VSI) and enabled with Internet Group Management Protocol (IGMP) snooping, the sub-interface for QinQ/dot1q VLAN tag termination can listen IGMP messages exchanged between the multicast device and hosts, and therefore can learn which interfaces have multicast receivers. In this case, multicast packets are transmitted on the Layer 2 network in multicast mode rather than broadcast mode, and consequently received only by members of the multicast group.
Layer 3 multicast

Multicast protocol packets with double tags are sent from the UPE to the upper network. After the sub-interface for QinQ or dot1q VLAN tag termination is configured on the UPE, the UPE creates the forwarding table and the routing table. When receiving multicast protocol packets from hosts, the UPE can identify the packets and correctly forward the packets. Based on the established multicast forwarding table, the UPE can replicate and deliver multicast packets correctly.

Here, Layer 3 multicast mainly refers to IGMP.

Figure 1-731 Networking diagram of the multicast service on termination sub-interfaces

Pre-configuration Tasks

Before configuring the sub-interface for VLAN tag termination to access the multicast service, complete the following tasks:

Ensuring that devices are correctly connected and that the physical interfaces of each device are in the Up state.
Configuring the correct VLANs of users to enable the packets received by the sub-interface for VLAN tag termination to carry one or double tags.

Configuring a VLAN Tag Termination Sub-interface

A VLAN tag termination sub-interface can be a dot1q VLAN tag termination sub-interface or a QinQ VLAN tag termination sub-interface. In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be dot1q.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Run dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the dot1q VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the dot1q VLAN tag termination sub-interface terminates packets carrying a fixed-value VLAN tag.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of an Ethernet sub-interface on the user side of a PE is displayed
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the Ethernet sub-interface on the user side of the PE.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid qinq-termination [ local-switch | rt-protocol ] or encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The encapsulation type for a VLAN tag termination sub-interface is configured to be QinQ.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
5. Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the QinQ VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the QinQ VLAN tag termination sub-interface terminates packets carrying two fixed-value VLAN tags.
6. Run commit
  
  The configuration is committed.

Configuring Multicast Services

After a dot1q or QinQ VLAN tag termination sub-interface is configured, configure multicast services for the sub-interface so user hosts of this sub-interface can communicate with multicast sources.

Procedure

Run system-view
The system view is displayed.
Run interfaceinterface-type interface-number.subinterface-number
The dot1q or QinQ VLAN tag termination sub-interface view is displayed.

Perform the actions described in Table 1-386 to configure the multicast service for the dot1q or QinQ VLAN tag termination sub-interface.

Table 1-386 Configuring the multicast service for a dot1q or QinQ VLAN tag termination sub-interface

Service Type	Action	Remarks
Layer 2 multicast	Run igmp-snooping static-router-portvsivsi-name The dot1q or QinQ VLAN tag termination sub-interface is configured as a static router interface for a virtual switching instance (VSI).	The VSI specified in the command must have been bound to the dot1q or QinQ VLAN tag termination.
	Configure the dot1q or QinQ VLAN tag termination sub-interface as a static multicast member interface for a VSI: In the dot1q VLAN tag termination sub-interface view, run the l2-multicast static-group [ source-address source-address-ip-address ] group-address group-address dot1q vid vid vsi vsi-name command. In the QinQ VLAN tag termination sub-interface view, run the l2-multicast static-group [ source-address source-address-ip-address ] group-address group-address qinq pe-vid pe-vid ce-vid ce-id vsi vsi-name command.	The VSI specified in the command must have been bound to the dot1q or QinQ VLAN tag termination.
	Run igmp-snooping group-policy { acl-number \| acl-nameacl-name } [ versionnumber ] { qinqpe-vidpe-vidce-vidce-id1 [ toce-id2 ] \| dot1qvidvid1 [ tovid2 ] } The range of multicast groups that hosts can join is configured.	-
Layer 3 multicast	Run igmp static-groupStaticGrp [ inc-step-mask { IncStepGrpMask \| IncStepGrpMaskLen } numberTotalNum ] [ sourceSourceAddr ] { qinq pe-vid peVidValue ce-vid lowCeValue [ to highCeValue ] \| dot1qvid lowVidValue [ tohighVidValue] } The dot1q or QinQ VLAN tag termination sub-interface is added to a specific multicast group or multiple multicast groups in batches.	The static group with tag parameters can be configured only on the QinQ VLAN tag termination sub-interface or the dot1q VLAN tag termination sub-interface.

Run commit
The configuration is committed.

Verifying the Multicast Service Configuration on the VLAN Tag Termination Sub-interface

After configuring multicast services on a dot1q or QinQ VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The multicast services have been configured for a dot1q or QinQ VLAN tag termination sub-interface.

Procedure

Run the display dot1q information termination [ interface {interface-name | interface-type interface-number }] command to check information about the dot1q VLAN tag termination sub-interface.
Run the display qinq information termination [ interface {interface-name|interface-type interface-number } ] command to check information about the QinQ VLAN tag termination sub-interface.
Run the display igmp-snooping querier { vsi vsi-name | vlan vlan-id } command to check whether the IGMP querier is configured successfully.
Run the display igmp-snooping router-port { vsi vsi-name | vlan vlan-id } command to check whether a static router interface has been configured successfully.
Run the display igmp-snooping port-info [ { vlan vlan-id | vsi vsi-name } [ group-address group-address ] ] [slot slot-id] [ verbose ] command to check information about Layer 2 multicast interfaces.
Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] interface [ interface-type interface-number ] [ verbose ] command to check IGMP configurations on an interface.
Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] group [ group-address | interface interface-type interface-number ] [ verbose ] command to check information about IGMP multicast groups.

Configuring a QinQ VLAN Tag Termination Sub-Interface to Support 802.1p Mapping

After tags are terminated on the PEs, packets are sent to the carrier IP or MPLS network. To ensure inclusion of all the required Quality of Service (QoS) information in the packets, the 802.1p values in outer and inner tags must be mapped to the DSCP fields or the EXP fields.

Usage Scenario

QinQ VLAN tag termination can be used to implement the 802.1p and DSCP remark.

Relevant standards specify that the six bits of the Type of Service (ToS) field in an IPv4 packet header serve as the DiffServ Code Point (DSCP). DSCP provides a reference for differentiated services (DiffServ) and is used for QoS guarantee on the IP network.

With QinQ VLAN tag termination, a tagged packet is terminated on the PE before it is sent to the carrier IP network. In this scenario, you need to configure the mapping relationship between the 802.1p values in outer and inner tags and the DSCP field to ensure that all the required QoS information is included in the packet.
QinQ VLAN tag termination can be used to implement the 802.1p and EXP remark.

The EXP field in an MPLS packet is used for Class of Service (CoS) to implement traffic control on the gateway.

With QinQ VLAN tag termination, a tagged packet is terminated on the PE before it is sent to the carrier MPLS network. In this scenario, you need to configure the mapping relationship between the 802.1p values in outer and inner tags and the EXP field to ensure that all the required QoS information is included in the packet.

Pre-configuration Tasks

Before you configure a VLAN tag termination sub-interface to transmit IP services, plan user VLANs so that packets received by the VLAN tag termination sub-interface carry one or two VLAN tags.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of an Ethernet sub-interface on the user side of a PE is displayed.
Run encapsulation qinq-termination [ local-switch | rt-protocol ]
QinQ termination is configured as the encapsulation type of the sub-interface.
- Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
- Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ]
The VLAN tag termination function is configured for the QinQ VLAN tag termination sub-interface.

After you specify rt-protocol, the sub-interface terminates double-tagged packets, and both inner and outer tags must be specific VLAN IDs.
Run qinq 8021p-mode { trust { ce-vid-8021p | pe-vid-8021p } | precedence-value }

Verifying the Configuration

After a QinQ VLAN tag termination sub-interface is configured to support 802.1p mapping, run the display qinq information termination [ interface interface-type interface-number [ .subinterface-number ] ] command on the PE to check detailed configurations on the QinQ VLAN tag termination sub-interface.

Configuring an L2VPN Service on a QinQ Stacking Sub-interface

To enable a physical interface to provide multiple users with access to an L2VPN, configure a QinQ stacking sub-interface and bind it to a VSI or L2VC.

Usage Scenario

In early stages, QinQ was primarily deployed on CEs on Layer 2 networks. VLAN tags are added to packets using VLAN stacking and services are forwarded on Layer 2 networks based on the outer VLAN tags. QinQ stacking sub-interfaces are configured on PEs to identify user VLANs and add outer VLAN tags to Layer 2 frames.

This implementation, however, faces a problem that one physical interface cannot provide L2VPN access to multiple users. To address this problem, you can configure a QinQ stacking sub-interface and bind it to a VSI or L2VC to provide L2VPN access to multiple users.

QinQ stacking sub-interfaces cannot forward packets at Layer 2 and must be deployed with the L2VPN.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

Pre-configuration Tasks

Before you configure the QinQ stacking sub-interface provide L2VPN access, plan user VLANs properly so that packets received by QinQ stacking sub-interfaces carry one VLAN tag.

Configuring a QinQ Stacking Sub-interface

This section describes how to configure a QinQ stacking sub-interface on a provider edge (PE) to provide Layer 2 virtual private network (L2VPN) access so that the inner virtual local area network (VLAN) tags of user packets are transparently transmitted over a carrier network.

Context

After you enable QinQ stacking on an Ethernet sub-interface:

When the QinQ stacking sub-interface receives a packet, the sub-interface checks whether the VLAN ID or VLAN range in the VLAN tag of the packet matches the VLAN ID or VLAN range specified using the qinq stacking vid command. If they are consistent, the sub-interface adds an outer VLAN tag to the packet.
- If the packet carries one VLAN tag and the VLAN ID in the tag is in the VLAN range specified by low-ce-vid [ to high-ce-vid ] in the qinq stacking vid command, the sub-interface adds an outer VLAN tag to the packet. If the VLAN ID in the VLAN tag is not in the specified VLAN range, the sub-interface discards the packet.
- If the packet carries two VLAN tags and the VLAN ID in the outer tag is in the VLAN range specified by low-ce-vid [ to high-ce-vid ] in the qinq stacking vid command, the sub-interface adds another outer VLAN tag to the packet and forwards the packet. In this case, the inner VLAN tag is transmitted transparently. If the VLAN ID in the outer tag is not in the specified VLAN range, the sub-interface discards the packet.
- If the packet does not carry any VLAN tag, the sub-interface directly discards the packet.
When the QinQ stacking sub-interface sends a packet, the sub-interface strips the outer VLAN tag of the packet.

After you run the qinq stacking vid command on an Ethernet sub-interface:

If you do not run the qinq stacking pe-vid pe-vid command to specify an outer VLAN tag to be added to packets, the Ethernet sub-interface will add a default outer VLAN tag to received packets.

The default outer VLAN tag is assigned by the device and cannot be modified.
If you run the qinq stacking pe-vid pe-vid command to specify an outer VLAN tag to be added to packets, the Ethernet sub-interface will add the specified outer VLAN tag to received packets.

Before you run the qinq stacking pe-vid pe-vid command on an Ethernet sub-interface, you must run the qinq stacking vid command on the sub-interface. Otherwise, the QinQ stacking function does not take effect.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of an Ethernet sub-interface on the user side of a PE is displayed.
(Optional) Create a user VLAN group.
1. Run vlan-group group-id
  
  A user VLAN group is created.
2. Run group mode { single | multiple }
  
  The working mode of the VLAN group is configured.
  - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
  - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
3. Run quit
  
  Return to the view of the Ethernet sub-interface on the user side of the PE.
Configuring a VLAN group allows you to achieve the following purposes:
- Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
- View statistics about QinQ packets to check whether a device is functioning properly.
Run either of the following commands:
- To configure a QinQ stacking sub-interface, run the qinq stacking vid low-ce-vid [ to high-ce-vid ] [ vlan-group group-id ] command.
- To configure a QinQ stacking sub-interface and a matching policy for the sub-interface based on VLAN ID+8021.p value/DSCP value/EthType, run the qinq stacking vid low-ce-vid [ to high-ce-vid ] { 8021p { val8021p1 [ to val8021p2 ] } &<1-8> | dscp { dvaldscp1 [ to valdscp2 ] } &<1-10> | eth-type eth-type-value | default } [ vlan-group group-id ] command.
- If you have run the vlan-group command to configure a VLAN group on the sub-interface, specify vlan-group in the preceding commands.
- If you have not run the vlan-group command to configure a VLAN group on the sub-interface, do not specify vlan-group in the preceding commands.
- If you configure QinQ stacking on Ethernet sub-interfaces on an interface, specify a unique ce-vid value for each sub-interface.
- If you do not configure a matching policy, the QinQ stacking sub-interface adds an outer VLAN tag to packets based on the specified VLAN range. If you configure a matching policy, the QinQ stacking sub-interface adds an outer VLAN tag to packets based on the specified VLAN ID+802.1p value/DSCP value/EthType.
(Optional) Run qinq stacking pe-vid pe-vid
The QinQ stacking sub-interface is enabled to add a specified outer VLAN tag to received packets.

If you skip this step, the QinQ stacking sub-interface will add a system-assigned outer VLAN tag to received packets.
Run commit
The configuration is committed.

(Optional) Configuring a PW-tag Action

Context

On the network shown in Figure 1-732, CE1 and CE2 are connected to the L2VPN network through PE sub-interfaces, PE1 and CE1 are Huawei devices, and PE2 and CE2 are non-Huawei devices.

However, because the P-Tags on PE1 and PE2 may be different, PE1 cannot communicate with PE2, and users from user networks connected to CE1 and CE2 cannot communicate with each other.

Figure 1-732 Networking for accessing an L2VPN through sub-interfaces

Table 1-387 provides the default P-Tag values and the P-Tag values after the PW-tag action.

Table 1-387 P-Tag values

Sub-Interface Type	Default P-Tag Value	P-Tag Value After the PW-Tag Action
Dot1q sub-interface	VLAN ID in a packet	New VLAN ID
Dot1q VLAN tag termination sub-interface	VLAN ID in a packet
QinQ VLAN tag termination sub-interface	Outer VLAN ID in a packet
QinQ stacking sub-interface	Minimum VLAN ID in the VLAN ID range specified on the sub-interface
QinQ mapping sub-interface	Fixed VLAN ID in the system

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a user-side sub-interface on a PE is displayed.
Run pw-tag { vlan-id | inner-vlan | outer-vlan } [ 8021p { 8021p-value | inner-vlan | outer-vlan } ]
A PW-tag action is configured so that the sub-interface changes the P-Tag of packets before forwarding the packets over the PW in tagged mode.
Run commit
The configuration is committed.

Configuring an L2VPN Service

Layer 2 virtual private network (L2VPN) services include virtual private wire service (VPWS) and virtual private LAN service (VPLS). After you configure QinQ stacking sub-interfaces, bind these sub-interfaces to a virtual switching instance (VSI) or VPWS instance to provide L2VPN access for users.

Context

For configuration details, see "VPWS Configuration" and "VPLS Configuration" in HUAWEI NetEngine 8000 F1A series Configuration Guide - VPN.

If you use QinQ stacking sub-interfaces to provide VPWS access, the number of VLANs on both ends of the VPWS must be the same.

Perform the following steps on the device on which an L2VPN is to be configured.

Procedure

Run system-view
The system view is displayed.
Run interfaceinterface-type interface-number.subinterface-number
The view of the QinQ stacking sub-interface is displayed.

Configure a QinQ stacking sub-interface to provide L2VPN access, as shown in Table 1-388.

Table 1-388 QinQ stacking sub-interfaces providing L2VPN access

Service Type	QinQ Stacking Sub-interface Configuration	Description
VPWS	Run the mpls l2vc { ip-address \| pw-template pw-template-name } ^* vc-id [ tunnel-policy policy-name [ { endpoint endpoint-address \| [ endpoint endpoint4-address ] } color color-value ] \| [ control-word \| no-control-word ] \| [ raw \| tagged \| ip-interworking \| ip-layer2 ] \| access-port \| [secondary \| bypass] ignore-standby-state ] ^* command to create a VPWS PW.	ip-interworking must be configured when Huawei devices interwork with each other over heterogeneous media. ip-layer2 must be configured when Huawei devices interwork with non-Huawei devices over heterogeneous media.
VPLS	Run the l2 binding vsi vsi-name command to bind the VLAN tag termination sub-interface to a VSI.	-

Run the qinq stacking client-mode single command to enable a QinQ stacking sub-interface to learn the MAC address mapped to the smallest VLAN ID among all VLAN ranges that share the MAC address when the sub-interface accesses VPLS services.

Run commit
The configuration is committed.

Verifying the L2VPN Service Configuration on the QinQ Stacking Sub-interface

After you configure an L2VPN service on a QinQ stacking sub-interface, verify the configuration

Prerequisites

The configurations of the sub-interface for QinQ stacking to provide L2VPN access are complete.

Procedure

Run the display qinq information stacking [ interface interface-type interface-number [ .subinterface-number ] ] command to check QinQ stacking information.
View the configuration of the L2VPN in CCC mode.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information about the CCC connection.
- Run the display l2vpn ccc-interface vc-type ccc [ up | down ] command to check information about the interface in the Up or Down state.
View the configuration of the L2VPN in LDP mode.
- Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command to check Martini VLL connection information on the local PE.
- Run the display mpls l2vc remote-info [ vc-id ] command to check information about the remote Martini MPLS L2VPN connection on the PE.

Configuring a User-VLAN Sub-interface on a BRAS's User-Side Interface

When VLAN users access an IP core network through a BRAS, the IP core network cannot identify users' VLAN tags. In this situation, configure a user-VLAN sub-interface on the BRAS to remove the VLAN tags carried in the user VLAN packets.

Context

Usage Scenario

If a Layer 2 network connects to an IP core network through a BRAS, it is recommended that you configure a dot1q or QinQ VLAN tag termination sub-interface on the BRAS to remove the VLAN tags before sending user VLAN packets to the IP core network.

If a Layer 3 network connects to an IP core network through a BRAS, it is recommended that you configure a dot1q or QinQ VLAN tag termination sub-interface on the BRAS to remove the VLAN tags before sending user VLAN packets to the IP core network.

This configuration applies only to user access scenarios.

Pre-configuration Tasks

Before configuring a user-VLAN sub-interface on a BRAS's user-side interface, correctly plan the user VLANs to allow the user packets that the sub-interface receives to carry one or two VLAN tags.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a BRAS's user-side Ethernet sub-interface is displayed.
(Optional) Run qinq-vlan pe-vlan description description
A description is configured for the outer VLAN tag carried in double-tagged packets received by the sub-interface.

When users send double-tagged VLAN packets to go online in batches through a BRAS, with the outer VLAN tag representing services and the inner VLAN tag representing users, to learn only the users' service information, configure a description for the outer VLAN tag carried in double-tagged packets received by the BRAS's user-side sub-interface.
Run user-vlan { start-vlan-id [ end-vlan-id ] | [ cevlan ] } qinq { start-pe-vlan [ end-pe-vlan ] | [ pevlan ] }
The Ethernet sub-interface is configured as a user-VLAN sub-interfaced, and the user-VLAN view is displayed.
(Optional) Run vlan vlan-id [ qinq pe-vlan ] description description
A description is configured for the user VLAN.

In VS mode, this command is supported only by the admin VS.

To learn not only online service information but also user information, configure a user VLAN description.

Verifying the Configuration

Run the display sub-interface interface-type interface-number pevlan pevlan [ cevlan cevlan ] command to check information about user-VLAN sub-interfaces.

In VS mode, this command is supported only by the admin VS.

Maintaining QinQ

This section describes how to clear statistics about QinQ packets and monitor the QinQ operating status.

Clearing QinQ Statistics

Clear existing QinQ packet statistics before you are able to collect statistics about QinQ packets for a specific period of time.

Context

Statistics about QinQ packets cannot be restored after they are cleared. Exercise caution before you decide to clear the statistics.

To clear QinQ packet statistics, run the following command in the user view:

Procedure

Run the reset qinq statistics interface interface-type interface-number.subinterface-number vlan-group group-id command to clear statistics about QinQ packets on the specified interface.

Monitoring the QinQ Operating Status

This section describes how to monitor the QinQ operating status.

Context

In routine maintenance, you can run the commands in any view to view the QinQ operating status.

Procedure

Run the display qinq statistics [interface {interface-type interface-number | interface-name } [ vlan-group group-id ] ] [ verbose ] command to view QinQ packet statistics.
The statistic enable command must be run in the VLAN group view to enable the function of collecting QinQ packet statistics based on VLAN groups before you run the display qinq statistics command to view the number of QinQ packets sent or received by the sub-interface. These statistics help you deploy QoS policies or locate problems. If the function of collecting QinQ packet statistics is disabled, you cannot view the statistics on the sub-interface.
Run the display vlan-group [ group-id ] interface { interface-name |interface-type interface-number } command to view the number of VLAN groups and the configurations of each VLAN group on the specified interface.

Configuration Examples for QinQ

This section describes the QinQ application details, including networking requirements, configuration roadmap, and data preparation, and provides related configuration files.

Example for Configuring a QinQ Tunnel

After a QinQ tunnel is configured, an enterprise can set up its own VLANs based on the QinQ tunnel. Branch offices of the same enterprise in different locations can communicate with each other through the VLANs. Offices of different enterprises cannot communicate.

Networking Requirements

On the network shown in Figure 1-733, enterprise 1 has three offices and enterprise 2 has two offices. Offices of enterprise 1 and enterprise 2 are connected to PE1 and PE2 on the carrier network. Enterprise 1 and enterprise 2 each have a VLAN.

You can configure QinQ tunnels on PE1 and PE2 so that offices of the same enterprise (enterprise 1 or enterprise 2) can interwork but offices of different enterprises (enterprise 1 and enterprise 2) cannot interwork.

Figure 1-733 Typical networking of the QinQ tunnel

Interfaces 1 through 4 in this example represent GE 0/1/1, GE 0/1/9, GE 0/1/17, and GE 0/1/25, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure an outer VLAN tag for QinQ packets.
Configure a QinQ tunnel so that packets exchanged between VLAN users become double-tagged QinQ packets after passing through the QinQ tunnel.
Configure interfaces on which the QinQ tunnel is not enabled. These interfaces allow packets carrying the specified outer VLAN tags to pass through so that users from different VLANs of the same enterprise can communicate.

Data Preparation

To complete the configuration, you need the following data:

Number of the interface connecting to enterprise 1 and enterprise 2
Outer VLAN tag of the QinQ interface connecting to enterprise 1 and enterprise 2

Procedure

Create an outer VLAN tag for the QinQ tunnel.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] vlan batch 10 20

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] vlan batch 10 20

Configure the QinQ tunnel function.

# Configure PE1.

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] portswitch

[*PE1-GigabitEthernet0/1/1] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/1/1] port default vlan 10

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] interface gigabitethernet 0/1/9

[*PE1-GigabitEthernet0/1/9] portswitch

[*PE1-GigabitEthernet0/1/9] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/1/9] port default vlan 20

[*PE1-GigabitEthernet0/1/9] undo shutdown

[*PE1-GigabitEthernet0/1/9] quit

[*PE1] interface gigabitethernet 0/1/17

[*PE1-GigabitEthernet0/1/17] portswitch

[*PE1-GigabitEthernet0/1/17] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/1/17] port default vlan 10

[*PE1-GigabitEthernet0/1/17] undo shutdown

[*PE1-GigabitEthernet0/1/17] quit

[*PE1] commit

# Configure PE2.

[*PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] portswitch

[*PE2-GigabitEthernet0/1/1] port link-type dot1q-tunnel

[*PE2-GigabitEthernet0/1/1] port default vlan 20

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] interface gigabitethernet 0/1/9

[*PE2-GigabitEthernet0/1/9] portswitch

[*PE2-GigabitEthernet0/1/9] port link-type dot1q-tunnel

[*PE2-GigabitEthernet0/1/9] port default vlan 10

[*PE2-GigabitEthernet0/1/9] undo shutdown

[*PE2-GigabitEthernet0/1/9] quit

[*PE2] commit

Configure other interfaces.

# Allow the packets from VLAN 10 and VLAN 20 to pass through GE 0/1/25 on PE1.

[~PE1] interface gigabitethernet 0/1/25

[*PE1-GigabitEthernet0/1/25] portswitch

[*PE1-GigabitEthernet0/1/25] port link-type trunk

[*PE1-GigabitEthernet0/1/25] port trunk allow-pass vlan 10 20

[*PE1-GigabitEthernet0/1/25] undo shutdown

[*PE1-GigabitEthernet0/1/25] quit

[*PE1] commit

# Allow the packets from VLAN 10 and VLAN 20 to pass through GE 0/1/17 on PE2.

[~PE2] interface gigabitethernet 0/1/17

[*PE2-GigabitEthernet0/1/17] portswitch

[*PE2-GigabitEthernet0/1/17] port link-type trunk

[*PE2-GigabitEthernet0/1/17] port trunk allow-pass vlan 10 20

[*PE2-GigabitEthernet0/1/17] undo shutdown

[*PE2-GigabitEthernet0/1/17] quit

[*PE2] commit

Verify that the following conditions are true:
Hosts in different offices on the same VLAN of enterprise 1 can ping each other.

Hosts in different offices on the same VLAN of enterprise 2 can ping each other.

Host of enterprise 1 cannot ping hosts of enterprise 2.

Configuration Files

Configuration file of PE1

#
 sysname PE1
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/1/9
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 20
#
interface GigabitEthernet0/1/17
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/1/25
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Configuration file of PE2

#
 sysname PE2
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 20
#
interface GigabitEthernet0/1/9
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/1/17
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Example for Configuring the Compatibility of the EtherType Field in the Outer Tag of QinQ Packets

This example shows how to configure the EtherType of an outer tag to enable the interworking between Huawei devices and non-Huawei devices.

Networking Requirements

PE2 is a Huawei device. PE1 and CE1 are non-Huawei devices. CE2 is a non-Huawei switch. Figure 1-734 shows the networking and the EtherType value in the outer tag of QinQ packets. In this situation, you can enable Huawei devices and non-Huawei devices to interwork with each other by setting the EtherType value in the outer tag of the interface on PE2.

Figure 1-734 Networking of configuring the compatibility of the EtherType field in the outer tag of QinQ packets

Interfaces 1 and 2 in this example represent GE 0/1/0 and GE 0/1/8, respectively.

Device Name	EtherType Value in the Outer Tag	Device Name	EtherType Value in the Outer Tag
PE1	0x9100	CE1	0x8100
PE2	0x8100	CE2	0x9100

Configuration Roadmap

The configuration roadmap is as follows:

Configure interfaces of PE2 that connect to the CEs as Layer 2 interfaces to ensure Layer 2 connectivity.
Configure the compatibility of the EtherType field in the outer tag of QinQ packets on the interface of PE2 that connects to CE2 to ensure that Huawei devices and non-Huawei devices can interwork with each other.

Data Preparation

To complete the configuration, you need the following data:

Name of the physical interface through which PE2 connects to non-Huawei devices
EtherType encapsulation value in the outer tag of non-Huawei devices

Procedure

Configure interfaces of PE2 that connect to the CEs as Layer 2 interfaces.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface gigabitethernet 0/1/0

[*PE2-GigabitEthernet0/1/0] portswitch

[*PE2-GigabitEthernet0/1/0] undo shutdown

[*PE2-GigabitEthernet0/1/0] quit

[*PE2] interface gigabitethernet 0/1/8

[*PE2-GigabitEthernet0/1/8] portswitch

[*PE2-GigabitEthernet0/1/8] undo shutdown

[*PE2-GigabitEthernet0/1/8] quit

[*PE2] commit

Configure the compatibility of the EtherType field in the outer tag of QinQ packets on the interface of PE2 that connects to CE2.

[~PE2] interface gigabitethernet 0/1/0

[*PE2-GigabitEthernet0/1/0] qinq protocol 9100

[*PE2-GigabitEthernet0/1/0] quit

[*PE2] commit

Verify the configuration.

After the configurations are complete, run the display this command on GE 0/1/0 of PE2. The command output shows the information of the interface.

Run the display interface interface-type interface-number command on PE2. The command output shows the EtherType value of the outer VLAN tag.

[~PE2] display interface gigabitethernet0/1/0

GigabitEthernet0/1/0 current state : UP
Line protocol current state : UP (ifindex: 12)
Description: HUAWEI, Quidway Series, GigabitEthernet0/1/0 Interface
Switch Port, TPID : 9100(Hex), The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc12-3456
Last physical up time   : 0000-00-00 00:00:00
Last physical down time : 0000-00-00 00:00:00
Current system time: 2012-06-28 03:59:19
Statistics last cleared:never
    Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
    Input peak rate 0 bits/sec, Record time: -
    Output peak rate 0 bits/sec, Record time: -
    Input: 0 bytes, 0 packets
    Output: 0 bytes, 0 packets
    Input:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 0 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets, InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 0 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
      System: 0 packets, Overruns: 0 packets
      TxPause: 0 packets
    Last 300 seconds input utility rate:  0.00%
    Last 300 seconds output utility rate: 0.00%

Configuration file of PE2

#
 sysname PE2
#
interface GigabitEthernet 0/1/0
 portswitch
 undo shutdown
 qinq protocol 9100
#
interface GigabitEthernet 0/1/8
 portswitch
 undo shutdown
#
return

Example for Configuring Selective QinQ

This section provides an example for configuring selective QinQ. Selective QinQ is an extension to QinQ tunneling and is more flexible. When receiving packets, a selective QinQ-enabled interface adds different outer tags depending on the inner tags of the packets.

Networking Requirements

On the network shown in Figure 1-735, company 1 and company 2 each have multiple offices.

VLANs 2 to 500 are used on the network of company 1.
VLANs 501 to 4094 are used on the network of company 2.
GE 0/1/1 on Device A receives packets from different VLANs of company 1 and company 2.

Selective QinQ is required on GE 0/1/1 of Device A on the carrier network so that the office networks of each company can communicate with each other, but the office networks of different companies cannot.

Figure 1-735 Networking of selective QinQ

Interfaces 1 through 3 in this example represent GE 0/1/1, GE 0/1/9, and GE 0/1/17, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure default outer VLAN IDs.
Configure selective QinQ on Layer 2 interfaces so that the interfaces can add different outer VLAN tags to packets.
Configure other selective QinQ-incapable interfaces to forward packets carrying a specific outer VLAN ID.

Data Preparation

To complete the configuration, you need the following data:

Numbers of interfaces connected to companies 1 and 2
Outer VLAN IDs that Layer 2 interfaces on Device A and Device B add to packets from different companies

Procedure

Create default outer VLAN IDs on Layer 2 interfaces.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 20

[*DeviceB] commit

Configure selective QinQ on Layer 2 interfaces.

# Configure Device A.

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port vlan-stacking vlan 2 to 500 stack-vlan 10

[*DeviceA-GigabitEthernet0/1/1] port vlan-stacking vlan 1000 to 2000 stack-vlan 20

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/9

[*DeviceA-GigabitEthernet0/1/9] portswitch

[*DeviceA-GigabitEthernet0/1/9] port vlan-stacking vlan 100 to 500 stack-vlan 10

[*DeviceA-GigabitEthernet0/1/9] undo shutdown

[*DeviceA-GigabitEthernet0/1/9] commit

[~DeviceA-GigabitEthernet0/1/9] quit

# Configure Device B.

[~DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port vlan-stacking vlan 1000 to 4094 stack-vlan 20

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/9

[*DeviceB-GigabitEthernet0/1/9] portswitch

[*DeviceB-GigabitEthernet0/1/9] port vlan-stacking vlan 501 to 2500 stack-vlan 20

[*DeviceB-GigabitEthernet0/1/9] undo shutdown

[*DeviceB-GigabitEthernet0/1/9] commit

[~DeviceB-GigabitEthernet0/1/9] quit

Configure other interfaces.

# Configure GE 0/1/17 on Device A to forward packets carrying outer VLAN ID 20.

[*DeviceA] interface gigabitethernet 0/1/17

[*DeviceA-GigabitEthernet0/1/17] portswitch

[*DeviceA-GigabitEthernet0/1/17] port trunk allow-pass vlan 20

[*DeviceA-GigabitEthernet0/1/17] undo shutdown

[*DeviceA-GigabitEthernet0/1/17] commit

[~DeviceA-GigabitEthernet0/1/17] quit

# Configure GE 0/1/17 on Device B to forward packets carrying outer VLAN ID 20.

[*DeviceB] interface gigabitethernet 0/1/17

[*DeviceB-GigabitEthernet0/1/17] portswitch

[*DeviceB-GigabitEthernet0/1/17] port trunk allow-pass vlan 20

[*DeviceB-GigabitEthernet0/1/17] undo shutdown

[*DeviceB-GigabitEthernet0/1/17] commit

[~DeviceB-GigabitEthernet0/1/17] quit

Verify the configuration.
Hosts in different offices but the same VLAN can ping each other in company 1.

Hosts in different offices but the same VLAN can ping each other in company 2.

Hosts in company 1 and hosts in company 2 cannot ping each other.

Configuration Files

Device A configuration file

 sysname DeviceA

 vlan batch 10 20

interface GigabitEthernet0/1/1

 undo shutdown

 portswitch

 port vlan-stacking vlan 2 to 500 stack-vlan 10

 port vlan-stacking vlan 1000 to 2000 stack-vlan 20

interface GigabitEthernet0/1/9

 undo shutdown

 portswitch

 port vlan-stacking vlan 100 to 500 stack-vlan 10

interface GigabitEthernet0/1/17

 undo shutdown

 portswitch

 port trunk allow-pass vlan 20

return

Device B configuration file

 sysname DeviceB

 vlan batch 20

interface GigabitEthernet0/1/1

 undo shutdown

 portswitch

 port vlan-stacking vlan 1000 to 4094 stack-vlan 20

interface GigabitEthernet0/1/9

 undo shutdown

 portswitch

 port vlan-stacking vlan 500 to 2500 stack-vlan 20

interface GigabitEthernet0/1/17

 undo shutdown

 portswitch

 port trunk allow-pass vlan 20

return

Example for Configuring QinQ-based VLAN Tag Swapping for VPLS Access

After QinQ-based VLAN tag swapping is configured on an interface, the interface swaps the inner and outer virtual local area network (VLAN) tags carried in double-tagged packets when receiving them. This configuration does not take effect on single-tagged packets.

Networking Requirements

On the network shown in Figure 1-736, customers 1 to 1000 have three types of services: unicast high-speed Internet (HSI) services, unicast Voice over Internet Protocol (VoIP) services, and multicast Internet Protocol television (IPTV) services.

When customers 1 to 1000 send both unicast and multicast services, CE1 and CE2 add to packets inner VLAN tags indicating the services, and the CE3 adds to packets outer VLAN tags indicating the users. QinQ-based VLAN tag swapping needs to be configured on the user-end provider edge (UPE) to swap the inner and outer VLAN tags in double-tagged packets. As such, the outer tags in the packets indicate the services, and the inner tags indicate the users.

QinQ VLAN tag termination sub-interfaces are created on the UPE based on double VLAN tags in packets from the CE3, and the UPE provides virtual private LAN service (VPLS) access to services through these sub-interfaces.

Provide VPLS access for unicast services.

Create subinterface 1 on the UPE to provide VPLS access for HSI and VoIP services (in service VLAN 7) and configure subinterface 1 as a QinQ VLAN tag termination sub-interface in symmetrical mode to terminate the outer VLAN tags of packets. The inner VLAN tags of packets are transparently transmitted to the provider edge-access aggregation gateway (PE-AGG).

Configure subinterface 1 on the PE-AGG as a QinQ VLAN tag termination sub-interface in symmetrical mode. After receiving packets from the UPE, subinterface 1 adds a VLAN tag to each packet and forwards the packets to the Service point of presence (POP).
Provide VPLS access for multicast services.

Create subinterface 2 on the UPE to provide VPLS access for IPTV services (in service VLAN 8) and configure subinterface 2 as a QinQ VLAN tag termination sub-interface in asymmetrical mode to terminate the inner and outer VLAN tags of packets.

Configure subinterface 2 on the PE-AGG as a QinQ VLAN tag termination sub-interface in asymmetrical mode. After receiving packets from the UPE, subinterface 2 adds the service VLAN 8 to the packets and forwards the packets to the Service POP.

Figure 1-736 Networking for configuring QinQ-based VLAN tag swapping for VPLS access

Interfaces 1 through 4, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/4, GE 0/1/1.1, and GE 0/1/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure QinQ on the CE3 so that each packet received by the UPE carries two VLAN tags.
Configure an Interior Gateway Protocol (IGP) on the Multiprotocol Label Switching (MPLS) backbone network.
Enable basic MPLS functions and Label Distribution Protocol (LDP) on the MPLS backbone network.
Enable MPLS Layer 2 virtual private network (L2VPN).
Create virtual switching instances (VSIs) and specify LDP as the signaling protocol of the VSIs.
Configure VLAN tag swapping and QinQ VLAN tag termination sub-interfaces, and bind the AC interfaces to the VSIs.
Enable Internet Group Management Protocol (IGMP) snooping and configure the static router interface and querier.

Data Preparation

To complete the configuration, you need the following data:

IDs of inner VLAN tags that CE1 and CE2 add to packets to distinguish services
IDs of outer VLAN tags that the CE3 adds to packets to distinguish users
IP address of each interface
VSI ID (which is the same on the UPE and PE-AGG)
MPLS LSR IDs on the UPE and PE-AGG
VSI names on the UPE and PE-AGG
Names of interfaces bound to the VSIs

Procedure

Configure QinQ so that the CE3 sends double-tagged packets to the UPE.

Switch Layer 3 interfaces to Layer 2 interfaces.

If the interface is a Layer 2 interface, skip this step.

# Configure CE1.

<*HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] portswitch

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/2

[*CE1-GigabitEthernet0/1/2] portswitch

[*CE1-GigabitEthernet0/1/2] undo shutdown

[*CE1-GigabitEthernet0/1/2] quit

[*CE1] interface gigabitethernet 0/1/3

[*CE1-GigabitEthernet0/1/3] portswitch

[*CE1-GigabitEthernet0/1/3] undo shutdown

[*CE1-GigabitEthernet0/1/3] quit

[*CE1] interface gigabitethernet 0/1/4

[*CE1-GigabitEthernet0/1/4] portswitch

[*CE1-GigabitEthernet0/1/4] undo shutdown

[*CE1-GigabitEthernet0/1/4] commit

[~CE1-GigabitEthernet0/1/4] quit

The configurations on CE2 are the same as those on CE1. For details, see "Configuration Files."

# Configure CE3.

<*HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] portswitch

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/2

[*CE3-GigabitEthernet0/1/2] portswitch

[*CE3-GigabitEthernet0/1/2] undo shutdown

[*CE3-GigabitEthernet0/1/2] quit

[*CE3] interface gigabitethernet 0/1/3

[*CE3-GigabitEthernet0/1/3] portswitch

[*CE3-GigabitEthernet0/1/3] undo shutdown

[*CE3-GigabitEthernet0/1/3] commit

[~CE3-GigabitEthernet0/1/3] quit

Configure QinQ.

# Configure CE1.

[*CE1] vlan 7

[*CE1-vlan7] port gigabitethernet 0/1/1

[*CE1-vlan7] port gigabitethernet 0/1/2

[*CE1-vlan7] quit

[*CE1] vlan 8

[*CE1-vlan8] port gigabitethernet 0/1/3

[*CE1-vlan8] quit

[*CE1] interface gigabitethernet 0/1/4

[*CE1-GigabitEthernet0/1/4] port trunk allow-pass vlan 7 8

[*CE1-GigabitEthernet0/1/4] undo shutdown

[*CE1-GigabitEthernet0/1/4] commit

[~CE1-GigabitEthernet0/1/4] quit

The configurations on CE2 are the same as those on CE1. For details, see "Configuration Files."

# Configure CE3.

[*CE3] vlan batch 1 to 1000

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] port vlan-stacking vlan 7 to 8 stack-vlan 1

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/2

[*CE3-GigabitEthernet0/1/2] port vlan-stacking vlan 7 to 8 stack-vlan 1000

[*CE3-GigabitEthernet0/1/2] quit

[*CE3] interface gigabitethernet 0/1/3

[*CE3-GigabitEthernet0/1/3] port trunk allow-pass vlan 1 to 1000

[*CE3-GigabitEthernet0/1/3] commit

[~CE3-GigabitEthernet0/1/3] quit

Configure an IGP on the MPLS backbone network. In this example, Intermediate System to Intermediate System (IS-IS) is used.

Configure IP addresses for interfaces on the UPE and PE-AGG. Enable IS-IS on the loopback interfaces of these devices.

# Configure the UPE.

<*HUAWEI> system-view

[~HUAWEI] sysname UPE

[*HUAWEI] commit

[~UPE] isis 1

[*UPE-isis-1] is-level level-2

[*UPE-isis-1] network-entity 49.0010.0100.1009.00

[*UPE-isis-1] quit

[*UPE] interface loopback 1

[*UPE-LoopBack1] ip address 1.1.1.9 32

[*UPE-LoopBack1] isis enable 1

[*UPE-LoopBack1] quit

[*UPE] interface gigabitethernet 0/1/2

[*UPE-GigabitEthernet0/1/2] ip address 10.1.1.1 30

[*UPE-GigabitEthernet0/1/2] isis enable 1

[*UPE-GigabitEthernet0/1/2] commit

[~UPE-GigabitEthernet0/1/2] quit

# Configure the PE-AGG.

<*HUAWEI> system-view

[~HUAWEI] sysname PE-AGG

[*HUAWEI] commit

[~PE-AGG] isis 1

[*PE-AGG-isis-1] is-level level-2

[*PE-AGG-isis-1] network-entity 49.0020.0200.1009.00

[*PE-AGG-isis-1] quit

[*PE-AGG] interface LoopBack 1

[*PE-AGG-LoopBack1] ip address 2.2.2.9 32

[*PE-AGG-LoopBack1] isis enable 1

[*PE-AGG-LoopBack1] quit

[*PE-AGG] interface gigabitethernet 0/1/1

[*PE-AGG-GigabitEthernet0/1/1] ip address 10.1.1.2 30

[*PE-AGG-GigabitEthernet0/1/1] isis enable 1

[*PE-AGG-GigabitEthernet0/1/1] commit

[~PE-AGG-GigabitEthernet0/1/1] quit

After the configurations are complete, IS-IS discovers IP routes to Loopback 1 of the UPE and PE-AGG, and the two devices can ping each other.

The command output on the UPE is provided as an example.

<UPE> display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: Public
         Destinations : 9       Routes : 9

Destination/Mask    Proto    Pre  Cost   Flags NextHop         Interface

        1.1.1.9/32  Direct   0    0      D   127.0.0.1       LoopBack1
        2.2.2.9/32  ISIS-L2  15   10     D   20.1.1.2        GigabitEthernet0/1/1
       10.1.1.0/24  Direct   0    0      D   10.1.1.1        GigabitEthernet0/1/2
       10.1.1.1/32  Direct   0    0      D   127.0.0.1       GigabitEthernet0/1/2
     10.1.1.255/32  Direct   0    0      D   127.0.0.1       GigabitEthernet0/1/2
       127.0.0.0/8  Direct   0    0      D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct   0    0      D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct   0    0      D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct   0    0      D   127.0.0.1       InLoopBack0

Enable basic MPLS functions and LDP on the MPLS backbone network.

# Configure the UPE.

[*UPE] mpls lsr-id 1.1.1.9

[*UPE] mpls

[*UPE-mpls] quit

[*UPE] mpls ldp

[*UPE-mpls-ldp] quit

[*UPE] interface gigabitethernet 0/1/2

[*UPE-GigabitEthernet0/1/2] mpls

[*UPE-GigabitEthernet0/1/2] mpls ldp

[*UPE-GigabitEthernet0/1/2] commit

[~UPE-GigabitEthernet0/1/2] quit

# Configure the PE-AGG.

[*PE-AGG] mpls lsr-id 2.2.2.9

[*PE-AGG] mpls

[*PE2-mpls] quit

[*PE-AGG] mpls ldp

[*PE-AGG-mpls-ldp] quit

[*PE-AGG] interface gigabitethernet 0/1/1

[*PE-AGG-GigabitEthernet0/1/1] mpls

[*PE-AGG-GigabitEthernet0/1/1] mpls ldp

[*PE-AGG-GigabitEthernet0/1/1] commit

[~PE-AGG-GigabitEthernet0/1/1] quit

After the configurations are complete, an LDP session is established between the UPE and PE-AGG. The display mpls ldp session command output shows that the Status field is Operational.

The command output on the UPE is provided as an example.

<UPE> display mpls ldp session

LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:20:19  4880/4880
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

If the UPE and PE-AGG are not directly connected, run the mpls ldp remote-peer and remote-ip commands on these devices to establish a remote LDP session between them.

Enable MPLS L2VPN on the UPE and PE-AGG.
# Configure the UPE.
```
[*UPE] mpls l2vpn
```
# Configure the PE-AGG.
```
[*PE-AGG] mpls l2vpn
```

Create VSIs and specify LDP as the signaling protocol of VSIs.

# Configure the UPE.

[*UPE] vsi ldp1 static

[*UPE-vsi-ldp1] pwsignal ldp

[*UPE-vsi-ldp1-ldp] vsi-id 1

[*UPE-vsi-ldp1-ldp] peer 2.2.2.9

[*UPE-vsi-ldp1-ldp] quit

[*UPE-vsi-ldp1] quit

[*UPE] vsi ldp2 static

[*UPE-vsi-ldp2] pwsignal ldp

[*UPE-vsi-ldp2-ldp] vsi-id 2

[*UPE-vsi-ldp2-ldp] peer 2.2.2.9

[*UPE-vsi-ldp2-ldp] commit

[~UPE-vsi-ldp2-ldp] quit

[*UPE-vsi-ldp2] quit

# Configure the PE-AGG.

[*PE-AGG] vsi ldp1 static

[*PE-AGG-vsi-ldp1] pwsignal ldp

[*PE-AGG-vsi-ldp1-ldp] vsi-id 1

[*PE-AGG-vsi-ldp1-ldp] peer 1.1.1.9

[*PE-AGG-vsi-ldp1-ldp] quit

[*PE-AGG-vsi-ldp1] quit

[*PE-AGG] vsi ldp2 static

[*PE-AGG-vsi-ldp2] pwsignal ldp

[*PE-AGG-vsi-ldp2-ldp] vsi-id 2

[*PE-AGG-vsi-ldp2-ldp] peer 1.1.1.9

[*PE-AGG-vsi-ldp2-ldp] commit

[~PE-AGG-vsi-ldp2-ldp] quit

[*PE-AGG-vsi-ldp12] quit

Configure VLAN tag swapping on AC interfaces on the UPE, configure QinQ VLAN tag termination sub-interfaces on the UPE and PE-AGG, and bind the VSIs to the AC sub-interfaces on the UPE and PE-AGG.

# Configure the UPE.

[*UPE] interface gigabitethernet 0/1/1

[*UPE-GigabitEthernet0/1/1] vlan-swap enable

[*UPE-GigabitEthernet0/1/1] quit

[*UPE] interface gigabitethernet 0/1/1.1

[*UPE-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*UPE-GigabitEthernet0/1/1.1] qinq termination l2 symmetry

[*UPE-GigabitEthernet0/1/1.1] qinq termination pe-vid 7 ce-vid 1 to 1000

[*UPE-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*UPE-GigabitEthernet0/1/1.1] quit

[*UPE] interface gigabitethernet 0/1/1.2

[*UPE-GigabitEthernet0/1/1.2] control-vid 2 qinq-termination

[*UPE-GigabitEthernet0/1/1.2] qinq termination pe-vid 8 ce-vid 1 to 1000

[*UPE-GigabitEthernet0/1/1.2] l2 binding vsi ldp2

[*UPE-GigabitEthernet0/1/1.2] commit

[~UPE-GigabitEthernet0/1/1.2] quit

# Configure the PE-AGG.

[*PE-AGG] interface gigabitethernet 0/1/2.1

[*PE-AGG-GigabitEthernet0/1/2.1] control-vid 1 qinq-termination

[*PE-AGG-GigabitEthernet0/1/2.1] qinq termination l2 symmetry

[*PE-AGG-GigabitEthernet0/1/2.1] qinq termination pe-vid 7 ce-vid 1 to 1000

[*PE-AGG-GigabitEthernet0/1/2.1] l2 binding vsi ldp1

[*PE-AGG-GigabitEthernet0/1/2.1] undo shutdown

[*PE-AGG-GigabitEthernet0/1/2.1] quit

[*PE-AGG] interface gigabitethernet 0/1/2.2

[*PE-AGG-GigabitEthernet0/1/2.2] control-vid 2 qinq-termination

[*PE-AGG-GigabitEthernet0/1/2.2] qinq termination pe-vid 8 ce-vid 1 to 1000

[*PE-AGG-GigabitEthernet0/1/2.2] l2 binding vsi ldp2

[*PE-AGG-GigabitEthernet0/1/2.2] undo shutdown

[*PE-AGG-GigabitEthernet0/1/2.2] commit

[~PE-AGG-GigabitEthernet0/1/2.2] quit

When you run the qinq termination command on sub-interfaces of the same interface and specify the same pe-vid value on the sub-interfaces, the ce-vid value ranges must be different.

After the configurations are complete, run the display vsi name ldp1 verbose command on the UPE. The command output shows that a PW has been established between the VSI named ldp1 and the PE-AGG and that VSI is Up.

[UPE] display vsi name ldp1 verbose

***VSI Name               : ldp1
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    Flow Label             : disable
    Create Time            : 0 days, 20 hours, 41 minutes, 53 seconds
    VSI State              : up
    Resource Status        : Valid

    VSI ID                 : 1
   *Peer Router ID         : 2.2.2.9
    VC Label               : 211968
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x90014010
    Broadcast Tunnel ID    : 0x90014010
    Broad BackupTunnel ID  : 0x0
    CKey                   : 11
    NKey                   : 10
    StpEnable              : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/1/1.1
    State                  : up
    Last Up Time           : 2010/01/07 13:54:52
    Total Up Time          : 0 days, 3 hours, 6 minutes, 23 seconds

   **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 211968
    Remote VC Label        : 294912
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x90014010
    Broadcast Tunnel ID    : 0x90014010
    Broad BackupTunnel ID  : 0x0
    Ckey                   : 0xb
    Nkey                   : 0xa
    Main PW Token          : 0x90014010
    Slave PW Token         : 0x0
    Tnl Type               : LSP
    OutInterface           : GigabitEthernet0/1/2
    Backup OutInterface    :
    Stp Enable             : 0
    Mac Flapping           : 0
    Flow Label             : disable
    PW Last Up Time        : 2010/01/07 14:09:29
    PW Total Up Time       : 0 days, 20 hours, 22 minutes, 2 seconds

Enable IGMP snooping on the UPE and PE-AGG, configure the PW on the UPE as a static router interface, and configure a querier on the PE-AGG. Use default values for parameters of the querier.

# Configure the UPE.

[*UPE] igmp-snooping enable

[*UPE] vsi ldp2

[*UPE-vsi-ldp2] igmp-snooping enable

[*UPE-vsi-ldp2] igmp-snooping version 3

[*UPE-vsi-ldp2] igmp-snooping static-router-port remote-peer 2.2.2.9

[*UPE-vsi-ldp2] commit

[~UPE-vsi-ldp2] quit

# Configure the PE-AGG.

[*PE-AGG] igmp-snooping enable

[*PE-AGG] vsi ldp2

[*PE-AGG-vsi-ldp2] igmp-snooping enable

[*PE-AGG-vsi-ldp2] igmp-snooping version 3

[*PE-AGG-vsi-ldp2] quit

[*PE-AGG] igmp-snooping send-query enable

[*PE-AGG] vsi ldp2

[*PE-AGG-vsi-ldp2] igmp-snooping querier enable

[*PE-AGG-vsi-ldp2] commit

[~PE-AGG-vsi-ldp2] quit

Run the display igmp-snooping querier vsi command on the PE-AGG to check whether the querier is configured. If the command output shows Enable, the querier is enabled for VSI ldp2.

<PE-AGG> display igmp-snooping querier vsi ldp2

VSI                             Querier-state Querier
---------------------------------------------------------------
ldp2                             Enable       192.168.0.1

Run the display igmp-snooping router-port vsi command on the UPE to check whether the static router interface is configured. If the command output shows STATIC, the PW (2.2.2.9/2) interface is a static router interface.

<UPE> display igmp-snooping router-port vsi ldp2

Port Name                       UpTime        Expires       Flags
 ---------------------------------------------------------------------
 VSI ldp2, 1 router-port(s)
 PW(2.2.2.9/2)                   01:18:10      --            STATIC | DYNAMIC

Verify the configuration.

Run the display qinq information termination interface command to view information about QinQ VLAN tag termination sub-interfaces.

The command output on the UPE is provided as an example.

<UPE> display qinq information termination interface gigabitethernet 0/1/1

GigabitEthernet0/1/1.1
    VSI bound
    qinq termination l2 symmetry
    Total QinQ Num: 1
      qinq termination pe-vid 7 ce-vid 1
    Total vlan-group Num: 0
    control-vid 1 qinq-termination
    vlan-swap enable
GigabitEthernet0/1/1.2
    VSI bound
    Total QinQ Num: 1
      qinq termination pe-vid 7 ce-vid 1
    Total vlan-group Num: 0
    control-vid 1 qinq-termination
    vlan-swap enable

After a member joins a multicast group, run the display igmp-snooping port-info command on the UPE to view information about the Layer 2 multicast interface.

<UPE> display igmp-snooping port-info

 -----------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -----------------------------------------------------------------------
 VSI ldp2, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)  GE0/1/1.2(PE:8/CE:1000)       -D-
                                                    1 port(s)
 -----------------------------------------------------------------------

<UPE> display igmp-snooping port-info slot 1

 -----------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -----------------------------------------------------------------------
 VSI ldp2, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)                                P--
                                      GE0/1/111.2(PE:8/CE:1000)       -D-
                                                1 port(s) include
 -----------------------------------------------------------------------

Configuration Files

CE1 configuration file

 sysname CE1

 vlan batch 7 to 8

 interface gigabitethernet 0/1/1

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/1/2

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/1/3

 undo shutdown

 portswitch

 port default vlan 8

 interface gigabitethernet 0/1/4

 undo shutdown

 portswitch

 port trunk allow-pass vlan 7 to 8

 return

CE2 configuration file

 sysname CE2

 vlan batch 7 to 8

 interface gigabitethernet 0/1/1

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/1/2

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/1/3

 undo shutdown

 portswitch

 port default vlan 8

 interface gigabitethernet 0/1/4

 undo shutdown

 portswitch

 port trunk allow-pass vlan 7 to 8

 return

CE3 configuration file

 sysname CE3

 vlan batch 1 to 1000

 interface gigabitethernet 0/1/1

 undo shutdown

 portswitch

 port vlan-stacking vlan 7 to 8 stack-vlan 1

 interface gigabitethernet 0/1/2

 undo shutdown

 portswitch

 port vlan-stacking vlan 7 to 8 stack-vlan 1000

 interface gigabitethernet 0/1/3

 undo shutdown

 portswitch

 port trunk allow-pass vlan 1 to 1000

 return

UPE configuration file

 sysname UPE

 igmp-snooping enable

 mpls lsr-id 1.1.1.9

 mpls

 mpls l2vpn

 vsi ldp1 static

  pwsignal ldp

   vsi-id 1

   peer 2.2.2.9

 vsi ldp2 static

  pwsignal ldp

   vsi-id 2

   peer 2.2.2.9

  admin-vsi

   igmp-snooping enable

   igmp-snooping version 3

   igmp-snooping static-router-port remote-peer 2.2.2.9

 mpls ldp

 isis 1

  is-level level-2

  network-entity 49.0010.0100.1009.00

 interface GigabitEthernet0/1/1

 undo shutdown

 interface GigabitEthernet0/1/1.1

 encapsulation qinq-termination

 vlan-swap enable

 qinq termination l2 symmetry

 qinq termination pe-vid 7 ce-vid 1 to 1000

 l2 binding vsi ldp1

 interface GigabitEthernet0/1/1.2

 encapsulation qinq-termination

 vlan-swap enable

 qinq termination pe-vid 8 ce-vid 1 to 1000

 l2 binding vsi ldp2

 interface GigabitEthernet0/1/2

  undo shutdown

  ip address 10.1.1.1 255.255.255.252

  isis enable 1

  mpls

  mpls ldp

 interface LoopBack1

  ip address 1.1.1.9 255.255.255.255

  isis enable 1

return

PE-AGG configuration file

 sysname PE-AGG

 igmp-snooping enable

 igmp-snooping send-query enable

 mpls lsr-id 2.2.2.9

 mpls

 mpls l2vpn

 vsi ldp1 static

  pwsignal ldp

   vsi-id 1

   peer 1.1.1.9

 vsi ldp2 static

  pwsignal ldp

   vsi-id 2

   peer 1.1.1.9

   igmp-snooping enable

   igmp-snooping version 3

   igmp-snooping querier enable

 mpls ldp

 isis 1

  is-level level-2

  network-entity 49.0020.0200.1009.00

 interface GigabitEthernet0/1/1

  undo shutdown

  ip address 10.1.1.2 255.255.255.252

  isis enable 1

  mpls

  mpls ldp

 interface GigabitEthernet0/1/2

  undo shutdown

 interface GigabitEthernet0/1/2.1

  encapsulation qinq-termination

  qinq termination l2 symmetry

  qinq termination pe-vid 7 ce-vid 1 to 1000

  l2 binding vsi ldp1

 interface GigabitEthernet0/1/2.2

  encapsulation qinq-termination

  qinq termination pe-vid 8 ce-vid 1 to 1000

  l2 binding vsi ldp2

 interface LoopBack1

  ip address 2.2.2.9 255.255.255.255

  isis enable 1

 return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface to Support Proxy ARP

This example shows how to configure a dot1q VLAN tag termination sub-interface to support proxy ARP, and how to enable the interworking between users who are on the same network segment but different VLANs.

Networking Requirements

A range of VLANs can connect to a network segment using VLAN tag termination sub-interfaces. However, if users on the same network segment belong to different VLANs, these users cannot communicate at Layer 2, and rely on IP forwarding at Layer 3 to communicate with each other. You can configure VLAN tag termination sub-interfaces to support proxy ARP so that users from different VLANs can communicate.

On the network shown in Figure 1-737, the PE connects to the CE through an Ethernet sub-interface; the CE connects to both PC1 and PC2. PC1 and PC2 belong to the same network segment but are on different VLANs. PC1 and PC2 have no default gateway. In this situation, you can configure GE 0/1/1.1 on the PE as a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface so that PC1 and PC2 can communicate.

Figure 1-737 Typical networking for configuring the dot1q VLAN tag termination sub-interface to support proxy ARP

Interfaces 1 through 3 and subinterface 1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Create VLANs on the CE and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on the CE and allows packets from user VLANs to pass through.
Configure a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface on the PE so that users from different VLANs can communicate.

Data Preparation

To complete the configuration, you need the following data:

User VLAN IDs
User IP addresses
Names of interfaces that connect the PE and the CE
Names of interfaces that connect the CE to PCs

Procedure

Create a VLAN on the CE and associate a Layer 2 interface with the VLAN.

<HUAWEI> system-view

[~HUAWEI] sysname CE

[*HUAWEI] commit

[~CE] vlan batch 10 20

[*CE] interface gigabitethernet 0/1/1

[*CE-GigabitEthernet0/1/1] portswitch

[*CE-GigabitEthernet0/1/1] undo shutdown

[*CE-GigabitEthernet0/1/1] port link-type access

[*CE-GigabitEthernet0/1/1] port default vlan 10

[*CE-GigabitEthernet0/1/1] quit

[*CE] interface gigabitethernet 0/1/2

[*CE-GigabitEthernet0/1/2] portswitch

[*CE-GigabitEthernet0/1/2] undo shutdown

[*CE-GigabitEthernet0/1/2] port link-type access

[*CE-GigabitEthernet0/1/2] port default vlan 20

[*CE-GigabitEthernet0/1/2] quit

[*CE] commit

Configure Layer 2 forwarding on the CE.

[~CE] interface gigabitethernet 0/1/3

[*CE-GigabitEthernet0/1/3] portswitch

[*CE-GigabitEthernet0/1/3] undo shutdown

[*CE-GigabitEthernet0/1/3] port link-type trunk

[*CE-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*CE-GigabitEthernet0/1/3] quit

[*CE] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface on the PE.

<HUAWEI> system-view

[~HUAWEI] sysname PE

[*HUAWEI] commit

[~PE] interface gigabitethernet 0/1/1

[*PE-GigabitEthernet0/1/1] undo shutdown

[*PE] interface gigabitethernet 0/1/1.1

[*PE-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE-GigabitEthernet0/1/1.1] dot1q termination vid 20

[*PE-GigabitEthernet0/1/1.1] ip address 10.1.1.254 24

[*PE-GigabitEthernet0/1/1.1] arp-proxy inter-sub-vlan-proxy enable

[*PE-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE-GigabitEthernet0/1/1.1] quit

[*PE] commit

Verify the configuration.
Verify that PC1 can ping PC2.

Check the ARP table on PC1. If the MAC address of PC2 is the MAC address of GE 0/1/1 on the PE, the configuration is correct.

Configuration Files

PE configuration file

#
 sysname PE
#
interface GigabitEthernet0/1/1
 undo shutdown
interface GigabitEthernet0/1/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 ip address 10.1.1.254 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
 arp broadcast enable
#
return

CE configuration file

#
 sysname CE
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Support Proxy ARP

This example shows how to configure a QinQ VLAN tag termination sub-interface to support proxy ARP, and how to enable the interworking between users who are on the same network segment but different VLANs.

Networking Requirements

On the network shown in Figure 1-738, PE1 connects to CE3 through an Ethernet sub-interface; CE3 connects to CE1 and CE2 which connects to both PC1 and PC2. PC1 and PC2 belong to the same network segment but are on different VLANs. PC1 and PC2 have no default gateway. Packets received by PE1 carry two VLAN tags. In this situation, you can configure GE 0/1/1.1 on PE1 as a QinQ VLAN tag termination sub-interface and enable proxy ARP on the sub-interface so that PC1 and PC2 can communicate.

Figure 1-738 Typical networking for configuring the QinQ VLAN tag termination sub-interface to support proxy ARP

Interfaces 1 through 3 and sub-interface1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Create VLANs on CE1 and CE2 and determine the VLANs to which users belong.
Configure the QinQ function on CE3 so that packets sent by CE3 to PE1 carry two VLAN tags.
Configure a QinQ VLAN tag termination sub-interface and enable proxy ARP on the sub-interface on PE1 so that users from different VLANs can communicate.

Data Preparation

To complete the configuration, you need the following data:

VLAN ID in the outer VLAN tag of packets sent by CE3 to PE1.
User VLAN IDs
User IP addresses
Names of interfaces that connect the CEs
Names of interfaces that connect PE1 and CE3
Names of interfaces that connect CE1 and CE2 to PCs

Procedure

Create VLANs on CE1 and CE2 and associate the VLANs with Layer 2 interfaces.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 10

[*CE1-vlan10] quit

[*CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] portswitch

[*CE1-GigabitEthernet0/1/1] port link-type access

[*CE1-GigabitEthernet0/1/1] port default vlan 10

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/2

[*CE1-GigabitEthernet0/1/2] undo shutdown

[*CE1-GigabitEthernet0/1/2] portswitch

[*CE1-GigabitEthernet0/1/2] port link-type trunk

[*CE1-GigabitEthernet0/1/2] port trunk allow-pass vlan 10

[*CE1-GigabitEthernet0/1/2] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 20

[*CE2-vlan20] quit

[*CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] portswitch

[*CE2-GigabitEthernet0/1/1] port link-type access

[*CE2-GigabitEthernet0/1/1] port default vlan 20

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] interface gigabitethernet 0/1/2

[*CE2-GigabitEthernet0/1/2] undo shutdown

[*CE2-GigabitEthernet0/1/2] portswitch

[*CE2-GigabitEthernet0/1/2] port link-type trunk

[*CE2-GigabitEthernet0/1/2] port trunk allow-pass vlan 20

[*CE2-GigabitEthernet0/1/2] quit

[*CE2] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure the QinQ function on CE3 so that packets sent by CE3 to PE1 carry two VLAN tags.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 100

[*CE3-vlan100] quit

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] portswitch

[*CE3-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/2

[*CE3-GigabitEthernet0/1/2] undo shutdown

[*CE3-GigabitEthernet0/1/2] portswitch

[*CE3-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*CE3-GigabitEthernet0/1/2] quit

[*CE3] interface gigabitethernet 0/1/3

[*CE3-GigabitEthernet0/1/3] undo shutdown

[*CE3-GigabitEthernet0/1/3] portswitch

[*CE3-GigabitEthernet0/1/3] port link-type trunk

[*CE3-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*CE3-GigabitEthernet0/1/3] quit

If the device does not support the port vlan-stacking command, you can run the port link-type dot1q-tunnel command and port default vlan command on the interface to configure the QinQ function.

Configure a QinQ VLAN tag termination sub-interface and enable proxy ARP on PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/1.1] ip address 10.1.1.254 24

[*PE1-GigabitEthernet0/1/1.1] arp-proxy inter-sub-vlan-proxy enable

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

When you run the qinq termination command on an interface, if the pe-vid values are the same, make sure that the ce-vid values of the sub-interfaces are different.

Verify the configuration.
Verify that PC1 can ping PC2.

Check the ARP table on PC1. If the MAC address of PC1 is the MAC address of GE 0/1/1 on PE1, the configuration is correct.

Configuration Files

Configuration file of PE1

#
 sysname PE1
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 ip address 10.1.1.254 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
 arp broadcast enable
#
return

Configuration file of CE3

#
 sysname CE3
#
 vlan batch 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

Configuration file of CE1

#
 sysname CE1
#
 vlan batch 10
#
interface GigabitEthernet0/1/1
 undo shutdown
 portswitch
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Configuration file of CE2

#
 sysname CE2
#
 vlan batch 20
#
interface GigabitEthernet0/1/1
 undo shutdown
 portswitch
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/2
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 20
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface to Support VRRP

This section describes how to ensure reliable and stable connections between users that send single-tagged packets and the network after you have configured a dot1q VLAN tag termination sub-interface to support Virtual Router Redundancy Protocol (VRRP).

Networking Requirements

To use VLAN tag termination sub-interfaces to access a network with a VRRP group, enable VRRP on the sub-interfaces. VRRP can ensure reliable and stable communication between users on the network.

On the network shown in Figure 1-739, packets sent by the CE to PEs carry one VLAN tag, and the CE is connected to the network with VRRP groups through the dot1q VLAN tag termination sub-interfaces on the PEs. To ensure that a master/backup VRRP switchover is performed immediately after a fault occurs on the network and that the communication is reliable and stable, configure dot1q VLAN tag termination sub-interfaces to support VRRP.

Figure 1-739 Typical networking for configuring the dot1q VLAN tag termination sub-interface to support VRRP

Interfaces 1 through 3 and subinterface1.1 in this example are GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Create a VLAN on the CE and determine the VLAN to which users belong.
Configure the Layer 2 forwarding function on the CE so that packets sent by the CE to PE1 and PE2 carry one VLAN tag.
Deploy a VRRP group on PE1 and PE2 to implement link backup.
Configure dot1q VLAN tag termination sub-interfaces on PE1 and PE2 to support VRRP to ensure stable network communication.
Configure a routing protocol on PE1, PE2, and PE3 to ensure that users can access the carrier network on the Layer 3 network.

Open Shortest Path First (OSPF) is used in this example.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect PE1 and PE2 to the CE.
Names and IP addresses of the interfaces that connect PE1 and PE2
ID and virtual IP address of the VRRP group and priorities of PE1 and PE2 in the VRRP group

Procedure

Create a VLAN on the CE and associate a Layer 2 interface with the VLAN.

<HUAWEI> system-view

[~HUAWEI] sysname CE

[*HUAWEI] commit

[~CE] vlan 10

[*CE-vlan10] quit

[*CE] interface gigabitethernet 0/1/1

[*CE-GigabitEthernet0/1/1] undo shutdown

[*CE-GigabitEthernet0/1/1] portswitch

[*CE-GigabitEthernet0/1/1] port link-type access

[*CE-GigabitEthernet0/1/1] port default vlan 10

[*CE-GigabitEthernet0/1/1] quit

[*CE] commit

Configure Layer 2 forwarding on the CE.

[~CE] interface gigabitethernet 0/1/2

[*CE-GigabitEthernet0/1/2] undo shutdown

[*CE-GigabitEthernet0/1/2] portswitch

[*CE-GigabitEthernet0/1/2] port link-type trunk

[*CE-GigabitEthernet0/1/2] port trunk allow-pass vlan 10

[*CE-GigabitEthernet0/1/2] quit

[*CE] commit

[~CE] interface gigabitethernet 0/1/3

[*CE-GigabitEthernet0/1/3] undo shutdown

[*CE-GigabitEthernet0/1/3] portswitch

[*CE-GigabitEthernet0/1/3] port link-type trunk

[*CE-GigabitEthernet0/1/3] port trunk allow-pass vlan 10

[*CE-GigabitEthernet0/1/3] quit

[*CE] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a VRRP group.

# Create VRRP group 1 on PE1, set the default gateway address to 10.1.1.111, and set the VRRP priority to 120 so that PE1 is the Master in VRRP group 1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 virtual-ip 10.1.1.111

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 priority 120

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 preempt-mode timer delay 20
[*PE1-GigabitEthernet0/1/1.1] vrrp recover-delay 20

[*PE1-GigabitEthernet0/1/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

# Create VRRP group 1 on PE2, and set the default gateway address to 10.1.1.111. (Do not set the VRRP priority so that PE2 is the Backup in VRRP group 1.)

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] vrrp vrid 1 virtual-ip 10.1.1.111

[*PE2-GigabitEthernet0/1/1.1] ip address 10.1.1.2 24

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

Configure dot1q VLAN tag termination sub-interfaces to support VRRP.

# Configure PE1.

[~PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE1-GigabitEthernet0/1/1.1] dot1q vrrp vid 10

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE2-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE2-GigabitEthernet0/1/1.1] dot1q vrrp vid 10

[*PE2-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

Run the display vrrp command on PE1. The command output shows that PE1 is in the master state. Run the display vrrp command on PE2. The command output shows that PE2 is in the Backup state. The command outputs are as follows:

[~PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:54:17

[~PE2] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Backup
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.2
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 09:56:11

Run the shutdown command on GE 0/1/1.1 of PE1 to simulate a situation in which PE1 is faulty.

Run the display vrrp command on PE1 and PE2 respectively to view the VRRP status. The command outputs show that the VRRP status of PE1 is Initialize and the VRRP status of PE2 is Master.

[*PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Initialize
Virtual IP     : 10.1.1.111
Master IP      : 0.0.0.0
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 0
Preempt        : YES   Delay Time : 20s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:03:03

[*PE2] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.2
Local IP       : 10.1.1.2
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 100
Preempt        : YES   Delay Time : 0s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 10:53:09

Run the undo shutdown command on GE 0/1/1.1 on PE1. After GE 0/1/1.1 goes Up, run the display vrrp command on PE1 to view the VRRP status. The command output shows that the VRRP status of PE1 is Backup.

If no preemption delay is configured in VRRP group 1, the VRRP status of PE1 is Master immediately.
If the preemption delay is configured in VRRP group 1, the VRRP status of PE1 is Master after 20 seconds.

[*PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Backup
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.2
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 100
Preempt        : YES   Delay Time : 20s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:54:35

After 20 seconds, run the display vrrp command on PE1 to view the VRRP status. The command output shows that the VRRP status of PE1 is Master.

[*PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.2
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier: 4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:54:50

Configure OSPF on the PEs.

Configure IP addresses of interfaces and OSPF on the PEs, as shown in Figure 1-739.

# Configure PE1.

[*PE1] interface gigabitethernet0/1/2

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] ip address 192.168.2.1 24

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

[*PE2] interface gigabitethernet0/1/2

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface gigabitethernet0/1/1

[*PE3-GigabitEthernet0/1/1] undo shutdown

[*PE3-GigabitEthernet0/1/1] ip address 192.168.2.2 24

[*PE3-GigabitEthernet0/1/1] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] undo shutdown

[*PE3-GigabitEthernet0/1/2] ip address 192.168.1.2 24

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 can ping each other.

Use the command output on PE1 as an example.

[~PE1] ping 192.168.1.1

  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=140 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=23 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=56 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=14 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/47/140 ms

Verify the configuration.

Run the display ip routing-table command on PE1 and PE2. Verify that the following conditions are true:

a. The command output shows that there is a direct route in the routing table of PE1.

b. The destination address of the direct route is a virtual IP address.

c. The route to the same destination address on PE2 is an OSPF route.

[*PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 16       Routes : 16

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

       10.1.1.0/24  Direct 0    0             D  10.1.1.1        GigabitEthernet0/1/1.1
       10.1.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.111/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
    192.168.1.0/24  OSPF   10   2             D  10.1.1.2        GigabitEthernet0/1/1.1
                    OSPF   10   2             D  192.168.2.2     GigabitEthernet0/1/2
    192.168.2.0/24  Direct 0    0             D  192.168.2.1     GigabitEthernet0/1/2
    192.168.2.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.2.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[~PE2] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 16       Routes : 16

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

       10.1.1.0/24  Direct 0    0             D  10.1.1.2        GigabitEthernet0/1/1.1
       10.1.1.2/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.111/32  OSPF   10   2             D  10.1.1.1        GigabitEthernet0/1/1.1
     10.1.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  10.1.1.1        GigabitEthernet0/1/1.1
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 interface gigabitethernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip address 10.1.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 arp broadcast enable
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp recover-delay 20
#
interface gigabitethernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

PE2 configuration file

#
 sysname PE2
#
interface GigabitEthernet0/1/1
 undo shutdown
 #
interface GigabitEthernet0/1/1.1
 ip address 10.1.1.2 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 arp broadcast enable
 vrrp vrid 1 virtual-ip 10.1.1.111
#
interface gigabitethernet0/1/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
return

PE3 configuration file

#
 sysname PE3
#
interface gigabitethernet0/1/1
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
#
interface gigabitethernet0/1/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

Configuration file of the CE

#
 sysname CE
#
 vlan batch 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Support VRRP

This section describes how to ensure reliable and stable connections between users that send double-tagged packets and the network after you have configured a QinQ VLAN tag termination sub-interface to support VRRP (Virtual Router Redundancy Protocol).

Networking Requirements

To use VLAN tag termination sub-interfaces to access a network with a VRRP group, enable VRRP on the sub-interfaces. VRRP can ensure reliable and stable communication between users on the network.

On the network shown in Figure 1-740, packets sent by the CEs to the PEs carry two VLAN tags, and the CEs are connected to the network with VRRP groups using QinQ VLAN tag termination sub-interfaces. To ensure that a master/backup VRRP switchover is performed immediately after a fault occurs on the network and that the communication is reliable and stable, configure QinQ VLAN tag termination sub-interfaces to support VRRP.

Figure 1-740 Typical networking for configuring the QinQ VLAN tag termination sub-interface to support VRRP

Interfaces 1 through 4, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/4, GE 0/1/1.1, and GE 0/1/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Create VLANs on CE2 and CE3 and determine the VLANs to which users belong.
Enable QinQ on CE1 so that packets sent by CE1 to PE1 and PE2 carry two VLAN tags.
Configure two VRRP groups on both PE1 and PE2 to implement link backup and load balancing.
Configure QinQ VLAN tag termination sub-interfaces on PE1 and PE2 to support VRRP to ensure stable network communication.
Configure a routing protocol on PE1, PE2, and PE3 to ensure that users can access the carrier network on the Layer 3 network.

Open Shortest Path First (OSPF) is used in this example.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
VLAN IDs in the outer VLAN tags of packets sent by CE1 to PE1 and PE2.
Names and IP addresses of the interfaces that connect PE1 and PE2 to CE1.
Names and IP addresses of the interfaces that connect PE1 and PE2
IDs and virtual IP addresses of VRRP groups and priorities of PE1 and PE2 in the VRRP groups

Procedure

Create VLANs on CE2 and CE3 and associate Layer 2 interfaces with the VLANs.

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] portswitch

[*CE2-GigabitEthernet0/1/1] port link-type access

[*CE2-GigabitEthernet0/1/1] port default vlan 10

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] interface gigabitethernet 0/1/2

[*CE2-GigabitEthernet0/1/2] undo shutdown

[*CE2-GigabitEthernet0/1/2] portswitch

[*CE2-GigabitEthernet0/1/2] port link-type trunk

[*CE2-GigabitEthernet0/1/2] port trunk allow-pass vlan 10

[*CE2-GigabitEthernet0/1/2] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 20

[*CE3-vlan20] quit

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] portswitch

[*CE3-GigabitEthernet0/1/1] port link-type access

[*CE3-GigabitEthernet0/1/1] port default vlan 20

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/2

[*CE3-GigabitEthernet0/1/2] undo shutdown

[*CE3-GigabitEthernet0/1/2] portswitch

[*CE3-GigabitEthernet0/1/2] port link-type trunk

[*CE3-GigabitEthernet0/1/2] port trunk allow-pass vlan 20

[*CE3-GigabitEthernet0/1/2] quit

[*CE3] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Enable QinQ on CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 100

[*CE1-vlan100] quit

[*CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] portswitch

[*CE1-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/2

[*CE1-GigabitEthernet0/1/2] undo shutdown

[*CE1-GigabitEthernet0/1/2] portswitch

[*CE1-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*CE1-GigabitEthernet0/1/2] quit

[*CE1] interface gigabitethernet 0/1/3

[*CE1-GigabitEthernet0/1/3] undo shutdown

[*CE1-GigabitEthernet0/1/3] portswitch

[*CE1-GigabitEthernet0/1/3] port link-type trunk

[*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*CE1-GigabitEthernet0/1/3] quit

[*CE1] interface gigabitethernet 0/1/4

[*CE1-GigabitEthernet0/1/4] undo shutdown

[*CE1-GigabitEthernet0/1/4] portswitch

[*CE1-GigabitEthernet0/1/4] port link-type trunk

[*CE1-GigabitEthernet0/1/4] port trunk allow-pass vlan 100

[*CE1-GigabitEthernet0/1/4] quit

[*CE1] commit

Configure VRRP groups.

# Create VRRP group 1 and VRRP group 2 on PE1, set the VRRP priority to 120 for PE1 in VRRP group 1 so that PE1 is the Master in VRRP group 1 and the Backup in VRRP group 2.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 virtual-ip 10.1.1.111

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 priority 120

[*PE1-GigabitEthernet0/1/1.1] vrrp vrid 1 preempt-mode timer delay 20
[*PE1-GigabitEthernet0/1/1.1] vrrp recover-delay 20

[*PE1-GigabitEthernet0/1/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] interface gigabitethernet 0/1/1.2

[*PE1-GigabitEthernet0/1/1.2] vrrp vrid 2 virtual-ip 10.10.1.111

[*PE1-GigabitEthernet0/1/1.2] ip address 10.10.1.1 24

[*PE1-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.2] quit

[*PE1] commit

# Create VRRP group 1 and VRRP group 2 on PE2, set the VRRP priority to 120 for PE2 in VRRP group 2 so that PE2 is the Master in VRRP group 2 and the Backup in VRRP group 1.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] vrrp vrid 1 virtual-ip 10.1.1.111

[*PE2-GigabitEthernet0/1/1.1] ip address 10.1.1.2 24

[*PE2-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] interface gigabitethernet 0/1/1.2

[*PE2-GigabitEthernet0/1/1.2] vrrp vrid 2 virtual-ip 10.10.1.111

[*PE2-GigabitEthernet0/1/1.2] vrrp vrid 2 priority 120

[*PE2-GigabitEthernet0/1/1.2] vrrp vrid 2 preempt-mode timer delay 20
[*PE2-GigabitEthernet0/1/1.2] vrrp recover-delay 20

[*PE2-GigabitEthernet0/1/1.2] ip address 10.10.1.2 24

[*PE2-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.2] quit

[*PE2] commit

Configure QinQ VLAN tag termination sub-interfaces to support VRRP.

# Configure PE1.

[~PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/1.1] qinq vrrp pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1-GigabitEthernet0/1/1.2] control-vid 2 qinq-termination

[*PE1-GigabitEthernet0/1/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/1.2] qinq vrrp pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.2] quit

[*PE1] commit

# Configure PE2.

[~PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE2-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/1/1.1] qinq vrrp pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2-GigabitEthernet0/1/1.2] control-vid 2 qinq-termination

[*PE2-GigabitEthernet0/1/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/1/1.2] qinq vrrp pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.2] quit

[*PE2] commit

After the configurations are complete, run the display vrrp command on PE1. The command output shows that PE1 is Master in VRRP group 1 and Backup in VRRP group 2. Run the display vrrp command on PE2. The command output shows that PE2 is Master in VRRP group 2 and Backup in VRRP group 1.

[~PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:54:17

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Backup
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.2
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:56:33

[~PE2] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Backup
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.2
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 09:56:11

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Master
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.2
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 09:56:33

Run the shutdown command on GE 0/1/1.1 of PE1 to simulate a situation in which PE1 is faulty.

Run the display vrrp command on PE1 and PE2 to view the VRRP status. The command outputs show that the VRRP status of PE1 is Initialize and the VRRP status of PE2 is Master.

[~PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Initialize
Virtual IP     : 10.1.1.111
Master IP      : 0.0.0.0
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 0
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:03:03

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Backup
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.1
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:56:33

[*PE2] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.2
Local IP       : 10.1.1.2
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 100
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 10:53:09

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Master
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.2
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:00
Last Change Time  : 2012-07-18 09:56:33

If no preemption delay is configured in VRRP group 1, the VRRP status of PE1 is Master immediately.
If the preemption delay is configured in VRRP group 1, the VRRP status of PE1 is Master after 20 seconds.

[~PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Backup
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.2
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 100
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:54:35

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Backup
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.1
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:56:33

After 20 seconds, run the display vrrp command on PE1 to view the VRRP status. The command output shows that the VRRP status of PE1 is Master.

[*PE1] display vrrp

GigabitEthernet0/1/1.1 | Virtual Router 1
State          : Master
Virtual IP     : 10.1.1.111
Master IP      : 10.1.1.1
Local IP       : 10.1.1.1
PriorityRun    : 120
PriorityConfig : 120
MasterPriority : 120
Preempt        : YES   Delay Time : 20s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3456
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 10:54:50

GigabitEthernet0/1/1.2 | Virtual Router 2
State          : Backup
Virtual IP     : 10.10.1.111
Master IP      : 10.10.1.2
Local IP       : 10.10.1.1
PriorityRun    : 100
PriorityConfig : 100
MasterPriority : 120
Preempt        : YES   Delay Time : 0s
Hold Multiplier:4
TimerRun       : 1s
TimerConfig    : 1s
Auth Type      : NONE
Virtual MAC    : 00e0-fc12-3457
Check TTL      : YES
Config Type    : normal-vrrp
Create Time       : 2012-07-18 09:53:03
Last Change Time  : 2012-07-18 09:56:33

Configure OSPF on the PEs.

Configure IP addresses of interfaces and OSPF on the PEs, as shown in Figure 1-740.

# Configure PE1.

[*PE1] interface gigabitethernet0/1/2

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] ip address 192.168.2.1 24

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 10.10.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

[~PE2] interface gigabitethernet0/1/2

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 10.10.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface gigabitethernet0/1/1

[*PE3-GigabitEthernet0/1/1] undo shutdown

[*PE3-GigabitEthernet0/1/1] ip address 192.168.2.2 24

[*PE3-GigabitEthernet0/1/1] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] undo shutdown

[*PE3-GigabitEthernet0/1/2] ip address 192.168.1.2 24

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 can ping each other.

Use the command output on PE1 as an example.

[~PE1] ping 192.168.1.1

  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=140 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=23 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=56 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=14 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=4 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/47/140 ms

Verify the configuration.

Run the display ip routing-table command on PE1 and PE2. Verify that the following conditions are true:

a. The command outputs show that there is a direct route in the routing table of PE1.

b. The destination address of the direct route is a virtual IP address.

c. The route to the same destination address on PE2 is an OSPF route.

[*PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 16       Routes : 16

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

       10.1.1.0/24  Direct 0    0             D  10.1.1.1        GigabitEthernet0/1/1.1
       10.1.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.111/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
    192.168.1.0/24  OSPF   10   2             D  10.10.1.2       GigabitEthernet0/1/1.2
                    OSPF   10   2             D  10.1.1.2        GigabitEthernet0/1/1.1
                    OSPF   10   2             D  192.168.2.2     GigabitEthernet0/1/2
    192.168.2.0/24  Direct 0    0             D  192.168.2.1     GigabitEthernet0/1/2
    192.168.2.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.2.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
      10.10.1.0/24  Direct 0    0             D  10.10.1.1       GigabitEthernet0/1/1.2
      10.10.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.2
    10.10.1.111/32  OSPF   10   2             D  10.10.1.2       GigabitEthernet0/1/1.2
                    OSPF   10   2             D  10.1.1.2        GigabitEthernet0/1/1.1
    10.10.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.2
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[~PE2] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 16       Routes : 16

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

       10.1.1.0/24  Direct 0    0             D  10.1.1.2        GigabitEthernet0/1/1.1
       10.1.1.2/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
     10.1.1.111/32  OSPF   10   2             D  10.10.1.1       GigabitEthernet0/1/1.2
                    OSPF   10   2             D  10.1.1.1        GigabitEthernet0/1/1.1
     10.1.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.1
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  10.10.1.1       GigabitEthernet0/1/1.2
                    OSPF   10   2             D  10.1.1.1        GigabitEthernet0/1/1.1
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
      10.10.1.0/24  Direct 0    0             D  10.10.1.2       GigabitEthernet0/1/1.2
      10.10.1.2/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.2
    10.10.1.111/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.2
    10.10.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/1.2
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

Configuration Files

Configuration file of PE1

#
 sysname PE1
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip address 10.1.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 qinq vrrp pe-vid 100 ce-vid 10
 arp broadcast enable
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp recover-delay 20
#
interface GigabitEthernet0/1/1.2
 ip address 10.10.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 qinq vrrp pe-vid 100 ce-vid 20
 arp broadcast enable
 vrrp vrid 2 virtual-ip 10.10.1.111 
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 10.10.1.0 0.0.0.255
#
return

Configuration file of PE2

#
 sysname PE2
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip address 10.1.1.2 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 qinq vrrp pe-vid 100 ce-vid 10
 arp broadcast enable
 vrrp vrid 1 virtual-ip 10.1.1.111
#
interface GigabitEthernet0/1/1.2
 ip address 10.10.1.2 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 qinq vrrp pe-vid 100 ce-vid 20
 arp broadcast enable
 vrrp vrid 2 virtual-ip 10.10.1.111
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt-mode timer delay 20
 vrrp recover-delay 20
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 10.10.1.0 0.0.0.255
#
return

Configuration file of PE3

#
 sysname PE3
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

Configuration file of CE1

#
 sysname CE1
#
 vlan batch 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/4
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

Configuration file of CE2

#
 sysname CE2
#
 vlan batch 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Configuration file of CE3

#
 sysname CE3
#
 vlan batch 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 20
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface to Access an L3VPN

This section describes how to configure a dot1q VLAN tag termination sub-interface to provide Layer 3 virtual private network (L3VPN) access and how to ensure that users communicate over the L3VPN using single-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

On the network shown in Figure 1-741, the CEs connect to the PEs through the routers, and the routers access the L3VPN through dot1q VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry one VLAN tag. To ensure that user networks on which CE1 and CE2 reside can communicate and that user networks on which CE3 and CE4 reside can communicate, configure dot1q VLAN tag termination sub-interfaces on PE1 and PE2 and bind these sub-interfaces to virtual private network (VPN) instances to provide L3VPN access.

Figure 1-741 Typical networking for configuring the dot1q VLAN tag termination sub-interface to provide L3VPN access

Interfaces 1 through 3, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/1.1, and GE 0/1/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses of interfaces on the CEs. (Packets sent by the CEs to the routers do not carry any VLAN tag.)
Create VLANs on Device A and Device B and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on Device A and Device B so that packets sent by Device A to PE1 and packets sent by Device B to PE2 carry one VLAN tag.
Configure L3VPN services on PE1, the P, and PE2, configure dot1q VLAN tag termination sub-interfaces on PE1 and PE2, and bind these sub-interfaces to VPN instances so that users can communicate over the L3VPN.
1. Configure a routing protocol on PE1, the P, and PE2 to ensure Layer 3 connectivity.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on PE1, the P, and PE2 and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Configure VPN instances and dot1q VLAN tag termination sub-interfaces on PE1 and PE2, bind these sub-interfaces to the VPN instances to provide L3VPN access.
4. Establish a Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationship between the PEs so that users in the same VPN instance can communicate.
5. Establish External BGP (EBGP) peer relationships between the PEs and CEs to exchange VPN routes so that the CEs can communicate.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers to the CEs
Names and IP addresses of the interfaces that connect the PEs to the CEs
Names and IP addresses of the interfaces that connect PE1 and PE2
MPLS LSR IDs of the PEs and P, names of VPN instances on the PEs, and VPN targets of VPN routes

Procedure

Configure IP addresses of interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] ip address 10.1.1.2 24

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] ip address 10.2.1.2 24

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] ip address 10.3.1.2 24

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/1/1

[*CE4-GigabitEthernet0/1/1] undo shutdown

[*CE4-GigabitEthernet0/1/1] ip address 10.4.1.2 24

[*CE4-GigabitEthernet0/1/1] quit

[*CE4] commit

Create VLANs on the routers and associate Layer 2 interfaces with the VLANs.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port link-type access

[*DeviceA-GigabitEthernet0/1/1] port default vlan 10

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port link-type access

[*DeviceA-GigabitEthernet0/1/2] port default vlan 20

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port link-type access

[*DeviceB-GigabitEthernet0/1/1] port default vlan 10

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/2

[*DeviceB-GigabitEthernet0/1/2] undo shutdown

[*DeviceB-GigabitEthernet0/1/2] portswitch

[*DeviceB-GigabitEthernet0/1/2] port link-type access

[*DeviceB-GigabitEthernet0/1/2] port default vlan 20

[*DeviceB-GigabitEthernet0/1/2] quit

[*DeviceB] commit

Configure Layer 2 forwarding on the routers.

# Configure Device A.

[~DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

# Configure Device B.

[~DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type trunk

[*DeviceB-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure an L3VPN.

Configure OSPF on PE1, the P, and PE2.

Assign an IP address to each interface on the PEs and P. Make sure that the 32-bit loopback addresses of PE1, the P, and PE2 are advertised after OSPF is enabled.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure the P.

<HUAWEI> system-view

[~HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface LoopBack 1

[*P-LoopBack1] ip address 2.2.2.9 32

[*P-LoopBack1] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] ip address 192.168.1.2 24

[*P-GigabitEthernet0/1/1] undo shutdown

[*P-GigabitEthernet0/1/1] quit

[*P] interface gigabitethernet 0/1/2

[*P-GigabitEthernet0/1/2] ip address 192.168.2.1 24

[*P-GigabitEthernet0/1/2] undo shutdown

[*P-GigabitEthernet0/1/2] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] quit

[*P] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 1

[*PE2-LoopBack1] ip address 3.3.3.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

After the configurations are complete, PE1 and PE2 have OSPF routes to the loopback interface of each other. PE1 and PE2 can ping each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 11       Routes : 11

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/1/2
        3.3.3.9/32  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=2 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/5 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] mpls

[*PE1-GigabitEthernet0/1/2] mpls ldp

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] commit

# Configure the P.

[~P] mpls lsr-id 2.2.2.9

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet0/1/1

[*P-GigabitEthernet0/1/1] mpls

[*P-GigabitEthernet0/1/1] mpls ldp

[*P-GigabitEthernet0/1/1] quit

[*P] interface gigabitethernet0/1/2

[*P-GigabitEthernet0/1/2] mpls

[*P-GigabitEthernet0/1/2] mpls ldp

[*P-GigabitEthernet0/1/2] quit

[*P] commit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] commit

After the configurations are complete, LDP sessions are set up between PE1 and the P and between PE2 and the P. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

The following uses the command output on PE1. The status is Operational.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
-------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0         Operational  DU   Passive  0000:00:00   5/5
 3.3.3.9:0         Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

Configure VPN instances and bind the dot1q VLAN tag termination sub-interfaces to these VPN instances.

# Configure PE1.

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1-vpn-instance-vpn1] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE1-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/1/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 200:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] quit

[*PE1-vpn-instance-vpn2] quit

[*PE1] interface gigabitethernet 0/1/1.2

[*PE1-GigabitEthernet0/1/1.2] control-vid 2 dot1q-termination

[*PE1-GigabitEthernet0/1/1.2] dot1q termination vid 20

[*PE1-GigabitEthernet0/1/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/1/1.2] ip address 10.3.1.1 24

[*PE1-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.2] quit

[*PE1] commit

# Configure PE2.

[~PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] quit

[*PE2-vpn-instance-vpn1] quit

[*PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE2-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE2-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/1/1.1] ip address 10.2.1.1 24

[*PE2-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] ip vpn-instance vpn2

[*PE2-vpn-instance-vpn2] route-distinguisher 200:2

[*PE2-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE2-vpn-instance-vpn2-af-ipv4] quit

[*PE2-vpn-instance-vpn2] quit

[*PE2] interface gigabitethernet 0/1/1.2

[*PE2-GigabitEthernet0/1/1.2] control-vid 2 dot1q-termination

[*PE2-GigabitEthernet0/1/1.2] dot1q termination vid 20

[*PE2-GigabitEthernet0/1/1.2] ip binding vpn-instance vpn2

[*PE2-GigabitEthernet0/1/1.2] ip address 10.4.1.1 24

[*PE2-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.2] quit

[*PE2] commit

The vid values of sub-interfaces on a main interface must be different.

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

Use the command output on PE1 as an example.

[~PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0
 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/1/1.1
 Address family ipv4
  Create date : 2012-07-18 14:34:48
  Up time : 0 days, 00 hours, 07 minutes and 54 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets : 100:1
  Import VPN Targets : 100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

 VPN-Instance Name and ID : vpn2, 2
  Interfaces : GigabitEthernet0/1/1.2
 Address family ipv4
  Create date : 2012-07-18 14:38:44
  Up time : 0 days, 00 hours, 03 minutes and 58 seconds
  Vrf Status : UP
  Route Distinguisher : 200:2
  Export VPN Targets : 200:2
  Import VPN Targets : 200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] peer 3.3.3.9 as-number 100

[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1

[*PE1-bgp] ipv4-family vpnv4

[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[*PE1-bgp-af-vpnv4] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] peer 1.1.1.9 as-number 100

[*PE2-bgp] peer 1.1.1.9 connect-interface loopback 1

[*PE2-bgp] ipv4-family vpnv4

[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[*PE2-bgp-af-vpnv4] quit

[*PE2-bgp] quit

[*PE2] commit

After the configurations are complete, run the display bgp peer command on the PEs. The command outputs show that a BGP peer relationship is established between the PEs and is in the Established state.

[~PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  3.3.3.9         4         100        4        4     0 00:00:33 Established    0

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.

# Configure CE1.

[~CE1] bgp 65410

[*CE1-bgp] peer 10.1.1.1 as-number 100

[*CE1-bgp] import-route direct

[*CE1-bgp] quit

[*CE1] commit

# Configure CE2.

[~CE2] bgp 65420

[*CE2-bgp] peer 10.2.1.1 as-number 100

[*CE2-bgp] import-route direct

[*CE2-bgp] quit

[*CE2] commit

# Configure CE3.

[~CE3] bgp 65411

[*CE3-bgp] peer 10.3.1.1 as-number 100

[*CE3-bgp] import-route direct

[*CE3-bgp] quit

[*CE3] commit

# Configure CE4.

[~CE4] bgp 65421

[*CE4-bgp] peer 10.4.1.1 as-number 100

[*CE4-bgp] import-route direct

[*CE4-bgp] quit

[*CE4] commit

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] ipv4-family vpn-instance vpn1

[*PE1-bgp-vpn1] peer 10.1.1.2 as-number 65410

[*PE1-bgp-vpn1] import-route direct

[*PE1-bgp-vpn1] quit

[*PE1-bgp] ipv4-family vpn-instance vpn2

[*PE1-bgp-vpn2] peer 10.3.1.2 as-number 65411

[*PE1-bgp-vpn2] import-route direct

[*PE1-bgp-vpn2] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] ipv4-family vpn-instance vpn1

[*PE2-bgp-vpn1] peer 10.2.1.2 as-number 65420

[*PE2-bgp-vpn1] import-route direct

[*PE2-bgp-vpn1] quit

[*PE2-bgp] ipv4-family vpn-instance vpn2

[*PE2-bgp-vpn2] peer 10.4.1.2 as-number 65421

[*PE2-bgp-vpn2] import-route direct

[*PE2-bgp-vpn2] quit

[*PE2-bgp] quit

[*PE2] commit

After the configurations are complete, run the display bgp vpnv4 vpn-instance peer command on the PEs. The command outputs show that BGP peer relationships have been established between the PEs and CEs and are in the Established state.

Use the BGP peer relationship between PE1 and CE1 as an example.

[~PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

 VPN-Instance vpn1, router ID 1.1.1.9:
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS    MsgRcvd  MsgSent  OutQ  Up/Down     State         PrefRcv
  10.1.1.2        4         65410     6        7       0 00:02:58      Established    1

After the configurations are complete, the PEs can ping the CEs connected to them.

If multiple interfaces on a PE are bound to the same VPN instance, specify the source IP address using -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command when you run the ping -vpn-instance command to ping the CE connected to the PE. If you do not specify the source IP address, the ping operation fails.

Use the command output on PE1 as an example.

[*PE1] ping -vpn-instance vpn1 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=60 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/54/60 ms

Verify the configuration.

Run the display dot1q information termination command to view information about dot1q VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the L3VPN.

Use the command output on PE1 as an example.

[*PE1] display dot1q information termination interface gigabitethernet 0/1/1

  GigabitEthernet0/1/1.1
    L3VPN bound
    Total QinQ Num: 1
      dot1q  termination vid 10
    Total vlan-group Num: 0
    encapsulation dot1q-termination
  GigabitEthernet0/1/1.2
    L3VPN bound
    Total QinQ Num: 1
      dot1q  termination vid 20
    Total vlan-group Num: 0
    encapsulation dot1q-termination

Hosts attached to CE1 and CE2 can ping each other. Hosts attached to CE3 and CE4 can also ping each other. CE1 and CE2 cannot communicate with CE3 and CE4 because they belong to different VPN instances.

On the PEs, you can view the corresponding ARP entries. Use PE1 as an example.

[*PE1] display arp slot 1

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------------------------------
192.168.1.1     00e0-fc12-3458            I -         GE0/1/2
192.168.1.2     00e0-fc12-3457  20        D-9         GE0/1/2
10.1.1.1       00e0-fc12-3459            I -         GE0/1/1.1       vpn1
10.1.1.2        00e0-fc12-3456  20        D-9         GE0/1/1.1       vpn1            10/-
10.3.1.1       00e0-fc12-3459            I -         GE0/1/1.2       vpn2
10.3.1.2        00e0-fc12-3456  20        D-9         GE0/1/1.2       vpn2            20/-
-----------------------------------------------------------------------------------------------------
Total:6         Dynamic:3       Static:0    Interface:3

Configuration Files

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization  
  import-route direct
  peer 10.1.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
bgp 65420
 peer 10.2.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
   peer 10.2.1.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.3.1.2 255.255.255.0
#
bgp 65411
 peer 10.3.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.1 enable
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.4.1.2 255.255.255.0
#
bgp 65421
 peer 10.4.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.4.1.1 enable
#
return

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 arp broadcast enable
#
interface GigabitEthernet0/1/1.2
 ip binding vpn-instance vpn2
 ip address 10.3.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 20
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.3.1.2 as-number 65411
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

P configuration file

#
 sysname P
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn1
 ip address 10.2.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 arp broadcast enable
#
interface GigabitEthernet0/1/1.2
 ip binding vpn-instance vpn2
 ip address 10.4.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 20
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.2.1.2 as-number 65420
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.4.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Access an L3VPN

This section describes how to configure a QinQ VLAN tag termination sub-interface to provide Layer 3 virtual private network (L3VPN) access and how to ensure that users communicate over the L3VPN using double-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

On the network shown in Figure 1-742, the CEs connect to the PEs through the routers, and the routers access the L3VPN through QinQ VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry two VLAN tags. To ensure that user networks on which CE1 and CE2 reside can communicate and that user networks on which CE3 and CE4 reside can communicate, configure QinQ VLAN tag termination sub-interfaces on PE1 and PE2 and bind these sub-interfaces to virtual private network (VPN) instances to provide L3VPN access.

Figure 1-742 Typical networking for configuring the QinQ VLAN tag termination sub-interface to provide L3VPN access

Interfaces 1 through 3, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, GE 0/1/1.1, and GE 0/1/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure the Layer 2 forwarding function on the CEs so that the packets sent by the CEs to the routers carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on Device A and Device B so that packets sent by Device A to PE1 and packets sent by Device B to PE2 carry two VLAN tags.
Configure L3VPN services on PE1, the P, and PE2, configure QinQ VLAN tag termination sub-interfaces on PE1 and PE2, and bind these sub-interfaces to VPN instances so that users can communicate over the L3VPN.
1. Configure a routing protocol on PE1, the P, and PE2 to ensure Layer 3 connectivity.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on PE1, the P, and PE2 and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Configure VPN instances and QinQ VLAN tag termination sub-interfaces on PE1 and PE2, bind these sub-interfaces to the VPN instances to provide L3VPN access.
4. Establish a Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationship between the PEs so that users in the same VPN instance can communicate.
5. Establish External BGP (EBGP) peer relationships between the PEs and CEs to exchange VPN routes so that the CEs can communicate.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers to the CEs
VLAN IDs in the outer VLAN tags of packets sent by Device A to PE1 and packets sent by Device B to PE2
Names and IP addresses of the interfaces that connect the PEs and the routers
Names and IP addresses of the interfaces that connect PE1 and PE2
MPLS LSR IDs of the PEs and P, names of VPN instances on the PEs, and VPN targets of VPN routes

Procedure

Configure Layer 2 forwarding on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 10

[*CE1-vlan10] quit

[*CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/1.1

[*CE1-GigabitEthernet0/1/1.1] ip address 10.1.1.2 24

[*CE1-GigabitEthernet0/1/1.1] vlan-type dot1q 10

[*CE1-GigabitEthernet0/1/1.1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] interface gigabitethernet 0/1/1.1

[*CE2-GigabitEthernet0/1/1.1] ip address 10.2.1.2 24

[*CE2-GigabitEthernet0/1/1.1] vlan-type dot1q 10

[*CE2-GigabitEthernet0/1/1.1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 20

[*CE3-vlan20] quit

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/1.1

[*CE3-GigabitEthernet0/1/1.1] ip address 10.3.1.2 24

[*CE3-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*CE3-GigabitEthernet0/1/1.1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] vlan 20

[*CE4-vlan20] quit

[*CE4] interface gigabitethernet 0/1/1

[*CE4-GigabitEthernet0/1/1] undo shutdown

[*CE4-GigabitEthernet0/1/1] quit

[*CE4] interface gigabitethernet 0/1/1.1

[*CE4-GigabitEthernet0/1/1.1] ip address 10.4.1.2 24

[*CE4-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*CE4-GigabitEthernet0/1/1.1] quit

[*CE4] commit

Configure the QinQ and Layer 2 forwarding functions on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan 100

[*DeviceA-vlan100] quit

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan 100

[*DeviceB-vlan100] quit

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/2

[*DeviceB-GigabitEthernet0/1/2] undo shutdown

[*DeviceB-GigabitEthernet0/1/2] portswitch

[*DeviceB-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceB-GigabitEthernet0/1/2] quit

[*DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type trunk

[*DeviceB-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] commit

Configure an L3VPN.

Configure OSPF on PE1, the P, and PE2.

Assign an IP address to each interface on the PEs and P. Make sure that the 32-bit loopback addresses of PE1, the P, and PE2 are advertised after OSPF is enabled.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure the P.

<HUAWEI> system-view

[~HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface LoopBack 1

[*P-LoopBack1] ip address 2.2.2.9 32

[*P-LoopBack1] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] ip address 192.168.1.2 24

[*P-GigabitEthernet0/1/1] undo shutdown

[*P-GigabitEthernet0/1/1] quit

[*P] interface gigabitethernet 0/1/2

[*P-GigabitEthernet0/1/2] ip address 192.168.2.1 24

[*P-GigabitEthernet0/1/2] undo shutdown

[*P-GigabitEthernet0/1/2] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] quit

[*P] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 1

[*PE2-LoopBack1] ip address 3.3.3.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

After the configurations are complete, PE1 and PE2 have OSPF routes to the loopback interface of each other. PE1 and PE2 can ping each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 11       Routes : 11

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/1/2
        3.3.3.9/32  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=2 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/5 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] mpls

[*PE1-GigabitEthernet0/1/2] mpls ldp

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] commit

# Configure the P.

[~P] mpls lsr-id 2.2.2.9

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet0/1/1

[*P-GigabitEthernet0/1/1] mpls

[*P-GigabitEthernet0/1/1] mpls ldp

[*P-GigabitEthernet0/1/1] quit

[*P] interface gigabitethernet0/1/2

[*P-GigabitEthernet0/1/2] mpls

[*P-GigabitEthernet0/1/2] mpls ldp

[*P-GigabitEthernet0/1/2] quit

[*P] commit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] commit

The following uses the command output on PE1. The status is Operational.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
-------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0         Operational  DU   Passive  0000:00:00   5/5
 3.3.3.9:0         Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

Configure VPN instances and bind the VPN instances to the QinQ VLAN tag termination sub-interface.

# Configure PE1.

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1-vpn-instance-vpn1] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/1/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 200:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] quit

[*PE1-vpn-instance-vpn2] quit

[*PE1] interface gigabitethernet 0/1/1.2

[*PE1-GigabitEthernet0/1/1.2] control-vid 2 qinq-termination

[*PE1-GigabitEthernet0/1/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/1/1.2] ip address 10.3.1.1 24

[*PE1-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/1/1.2] quit

[*PE1] commit

# Configure PE2.

[~PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] quit

[*PE2-vpn-instance-vpn1] quit

[*PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE2-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/1/1.1] ip address 10.2.1.1 24

[*PE2-GigabitEthernet0/1/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] ip vpn-instance vpn2

[*PE2-vpn-instance-vpn2] route-distinguisher 200:2

[*PE2-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE2-vpn-instance-vpn2-af-ipv4] quit

[*PE2-vpn-instance-vpn2] quit

[*PE2] interface gigabitethernet 0/1/1.2

[*PE2-GigabitEthernet0/1/1.2] control-vid 2 qinq-termination

[*PE2-GigabitEthernet0/1/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/1/1.2] ip binding vpn-instance vpn2

[*PE2-GigabitEthernet0/1/1.2] ip address 10.4.1.1 24

[*PE2-GigabitEthernet0/1/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/1/1.2] quit

When you run the qinq termination command on an interface, if the pe-vid values of the two different sub-interfaces are the same, make sure that the ce-vid values are different.

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

Use the command output on PE1 as an example.

[~PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/1/1.1
 Address family ipv4
  Create date : 2012-07-18 14:34:48
  Up time : 0 days, 00 hours, 07 minutes and 54 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets : 100:1
  Import VPN Targets : 100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

 VPN-Instance Name and ID : vpn2, 2
  Interfaces : GigabitEthernet0/1/1.2
 Address family ipv4
  Create date : 2012-07-18 14:38:44
  Up time : 0 days, 00 hours, 03 minutes and 58 seconds
  Route Distinguisher : 200:2
  Export VPN Targets : 200:2
  Import VPN Targets : 200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] peer 3.3.3.9 as-number 100

[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1

[*PE1-bgp] ipv4-family vpnv4

[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[*PE1-bgp-af-vpnv4] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] peer 1.1.1.9 as-number 100

[*PE2-bgp] peer 1.1.1.9 connect-interface loopback 1

[*PE2-bgp] ipv4-family vpnv4

[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[*PE2-bgp-af-vpnv4] quit

[*PE2-bgp] quit

[*PE2] commit

[~PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  3.3.3.9         4         100        4        4     0 00:00:33 Established    0

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.

# Configure CE1.

[~CE1] bgp 65410

[*CE1-bgp] peer 10.1.1.1 as-number 100

[*CE1-bgp] import-route direct

[*CE1-bgp] quit

[*CE1] commit

# Configure CE2.

[~CE2] bgp 65420

[*CE2-bgp] peer 10.2.1.1 as-number 100

[*CE2-bgp] import-route direct

[*CE2-bgp] quit

[*CE2] commit

# Configure CE3.

[~CE3] bgp 65411

[*CE3-bgp] peer 10.3.1.1 as-number 100

[*CE3-bgp] import-route direct

[*CE3-bgp] quit

[*CE3] commit

# Configure CE4.

[~CE4] bgp 65421

[*CE4-bgp] peer 10.4.1.1 as-number 100

[*CE4-bgp] import-route direct

[*CE4-bgp] quit

[*CE4] commit

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] ipv4-family vpn-instance vpn1

[*PE1-bgp-vpn1] peer 10.1.1.2 as-number 65410

[*PE1-bgp-vpn1] import-route direct

[*PE1-bgp-vpn1] quit

[*PE1-bgp] ipv4-family vpn-instance vpn2

[*PE1-bgp-vpn2] peer 10.3.1.2 as-number 65411

[*PE1-bgp-vpn2] import-route direct

[*PE1-bgp-vpn2] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] ipv4-family vpn-instance vpn1

[*PE2-bgp-vpn1] peer 10.2.1.2 as-number 65420

[*PE2-bgp-vpn1] import-route direct

[*PE2-bgp-vpn1] quit

[*PE2-bgp] ipv4-family vpn-instance vpn2

[*PE2-bgp-vpn2] peer 10.4.1.2 as-number 65421

[*PE2-bgp-vpn2] import-route direct

[*PE2-bgp-vpn2] quit

[*PE2-bgp] quit

[*PE2] commit

Use the BGP peer relationship between PE1 and CE1 as an example.

[~PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

 VPN-Instance vpn1, router ID 1.1.1.9:
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS    MsgRcvd  MsgSent  OutQ  Up/Down     State         PrefRcv
  10.1.1.2        4         65410     6        7       0 00:02:58      Established    1

After the configurations are complete, the PEs can ping the CEs connected to them.

Use the command output on PE1 as an example.

[*PE1] ping -vpn-instance vpn1 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=60 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/54/60 ms

Verify the configuration.

Run the display qinq information termination command to view information about QinQ VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the L3VPN.

Use the command output on PE1 as an example.

[*PE1] display qinq information termination interface gigabitethernet 0/1/1

  GigabitEthernet0/1/1.1
    L3VPN bound
    Total QinQ Num: 1
      qinq termination pe-vid 100 ce-vid 10
    Total vlan-group Num: 0
    encapsulation qinq-termination
  GigabitEthernet0/1/1.2
    L3VPN bound
    Total QinQ Num: 1
      qinq termination pe-vid 100 ce-vid 20
    Total vlan-group Num: 0
    encapsulation qinq-termination

Verify that the following conditions are true:

a. Hosts attached to CE1 and CE2 can ping each other.

b. Hosts attached to CE3 and CE4 can ping each other.

c. CE1 and CE2 cannot communicate with CE3 and CE4.

On the PEs, you can view the corresponding ARP entries. Use PE1 as an example.

[*PE1] display arp slot 1

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------------------------------
192.168.1.1     00e0-fc12-3458            I -         GE0/1/2
192.168.1.2     00e0-fc12-3457  20        D-9         GE0/1/2
10.1.1.1        00e0-fc12-3459            I -         GE0/1/1.1       vpn1
10.1.1.2        00e0-fc12-3456  20        D-9         GE0/1/1.1       vpn1            100/10
10.3.1.1        00e0-fc12-3459            I -         GE0/1/1.2       vpn2
10.3.1.2        00e0-fc12-3456  20        D-9         GE0/1/1.2       vpn2            100/20
-----------------------------------------------------------------------------------------------------
Total:6         Dynamic:3       Static:0    Interface:3

Configuration Files

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization 
 import-route direct
  peer 10.1.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 20
 ip address 10.3.1.2 255.255.255.0
#
bgp 65420
 peer 10.2.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization 
 import-route direct
  peer 10.2.1.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.2.1.2 255.255.255.0
#
bgp 65411
 peer 10.3.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.1 enable
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 20
 ip address 10.4.1.2 255.255.255.0
#
bgp 65421
 peer 10.4.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.4.1.1 enable
#
return

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 arp broadcast enable
#
interface GigabitEthernet0/1/1.2
 ip binding vpn-instance vpn2
 ip address 10.3.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.3.1.2 as-number 65411
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

P configuration file

#
 sysname P
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn1
 ip address 10.2.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 arp broadcast enable
#
interface GigabitEthernet0/1/1.2
 ip binding vpn-instance vpn2
 ip address 10.4.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.2.1.2 as-number 65420
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.4.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface to Access an L2VPN

This example shows how to configure the dot1q VLAN tag termination sub-interface to access a Layer 2 virtual private network (L2VPN). This configuration ensures that users communicate over the L2VPN using single-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication.

On the network shown in Figure 1-743, the CEs connect to the PEs through the routers, and the routers access the L3VPN through dot1q VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry one VLAN tag. The packets sent from the routers to the PEs carry one VLAN tag. Dot1q VLAN tag termination sub-interfaces need to be configured on PE1, PE2, and PE3 and bound to a VSI or an L2VC to access the L2VPN, implementing interworking between CEs 1 through 6.

Figure 1-743 Typical networking for configuring the dot1q VLAN tag termination sub-interface to access an L2VPN

Interfaces 1 through 3 and sub-interface 1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using dot1q VLAN tag termination sub-interfaces so that CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as dot1q VLAN tag termination sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses of interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs on the routers and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on the routers and CEs so that the packets sent from the routers to the PEs carry one VLAN tag.
Configure a VPLS network and dot1q VLAN tag termination sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and dot1q VLAN tag termination sub-interfaces on the PEs, and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers and the CEs
Names and IP addresses of the interfaces that connect the PEs and the routers
Names and IP addresses of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure IP addresses of interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/1/1

[*CE4-GigabitEthernet0/1/1] undo shutdown

[*CE4-GigabitEthernet0/1/1] ip address 10.1.1.4 24

[*CE4-GigabitEthernet0/1/1] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] interface gigabitethernet 0/1/1

[*CE5-GigabitEthernet0/1/1] undo shutdown

[*CE5-GigabitEthernet0/1/1] ip address 10.1.1.5 24

[*CE5-GigabitEthernet0/1/1] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] interface gigabitethernet 0/1/1

[*CE6-GigabitEthernet0/1/1] undo shutdown

[*CE6-GigabitEthernet0/1/1] ip address 10.1.1.6 24

[*CE6-GigabitEthernet0/1/1] quit

[*CE6] commit

Create VLANs on the routers and associate Layer 2 interfaces with the VLANs.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port link-type access

[*DeviceA-GigabitEthernet0/1/1] port default vlan 10

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port link-type access

[*DeviceA-GigabitEthernet0/1/2] port default vlan 20

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port link-type access

[*DeviceB-GigabitEthernet0/1/1] port default vlan 10

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/2

[*DeviceB-GigabitEthernet0/1/2] undo shutdown

[*DeviceB-GigabitEthernet0/1/2] portswitch

[*DeviceB-GigabitEthernet0/1/2] port link-type access

[*DeviceB-GigabitEthernet0/1/2] port default vlan 20

[*DeviceB-GigabitEthernet0/1/2] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan batch 10 20

[*DeviceC] interface gigabitethernet 0/1/1

[*DeviceC-GigabitEthernet0/1/1] undo shutdown

[*DeviceC-GigabitEthernet0/1/1] portswitch

[*DeviceC-GigabitEthernet0/1/1] port link-type access

[*DeviceC-GigabitEthernet0/1/1] port default vlan 10

[*DeviceC-GigabitEthernet0/1/1] quit

[*DeviceC] interface gigabitethernet 0/1/2

[*DeviceC-GigabitEthernet0/1/2] undo shutdown

[*DeviceC-GigabitEthernet0/1/2] portswitch

[*DeviceC-GigabitEthernet0/1/2] port link-type access

[*DeviceC-GigabitEthernet0/1/2] port default vlan 20

[*DeviceC-GigabitEthernet0/1/2] quit

[*DeviceC] commit

Configure the Layer 2 forwarding function.

# Configure Device A.

[~DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

# Configure Device B.

[~DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type trunk

[*DeviceB-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] commit

# Configure Device C.

[~DeviceC] interface gigabitethernet 0/1/3

[*DeviceC-GigabitEthernet0/1/3] undo shutdown

[*DeviceC-GigabitEthernet0/1/3] portswitch

[*DeviceC-GigabitEthernet0/1/3] port link-type trunk

[*DeviceC-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceC-GigabitEthernet0/1/3] quit

[*DeviceC] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] ip address 192.168.3.1 24

[*PE1-GigabitEthernet0/1/3] undo shutdown

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet 0/1/3

[*PE2-GigabitEthernet0/1/3] ip address 192.168.3.2 24

[*PE2-GigabitEthernet0/1/3] undo shutdown

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] ip address 192.168.1.2 24

[*PE3-GigabitEthernet0/1/2] undo shutdown

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] ip address 192.168.2.1 24

[*PE3-GigabitEthernet0/1/3] undo shutdown

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/1/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/1/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/1/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] mpls

[*PE1-GigabitEthernet0/1/2] mpls ldp

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] mpls

[*PE1-GigabitEthernet0/1/3] mpls ldp

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet0/1/3

[*PE2-GigabitEthernet0/1/3] mpls

[*PE2-GigabitEthernet0/1/3] mpls ldp

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] mpls

[*PE3-GigabitEthernet0/1/2] mpls ldp

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] mpls

[*PE3-GigabitEthernet0/1/3] mpls ldp

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] commit

After the configurations are complete, LDP sessions are set up between PEs. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

Use the command output on PE1 as an example.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network

 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and bind the dot1q VLAN tag termination sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE1-GigabitEthernet0/1/1.1] dot1q termination vid 20

[*PE1-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE2-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE2-GigabitEthernet0/1/1.1] dot1q termination vid 20

[*PE2-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/1/1.1

[*PE3-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination

[*PE3-GigabitEthernet0/1/1.1] dot1q termination vid 10

[*PE3-GigabitEthernet0/1/1.1] dot1q termination vid 20

[*PE3-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE3-GigabitEthernet0/1/1.1] quit

[*PE3] commit

When you run the dot1q termination command on an interface, make sure that the VLAN tag values of the two different sub-interfaces are different.

After the configurations are complete, run the display vsi name ldp1 verbose command on PE1. The command output shows that PWs to PE2 and PE3 are set up on the VSI named ldp1 and that the VSI status is up.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1

    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/1/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display dot1q information termination interface command to view information about the dot1q VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

Use the command output on PE1 as an example.

[*PE1] display dot1q information termination interface gigabitethernet 0/1/1

  GigabitEthernet0/1/1.1
    VSI bound
    Total QinQ Num: 2
      dot1q  termination vid 10
      dot1q  termination vid 20
    Total vlan-group Num: 0
    encapsulation dot1q-termination

Hosts attached to CE1, CE2, and CE3 can ping each other.

[~CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[~CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.4 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.5 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.1.6 255.255.255.0
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Access an L2VPN

This example shows how to configure the QinQ VLAN tag termination sub-interface to access a Layer 2 virtual private network (L2VPN). This configuration ensures that users communicate over the L2VPN using double-tagged packets.

Networking Requirements

On the network shown in Figure 1-744, the CEs connect to the PEs through the routers, and the routers access the L2VPN through QinQ VLAN tag termination sub-interfaces. The packets sent from the routers to the PEs carry two VLAN tags. QinQ VLAN tag termination sub-interfaces need to be configured on PE1, PE2, and PE3 and bound to VSIs or L2VCs to access the L2VPN, implementing interworking between CEs 1 through 6.

Figure 1-744 Typical networking for configuring the QinQ VLAN tag termination sub-interface to access an L2VPN

Interfaces 1 through 3 and sub-interface 1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using QinQ VLAN tag termination sub-interfaces so that CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as QinQ VLAN tag termination sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure the Layer 2 forwarding function on the CEs so that the packets sent by the CEs to the routers carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on the routers so that the packets sent by the routers to the PEs carry two VLAN tags.
Configure a VPLS network and QinQ VLAN tag termination sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and QinQ VLAN tag termination sub-interfaces on the PEs, and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Outer VLAN tag in the packets sent from the routers to the PEs
Names of the interfaces that connect the routers and the CEs
Names of the interfaces that connect the PEs and the routers

Names and IP addresses of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure the Layer 2 forwarding function on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 10

[*CE1-vlan10] quit

[*CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/1.1

[*CE1-GigabitEthernet0/1/1.1] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/1/1.1] vlan-type dot1q 10

[*CE1-GigabitEthernet0/1/1.1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] interface gigabitethernet 0/1/1.1

[*CE2-GigabitEthernet0/1/1.1] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/1/1.1] vlan-type dot1q 10

[*CE2-GigabitEthernet0/1/1.1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 10

[*CE3-vlan10] quit

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] interface gigabitethernet 0/1/1.1

[*CE3-GigabitEthernet0/1/1.1] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/1/1.1] vlan-type dot1q 10

[*CE3-GigabitEthernet0/1/1.1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] vlan 20

[*CE4-vlan20] quit

[*CE4] interface gigabitethernet 0/1/1

[*CE4-GigabitEthernet0/1/1] undo shutdown

[*CE4-GigabitEthernet0/1/1] quit

[*CE4] interface gigabitethernet 0/1/1.1

[*CE4-GigabitEthernet0/1/1.1] ip address 10.2.1.1 24

[*CE4-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*CE4-GigabitEthernet0/1/1.1] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] vlan 20

[*CE5-vlan20] quit

[*CE5] interface gigabitethernet 0/1/1

[*CE5-GigabitEthernet0/1/1] undo shutdown

[*CE5-GigabitEthernet0/1/1] quit

[*CE5] interface gigabitethernet 0/1/1.1

[*CE5-GigabitEthernet0/1/1.1] ip address 10.2.1.2 24

[*CE5-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*CE5-GigabitEthernet0/1/1.1] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] vlan 20

[*CE6-vlan20] quit

[*CE6] interface gigabitethernet 0/1/1

[*CE6-GigabitEthernet0/1/1] undo shutdown

[*CE6-GigabitEthernet0/1/1] quit

[*CE6] interface gigabitethernet 0/1/1.1

[*CE6-GigabitEthernet0/1/1.1] ip address 10.2.1.3 24

[*CE6-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*CE6-GigabitEthernet0/1/1.1] quit

[*CE6] commit

Configure the QinQ and Layer 2 forwarding functions on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan 100

[*DeviceA-vlan100] quit

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan 100

[*DeviceB-vlan100] quit

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/2

[*DeviceB-GigabitEthernet0/1/2] undo shutdown

[*DeviceB-GigabitEthernet0/1/2] portswitch

[*DeviceB-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceB-GigabitEthernet0/1/2] quit

[*DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type trunk

[*DeviceB-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan 100

[*DeviceC-vlan100] quit

[*DeviceC] interface gigabitethernet 0/1/1

[*DeviceC-GigabitEthernet0/1/1] undo shutdown

[*DeviceC-GigabitEthernet0/1/1] portswitch

[*DeviceC-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceC-GigabitEthernet0/1/1] quit

[*DeviceC] interface gigabitethernet 0/1/2

[*DeviceC-GigabitEthernet0/1/2] undo shutdown

[*DeviceC-GigabitEthernet0/1/2] portswitch

[*DeviceC-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceC-GigabitEthernet0/1/2] quit

[*DeviceC] interface gigabitethernet 0/1/3

[*DeviceC-GigabitEthernet0/1/3] undo shutdown

[*DeviceC-GigabitEthernet0/1/3] portswitch

[*DeviceC-GigabitEthernet0/1/3] port link-type trunk

[*DeviceC-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceC-GigabitEthernet0/1/3] quit

[*DeviceC] commit

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] ip address 192.168.3.1 24

[*PE1-GigabitEthernet0/1/3] undo shutdown

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet 0/1/3

[*PE2-GigabitEthernet0/1/3] ip address 192.168.3.2 24

[*PE2-GigabitEthernet0/1/3] undo shutdown

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] ip address 192.168.1.2 24

[*PE3-GigabitEthernet0/1/2] undo shutdown

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] ip address 192.168.2.1 24

[*PE3-GigabitEthernet0/1/3] undo shutdown

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/1/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/1/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/1/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] mpls

[*PE1-GigabitEthernet0/1/2] mpls ldp

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] mpls

[*PE1-GigabitEthernet0/1/3] mpls ldp

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet0/1/3

[*PE2-GigabitEthernet0/1/3] mpls

[*PE2-GigabitEthernet0/1/3] mpls ldp

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] mpls

[*PE3-GigabitEthernet0/1/2] mpls ldp

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] mpls

[*PE3-GigabitEthernet0/1/3] mpls ldp

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] commit

After the configurations are complete, LDP sessions are set up between PEs. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

Use the command output on PE1 as an example.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network

 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and bind the QinQ VLAN tag termination sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/1/1.1] qinq termination l2 symmetry

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE2-GigabitEthernet0/1/1.1] qinq termination l2 symmetry

[*PE2-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/1/1.1

[*PE3-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination

[*PE3-GigabitEthernet0/1/1.1] qinq termination l2 symmetry

[*PE3-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE3-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE3-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE3-GigabitEthernet0/1/1.1] quit

[*PE3] commit

When you run the qinq termination command on an interface, if the pe-vid values of the two different sub-interfaces are the same, make sure that the ce-vid values are different.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1

    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/1/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display qinq information termination interface command to view information about the QinQ VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

Use the command output on PE1 as an example.

[*PE1] display qinq information termination interface gigabitethernet 0/1/1

  GigabitEthernet0/1/1.1
    VSI bound
    qinq termination l2 symmetry
    Total QinQ Num: 2
      qinq termination pe-vid 100 ce-vid 10
      qinq termination pe-vid 100 ce-vid 20
    Total vlan-group Num: 0
    encapsulation qinq-termination

Hosts attached to CE1, CE2, and CE3 can ping each other.

[*CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[*CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 10
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 20
 ip address 10.2.1.1 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 20
 ip address 10.2.1.2 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 vlan-type dot1q 20
 ip address 10.2.1.3 255.255.255.0
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface to Support DHCP Relay

This example shows how to configure the dot1q VLAN tag termination sub-interface to support Dynamic Host Configuration Protocol (DHCP) relay so that the DHCP relay agent transmits DHCP request packets from DHCP clients to a DHCP server. This configuration enables the clients to dynamically obtain IP addresses from the DHCP server.

Networking Requirements

If the DHCP client and DHCP server belong to different sub-nets, you need to deploy a DHCP relay agent to forward DHCP request packets from the client to the server so that the client can dynamically obtain IP addresses from the DHCP server.

If a DHCP client connects to a DHCP relay agent through a VLAN tag termination sub-interface, you need to configure the sub-interface to support DHCP relay on the DHCP relay agent. Without the configuration, the DHCP relay agent considers the received user packets with VLAN tags to be invalid. As a result, the DHCP client cannot dynamically obtain IP addresses from a DHCP server.

On the network shown in Figure 1-745, a DHCP client and a DHCP server belong to different network segments. The DHCP client is connected to a DHCP relay agent through a CE and then connected to the DHCP server through the DHCP relay agent. The packets sent from the CE to the DHCP relay agent carry one VLAN tag. On the DHCP relay agent, the dot1q VLAN tag termination sub-interface needs to be configured to support DHCP relay, ensuring that the DHCP client can dynamically obtain an IP address from the DHCP server.

Figure 1-745 Typical networking for configuring the dot1q VLAN tag termination sub-interface to support DHCP relay

Interfaces 1 and 2 and sub-interface 1.1 in this example represent GE 0/1/1, GE 0/1/2, and GE 0/1/1.1, respectively.

Precautions

If the DHCP client sends broadcast packets, the interface that has DHCP relay enabled must support broadcast.

Configuration Roadmap

The configuration roadmap is as follows:

Create a VLAN and configure the Layer 2 forwarding function on the CE so that the packets sent from the CE to the DHCP relay agent carry one VLAN tag.
Configure DHCP relay on the DHCP relay agent and configure the dot1q VLAN tag termination sub-interface to support DHCP relay so that the DHCP client and server can communicate using DHCP packets.
Enable basic DHCP functions and configure an address pool on the DHCP server so that the DHCP server can assign IP addresses correctly.

Data Preparation

To complete the configuration, you need the following data:

User VLAN ID
Names of the interfaces that connect the CE and the DHCP client
Names and IP addresses of the interfaces that connect the DHCP relay agent and the CE
Names and IP addresses of the interfaces that connect the DHCP relay agent and the DHCP server
IP address pool range of the DHCP server

Procedure

Create a VLAN and configure the Layer 2 forwarding function on the CE.

<HUAWEI> system-view

[~HUAWEI] sysname CE

[*HUAWEI] commit

[~CE] vlan 10

[*CE-vlan10] quit

[*CE] interface gigabitethernet 0/1/1

[*CE-GigabitEthernet0/1/1] undo shutdown

[*CE-GigabitEthernet0/1/1] portswitch

[*CE-GigabitEthernet0/1/1] port link-type access

[*CE-GigabitEthernet0/1/1] port default vlan 10

[*CE-GigabitEthernet0/1/1] quit

[*CE] interface gigabitethernet 0/1/2

[*CE-GigabitEthernet0/1/2] undo shutdown

[*CE-GigabitEthernet0/1/2] portswitch

[*CE-GigabitEthernet0/1/2] port link-type trunk

[*CE-GigabitEthernet0/1/2] port trunk allow-pass vlan 10

[*CE-GigabitEthernet0/1/2] quit

[*CE] commit

Configure DHCP relay on the DHCP relay agent, and configure the dot1q VLAN tag termination sub-interface to support DHCP relay.
# Enable DHCP.
```
<HUAWEI> system-view
```
```
[~HUAWEI] sysname DHCP-Relay
```
```
[*HUAWEI] commit
```
```
[~DHCP-Relay] dhcp enable
```
```
[*DHCP-Relay] commit
```
# Assign an IP address to the network-side GE 0/1/2 on the DHCP relay agent.
```
[~DHCP-Relay] interface gigabitethernet 0/1/2
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] undo shutdown
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] ip address 192.168.2.1 24
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] quit
```
```
[*DHCP-Relay] commit
```
# Assign an IP address to the user-side GE 0/1/1.1 on the DHCP relay agent. This IP address must be on the same network segment as the IP address of the DHCP client.
```
[~DHCP-Relay] interface gigabitethernet 0/1/1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1] undo shutdown
```
```
[*DHCP-Relay-GigabitEthernet0/1/1] quit
```
```
[*DHCP-Relay] interface gigabitethernet 0/1/1.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] ip address 192.168.1.1 24
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] ip relay address 192.168.3.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] dhcp select relay
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] commit
```
# Configure the dot1q VLAN tag termination sub-interface to support DHCP relay.
```
[*DHCP-Relay] interface gigabitethernet 0/1/1.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] control-vid 1 dot1q-termination
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] dot1q termination vid 10
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] arp broadcast enable
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] quit
```
```
[*DHCP-Relay] commit
```
- If Option82 is not configured on the dot1q VLAN tag termination sub-interface on the DHCP relay agent, the sub-interface encapsulates only the smallest VLAN ID configured on it in DHCP packets and forwards the packets to DHCP clients.
  
  In this example, if dot1q termination vid 10 and dot1q termination vid 20 are configured on the dot1q VLAN tag termination sub-interface, the sub-interface encapsulates VLAN 10 in the DHCP packets and forwards the packets to the DHCP client. In this case, DHCP clients in VLAN 20 cannot obtain IP addresses.
- If Option82 is configured on the dot1q VLAN tag termination sub-interface on the DHCP relay agent, the sub-interface encapsulates the corresponding VLAN IDs in the DHCP packets and forwards the packets to DHCP clients.
Configure a DHCP server.
The configuration details are not provided here.
- When configuring the DHCP server, ensure that an IP address pool is configured on the DHCP server so that the DHCP server can assign IP addresses to DHCP clients.
- It is recommended that the address pool lease be configured to improve IP address utilization.
Verify the configuration.
After the configurations are complete, run the display dhcp relay address command on the DHCP relay agent to view the DHCP configuration on the interface that has DHCP relay enabled.
```
[~DHCP-Relay] display dhcp relay address all
```
```
** GigabitEthernet0/1/1.1 DHCP Relay Address  **
 Dhcp Option          Relay Agent IP       Server IP     
 *                    -                    192.168.3.1
```
The DHCP client can obtain an IP address from the DHCP server through the DHCP relay agent.

Configuration Files

Configuration file of the DHCP relay agent

#
 sysname DHCP-Relay
#
dhcp enable
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 ip address 192.168.1.1 255.255.255.0
 ip relay address 192.168.3.1
 dhcp select relay
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
return

Configuration file of the CE

#
 sysname CE
#
 vlan batch 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Support DHCP Relay

This example shows how to configure the QinQ VLAN tag termination sub-interface to support Dynamic Host Configuration Protocol (DHCP) relay so that the DHCP relay agent transmits DHCP request packets from DHCP clients to a DHCP server. This configuration enables the clients to dynamically obtain IP addresses from the DHCP server.

Networking Requirements

On the network shown in Figure 1-746, DHCP clients and a DHCP server belong to different network segments. The DHCP clients are connected to a DHCP relay agent through CE and then connected to the DHCP server through the DHCP relay agent. The packets sent from CE1 to the DHCP relay agent carry two VLAN tags. On the DHCP relay agent, the QinQ VLAN tag termination sub-interface needs to be configured to support DHCP relay, ensuring that DHCP clients can dynamically obtain IP addresses from the DHCP server.

Figure 1-746 Typical networking for configuring the QinQ VLAN tag termination sub-interface to support DHCP relay

Interfaces 1 through 3 and sub-interface 1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Precautions

If the DHCP client sends broadcast packets, the interface that has DHCP relay enabled must support broadcast.

Configuration Roadmap

The configuration roadmap is as follows:

Create VLANs and configure the Layer 2 forwarding function on CE2 and CE3 so that the packets sent from CE2 and CE3 to CE1 carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on CE1 so that the packets sent from CE1 to the DHCP relay agent carry two VLAN tags.
Configure DHCP relay on the DHCP relay agent and configure the QinQ VLAN tag termination sub-interface to support DHCP relay so that the DHCP clients and server can communicate using DHCP packets.
Enable basic DHCP functions and configure an address pool on the DHCP server so that the DHCP server can assign IP addresses correctly.

Data Preparation

To complete the configuration, you need the following data:

User VLAN IDs
Names of the interfaces that connect CE (CE2 and CE3) and DHCP clients
Names of interfaces that connect CE
Names and IP addresses of the interfaces that connect the DHCP relay agent and CE1
Names and IP addresses of the interfaces that connect the DHCP relay agent and the DHCP server
Outer VLAN tag in packets to be terminated by the QinQ VLAN tag termination sub-interfaces
IP address pool range of the DHCP server

Procedure

Create VLANs and configure the Layer 2 forwarding function on CE2 and CE3.

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/1/3

[*CE2-GigabitEthernet0/1/3] undo shutdown

[*CE2-GigabitEthernet0/1/3] portswitch

[*CE2-GigabitEthernet0/1/3] port link-type access

[*CE2-GigabitEthernet0/1/3] port default vlan 10

[*CE2-GigabitEthernet0/1/3] quit

[*CE2] interface gigabitethernet 0/1/1

[*CE2-GigabitEthernet0/1/1] undo shutdown

[*CE2-GigabitEthernet0/1/1] portswitch

[*CE2-GigabitEthernet0/1/1] port link-type trunk

[*CE2-GigabitEthernet0/1/1] port trunk allow-pass vlan 10

[*CE2-GigabitEthernet0/1/1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 20

[*CE3-vlan20] quit

[*CE3] interface gigabitethernet 0/1/3

[*CE3-GigabitEthernet0/1/3] undo shutdown

[*CE3-GigabitEthernet0/1/3] portswitch

[*CE3-GigabitEthernet0/1/3] port link-type access

[*CE3-GigabitEthernet0/1/3] port default vlan 20

[*CE3-GigabitEthernet0/1/3] quit

[*CE3] interface gigabitethernet 0/1/1

[*CE3-GigabitEthernet0/1/1] undo shutdown

[*CE3-GigabitEthernet0/1/1] portswitch

[*CE3-GigabitEthernet0/1/1] port link-type trunk

[*CE3-GigabitEthernet0/1/1] port trunk allow-pass vlan 20

[*CE3-GigabitEthernet0/1/1] quit

[*CE3] commit

Configure the QinQ and Layer 2 forwarding functions on CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 100

[*CE1-vlan100] quit

[*CE1] interface gigabitethernet 0/1/1

[*CE1-GigabitEthernet0/1/1] undo shutdown

[*CE1-GigabitEthernet0/1/1] portswitch

[*CE1-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*CE1-GigabitEthernet0/1/1] quit

[*CE1] interface gigabitethernet 0/1/2

[*CE1-GigabitEthernet0/1/2] undo shutdown

[*CE1-GigabitEthernet0/1/2] portswitch

[*CE1-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*CE1-GigabitEthernet0/1/2] quit

[*CE1] interface gigabitethernet 0/1/3

[*CE1-GigabitEthernet0/1/3] undo shutdown

[*CE1-GigabitEthernet0/1/3] portswitch

[*CE1-GigabitEthernet0/1/3] port link-type trunk

[*CE1-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*CE1-GigabitEthernet0/1/3] quit

[*CE1] commit

Configure DHCP relay on the DHCP relay agent, and configure the QinQ VLAN tag termination sub-interface to support DHCP relay.
# Enable DHCP.
```
<HUAWEI> system-view
```
```
[~HUAWEI] sysname DHCP-Relay
```
```
[*HUAWEI] commit
```
```
[~DHCP-Relay] dhcp enable
```
```
[*DHCP-Relay] commit
```
# Assign an IP address to the network-side GE 0/1/2 on the DHCP relay agent.
```
[~DHCP-Relay] interface gigabitethernet 0/1/2
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] undo shutdown
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] ip address 192.168.2.1 24
```
```
[*DHCP-Relay-GigabitEthernet0/1/2] quit
```
```
[*DHCP-Relay] commit
```
# Assign an IP address to the user-side GE 0/1/1.1 on the DHCP relay agent. This IP address must be on the same network segment as the IP address of the DHCP client.
```
[~DHCP-Relay] interface gigabitethernet 0/1/1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1] undo shutdown
```
```
[*DHCP-Relay-GigabitEthernet0/1/1] quit
```
```
[*DHCP-Relay] interface gigabitethernet 0/1/1.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] ip address 192.168.1.1 24
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] ip relay address 192.168.3.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] dhcp select relay
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] commit
```
# Configure the QinQ VLAN tag termination sub-interface to support DHCP relay.
```
[*DHCP-Relay] interface gigabitethernet 0/1/1.1
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] control-vid 1 qinq-termination
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 10
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] qinq termination pe-vid 100 ce-vid 20
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] dhcp option82 rebuild enable
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] arp broadcast enable
```
```
[*DHCP-Relay-GigabitEthernet0/1/1.1] quit
```
```
[*DHCP-Relay] commit
```
- When you run the qinq termination command on a main interface, the ce-vid values must be different if the pe-vid values of the two different sub-interfaces are the same.
- You need to run the dhcp option82 insert enable command or dhcp option82 rebuild enable command on the DHCP relay agent to enable the QinQ VLAN tag termination sub-interface to insert Option82 fields into DHCP packets.
  
  If Option82 is not configured on the dot1q VLAN tag termination sub-interface on the DHCP relay agent, the sub-interface encapsulates only the smallest VLAN ID configured on it in DHCP packets and forwards the packets to DHCP clients.
- After the DHCP relay agent sends a packets containing Option82 information to the DHCP server, the Offer or ACK message returned from the DHCP server must contain the Option82 information.
Configure a DHCP server.
The configuration details are not provided here.
- When configuring the DHCP server, ensure that an IP address pool is configured on the DHCP server so that the DHCP server can assign IP addresses to DHCP clients.
- It is recommended that the address pool lease be configured to improve IP address utilization.
Verify the configuration.
After the configurations are complete, run the display dhcp relay address command on the DHCP relay agent to view the DHCP configuration on the interface that has DHCP relay enabled.
```
[~DHCP-Relay] display dhcp relay address all
```
```
** GigabitEthernet0/1/1.1 DHCP Relay Address  **
 Dhcp Option          Relay Agent IP       Server IP     
 *                    -                    192.168.3.1
```
The DHCP client can obtain an IP address from the DHCP server through the DHCP relay agent.

Configuration Files

Configuration file of the DHCP relay agent

#
 sysname DHCP-Relay
#
dhcp enable
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 ip address 192.168.1.1 255.255.255.0
 ip relay address 192.168.3.1
 dhcp select relay
 dhcp option82 rebuild enable
 arp broadcast enable
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
return

Configuration file of CE1

#
 sysname CE1
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Configuration file of CE2

#
 sysname CE2
#
 vlan batch 10
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Configuration file of CE3

#
 sysname CE3
#
 vlan batch 10
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface to Support the Local Connection

This example shows how to configure the QinQ VLAN tag termination sub-interface to support the local connection. This configuration enables CEs to communicate with each other after being connected to the same virtual switching instance (VSI) on a PE through the sub-interface.

Networking Requirements

On the network shown in Figure 1-747, CE1 and CE2 are connected to PE1 through routers and access the virtual private LAN service (VPLS) network through PE1. The packets sent from Device A to PE1 carry two VLAN tags and the outer VLAN tags are the same. Because the packets received by the user-side interface of PE1 have the same outer VLAN tag, this user-side interface does not forward these packets. As a result, users from different VLANs cannot communicate in the same VSI. QinQ VLAN tag termination sub-interfaces need to be configured to support the local connection on the PEs, ensuring communication between the CEs.

Figure 1-747 Typical networking for configuring the QinQ VLAN tag termination sub-interface to support the local connection

Interfaces 1 through 3 and sub-interface 3.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/3.1, respectively.

Precautions

If the packets received by the user-side interface of PE1 are forwarded through this interface, GE 0/1/3 and GE 0/1/1 on Device A will learn the same MAC address and therefore cannot forward packets correctly. Therefore, MAC address learning must be disabled on Device A that is connected to the user-side interface of PE1.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses of interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs and configure the Layer 2 forwarding function on Device B and Device C so that the packets sent from Device B and Device C to Device A carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on Device A so that the packets sent from Device A to PE1 carry two VLAN tags.
Enable communication between different users in a VSI.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure QinQ VLAN tag termination sub-interfaces on the PEs, bind the sub-interfaces to a VSI to access the VPLS network, and configure the sub-interface on PE1 to support the local connection.
  Users can communicate in a VSI.
Disable MAC address learning on Device A to prevent two interfaces of Device A from learning the same MAC address.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Outer VLAN tag in the packets sent from Device A to PE1
Names of the interfaces that connect the routers and the CEs

Names of the interfaces that connect the routers

Names of the interfaces that connect router A and PE1
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure IP addresses of interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/1/3

[*CE1-GigabitEthernet0/1/3] undo shutdown

[*CE1-GigabitEthernet0/1/3] ip address 10.1.1.1 24

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/1/3

[*CE2-GigabitEthernet0/1/3] undo shutdown

[*CE2-GigabitEthernet0/1/3] ip address 10.1.1.2 24

[*CE2] commit

Create VLANs and configure the Layer 2 forwarding function on Device B and Device C.

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan 10

[*DeviceB-vlan10] quit

[*DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type access

[*DeviceB-GigabitEthernet0/1/3] port default vlan 10

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port link-type trunk

[*DeviceB-GigabitEthernet0/1/1] port trunk allow-pass vlan 10

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan 20

[*DeviceC-vlan20] quit

[*DeviceC] interface gigabitethernet 0/1/3

[*DeviceC-GigabitEthernet0/1/3] undo shutdown

[*DeviceC-GigabitEthernet0/1/3] portswitch

[*DeviceC-GigabitEthernet0/1/3] port link-type access

[*DeviceC-GigabitEthernet0/1/3] port default vlan 20

[*DeviceC-GigabitEthernet0/1/3] quit

[*DeviceC] interface gigabitethernet 0/1/1

[*DeviceC-GigabitEthernet0/1/1] undo shutdown

[*DeviceC-GigabitEthernet0/1/1] portswitch

[*DeviceC-GigabitEthernet0/1/1] port link-type trunk

[*DeviceC-GigabitEthernet0/1/1] port trunk allow-pass vlan 20

[*DeviceC-GigabitEthernet0/1/1] quit

[*DeviceC] commit

Configure the QinQ and Layer 2 forwarding functions on Device A.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan 100

[*DeviceA-vlan100] quit

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 100

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/1

[*PE2-GigabitEthernet0/1/1] ip address 192.168.1.2 24

[*PE2-GigabitEthernet0/1/1] undo shutdown

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 6       Routes : 7
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface

      1.1.1.9/32    Direct 0    0           D  127.0.0.1       LoopBack1
      2.2.2.9/32    OSPF   10   2           D  192.168.3.2     GigabitEthernet0/1/1
  192.168.1.0/30    Direct 0    0           D  192.168.1.1     GigabitEthernet0/1/1
  192.168.1.1/32    Direct 0    0           D  127.0.0.1       GigabitEthernet0/1/1
  192.168.1.2/32    Direct 0    0           D  192.168.1.2     GigabitEthernet0/1/1
     127.0.0.0/8    Direct 0    0           D  127.0.0.1       InLoopBack0
    127.0.0.1/32    Direct 0    0           D  127.0.0.1       InLoopBack0

Enable basic MPLS capabilities and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] mpls

[*PE1-GigabitEthernet0/1/1] mpls ldp

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/1/1

[*PE2-GigabitEthernet0/1/1] mpls

[*PE2-GigabitEthernet0/1/1] mpls ldp

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] commit

After the configurations are complete, LDP sessions are set up between PEs, run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

Use the command output on PE1 as an example.

[~PE1] display mpls ldp session

LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:09  37/37
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

Bind the QinQ VLAN tag termination sub-interface to a VSI, and configure the sub-interface to support the local connection.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 1

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/1/3.1

[*PE1-GigabitEthernet0/1/3.1] control-vid 1 qinq-termination local-switch

[*PE1-GigabitEthernet0/1/3.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/1/3.1] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/1/3.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/1/3.1] quit

[*PE1] commit

# Configure PE2 in the same way as PE1.

When you run the qinq termination command on an interface, if the pe-vid values of the two different sub-interfaces are the same, make sure that the ce-vid values are different.

After the configuration is complete, run the display vsi command on PE1 and PE2. The command outputs show that the VSI status is up. Use the command output on PE1 as an example.

[~PE1] display vsi

Total VSI number is 1, 1 is up, 0 is down, 1 is LDP mode, 0 is BGP mode

Vsi                             Mem    PW   Mac       Encap     Mtu   Vsi
Name                            Disc   Type Learn     Type      Value State
--------------------------------------------------------------------------
ldp1                            static ldp  unqualify vlan      1500  up

Disable MAC address learning on Device A.

[~DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] mac-address learning disable

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] undo mac-address

[*DeviceA] commit

Verify the configuration.

After the configurations are complete, CE1 and CE2 can ping each other.

Use CE1 as an example.

[~CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time = 2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time = 2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time = 2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time = 2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time = 2 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms

Run the display mac-address command to check the MAC address entries on PE1. The command output shows that PE1 has learned the MAC addresses of GE 0/1/3 of CE1 and CE2 and the VLAN IDs in the outer and inner VLAN tags. In addition, the VLAN IDs in the outer VLAN tags are the same.

[*PE1] display mac-address dynamic

MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN/BD/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI/EVPN                                             MAC-Tunnel
-------------------------------------------------------------------------------
00e0-fc12-3457 v1             100    20     GE0/1/3         dynamic   4/65546
00e0-fc12-3456 v1             100    10     GE0/1/3         dynamic   4/65556
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 2

Run the display arp interface command on the CEs, and you can find that the ARP entries of the CEs are correct.

Use the command output on CE1 as an example.

[*CE1] display arp interface gigabitethernet 0/1/3

ARP timeout:1200s
IP ADDRESS      MAC ADDRESS  EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                       VLAN PVC
------------------------------------------------------------------------------
10.1.1.1        00e0-fc12-3456         I    GigabitEthernet0/1/3
10.1.1.2        00e0-fc12-3457  14     D    GigabitEthernet0/1/3
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1    Remote:0

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 1
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
#
interface GigabitEthernet0/1/3.1
 encapsulation qinq-termination local-switch
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 100
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 20
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

Example for Configuring the QinQ Stacking Sub-interface to Access an L2VPN

This example shows how to configure the QinQ stacking sub-interface to access a Layer 2 virtual private network (L2VPN). This configuration allows a physical interface to provide access services for multiple users.

Networking Requirements

On the network shown in Figure 1-748, CEs belong to different VLANs and are connected to PEs through routers. The packets sent from the CEs to the routers do not carry any VLAN tag, and the packets sent from the routers to the PEs carry one VLAN tag. QinQ stacking sub-interfaces need to be configured on the PEs and bound to a virtual switching instance (VSI) or a virtual private wire service (VPWS) to access an L2VPN, allowing the PEs to provide access services for multiple users and the CEs to communicate.

Figure 1-748 Typical networking for configuring the QinQ stacking sub-interface to access an L2VPN

Interfaces 1 through 3 and sub-interface 1.1 in this example represent GE 0/1/1, GE 0/1/2, GE 0/1/3, and GE 0/1/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using QinQ stacking sub-interfaces so that PEs can provide access services for multiple users and CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as QinQ stacking sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses of interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs and configure the Layer 2 forwarding function on the routers so that the packets sent from the routers to the PEs carry one VLAN tag.
Configure a VPLS network and QinQ stacking sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and QinQ stacking sub-interfaces on the PEs and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names of the interfaces that connect the routers and the CEs
Names of the interfaces that connect the PEs and the routers

Names of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure IP addresses of interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/1/3

[*CE1-GigabitEthernet0/1/3] undo shutdown

[*CE1-GigabitEthernet0/1/3] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/1/3] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/1/3

[*CE2-GigabitEthernet0/1/3] undo shutdown

[*CE2-GigabitEthernet0/1/3] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/1/3] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/1/3

[*CE3-GigabitEthernet0/1/3] undo shutdown

[*CE3-GigabitEthernet0/1/3] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/1/3] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/1/3

[*CE4-GigabitEthernet0/1/3] undo shutdown

[*CE4-GigabitEthernet0/1/3] ip address 10.2.1.1 24

[*CE4-GigabitEthernet0/1/3] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] interface gigabitethernet 0/1/3

[*CE5-GigabitEthernet0/1/3] undo shutdown

[*CE5-GigabitEthernet0/1/3] ip address 10.2.1.2 24

[*CE5-GigabitEthernet0/1/3] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] interface gigabitethernet 0/1/3

[*CE6-GigabitEthernet0/1/3] undo shutdown

[*CE6-GigabitEthernet0/1/3] ip address 10.2.1.3 24

[*CE6-GigabitEthernet0/1/3] quit

[*CE6] commit

Create VLANs and configure the Layer 2 forwarding function on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/1/1

[*DeviceA-GigabitEthernet0/1/1] undo shutdown

[*DeviceA-GigabitEthernet0/1/1] portswitch

[*DeviceA-GigabitEthernet0/1/1] port link-type access

[*DeviceA-GigabitEthernet0/1/1] port default vlan 10

[*DeviceA-GigabitEthernet0/1/1] quit

[*DeviceA] interface gigabitethernet 0/1/2

[*DeviceA-GigabitEthernet0/1/2] undo shutdown

[*DeviceA-GigabitEthernet0/1/2] portswitch

[*DeviceA-GigabitEthernet0/1/2] port link-type access

[*DeviceA-GigabitEthernet0/1/2] port default vlan 20

[*DeviceA-GigabitEthernet0/1/2] quit

[*DeviceA] interface gigabitethernet 0/1/3

[*DeviceA-GigabitEthernet0/1/3] undo shutdown

[*DeviceA-GigabitEthernet0/1/3] portswitch

[*DeviceA-GigabitEthernet0/1/3] port link-type trunk

[*DeviceA-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/1/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/1/1

[*DeviceB-GigabitEthernet0/1/1] undo shutdown

[*DeviceB-GigabitEthernet0/1/1] portswitch

[*DeviceB-GigabitEthernet0/1/1] port link-type access

[*DeviceB-GigabitEthernet0/1/1] port default vlan 10

[*DeviceB-GigabitEthernet0/1/1] quit

[*DeviceB] interface gigabitethernet 0/1/2

[*DeviceB-GigabitEthernet0/1/2] undo shutdown

[*DeviceB-GigabitEthernet0/1/2] portswitch

[*DeviceB-GigabitEthernet0/1/2] port link-type access

[*DeviceB-GigabitEthernet0/1/2] port default vlan 20

[*DeviceB-GigabitEthernet0/1/2] quit

[*DeviceB] interface gigabitethernet 0/1/3

[*DeviceB-GigabitEthernet0/1/3] undo shutdown

[*DeviceB-GigabitEthernet0/1/3] portswitch

[*DeviceB-GigabitEthernet0/1/3] port link-type trunk

[*DeviceB-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/1/3] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan batch 10 20

[*DeviceC] interface gigabitethernet 0/1/1

[*DeviceC-GigabitEthernet0/1/1] undo shutdown

[*DeviceC-GigabitEthernet0/1/1] portswitch

[*DeviceC-GigabitEthernet0/1/1] port link-type access

[*DeviceC-GigabitEthernet0/1/1] port default vlan 10

[*DeviceC-GigabitEthernet0/1/1] quit

[*DeviceC] interface gigabitethernet 0/1/2

[*DeviceC-GigabitEthernet0/1/2] undo shutdown

[*DeviceC-GigabitEthernet0/1/2] portswitch

[*DeviceC-GigabitEthernet0/1/2] port link-type access

[*DeviceC-GigabitEthernet0/1/2] port default vlan 20

[*DeviceC-GigabitEthernet0/1/2] quit

[*DeviceC] interface gigabitethernet 0/1/3

[*DeviceC-GigabitEthernet0/1/3] undo shutdown

[*DeviceC-GigabitEthernet0/1/3] portswitch

[*DeviceC-GigabitEthernet0/1/3] port link-type trunk

[*DeviceC-GigabitEthernet0/1/3] port trunk allow-pass vlan 10 20

[*DeviceC-GigabitEthernet0/1/3] quit

[*DeviceC] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] ip address 192.168.3.1 24

[*PE1-GigabitEthernet0/1/3] undo shutdown

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet 0/1/3

[*PE2-GigabitEthernet0/1/3] ip address 192.168.3.2 24

[*PE2-GigabitEthernet0/1/3] undo shutdown

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] ip address 192.168.1.2 24

[*PE3-GigabitEthernet0/1/2] undo shutdown

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] ip address 192.168.2.1 24

[*PE3-GigabitEthernet0/1/3] undo shutdown

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

Use the command output on PE1 as an example.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/1/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/1/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/1/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/1/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/1/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/1/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] mpls

[*PE1-GigabitEthernet0/1/2] mpls ldp

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/3

[*PE1-GigabitEthernet0/1/3] mpls

[*PE1-GigabitEthernet0/1/3] mpls ldp

[*PE1-GigabitEthernet0/1/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] interface gigabitethernet0/1/3

[*PE2-GigabitEthernet0/1/3] mpls

[*PE2-GigabitEthernet0/1/3] mpls ldp

[*PE2-GigabitEthernet0/1/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/1/2

[*PE3-GigabitEthernet0/1/2] mpls

[*PE3-GigabitEthernet0/1/2] mpls ldp

[*PE3-GigabitEthernet0/1/2] quit

[*PE3] interface gigabitethernet 0/1/3

[*PE3-GigabitEthernet0/1/3] mpls

[*PE3-GigabitEthernet0/1/3] mpls ldp

[*PE3-GigabitEthernet0/1/3] quit

[*PE3] commit

After the configurations are complete, LDP sessions are set up between PEs. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

Use the command output on PE1 as an example.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network

 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and QinQ stacking sub-interfaces and bind these sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] qinq stacking vid 10

[*PE1-GigabitEthernet0/1/1.1] qinq stacking vid 20

[*PE1-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] qinq stacking vid 10

[*PE2-GigabitEthernet0/1/1.1] qinq stacking vid 20

[*PE2-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/1/1.1

[*PE3-GigabitEthernet0/1/1.1] qinq stacking vid 10

[*PE3-GigabitEthernet0/1/1.1] qinq stacking vid 20

[*PE3-GigabitEthernet0/1/1.1] l2 binding vsi ldp1

[~PE3-GigabitEthernet0/1/1.1] quit

[*PE3] commit

When you configure the QinQ stacking sub-interfaces, specify only the VLAN IDs in the inner VLAN tags. The outer VLAN tag is automatically assigned by the system.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1

    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/1/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display qinq information stacking interface command to view information about QinQ stacking sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

Use the command output on PE1 as an example.

[*PE1] display qinq information stacking interface gigabitethernet 0/1/1

  GigabitEthernet0/1/1.1
    VSI bound
    Total QinQ Num: 2
      qinq Stacking vid 10
      qinq Stacking vid 20
    Total vlan-group Num: 0

Hosts attached to CE1, CE2, and CE3 can ping each other.

[~CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[*CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 0/1/223 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/1/1
 undo shutdown
#
interface GigabitEthernet0/1/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 10 20
#
interface GigabitEthernet0/1/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/1/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.2.1.3 255.255.255.0
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-Interface in a VSI to Support IGMP Snooping

You can configure a QinQ VLAN tag termination sub-interface to support Internet Group Management Protocol (IGMP) snooping on only Layer 2 interfaces rather than Layer 3 interfaces.

Networking Requirements

On the network shown in Figure 1-749, Multicast protocol packets are labeled with an outer tag and an inner tag on CE1 and CE2 respectively, and then sent to PE1. After receiving the packets, PE1 terminates two tags, and then accesses the virtual private LAN service (VPLS) network in an asymmetrical manner. PE2 terminates the pseudowire (PW), joins the related multicast VLAN, and accesses the multicast source.

PE2 functions as a Superstratum PE (SPE) device, and PE1 functions an Underlayer PE (UPE) device. When the hierarchical virtual private LAN service (HVPLS) is deployed, multicast packets are broadcast in a virtual switching instance (VSI) if PE1 and PE2 do not support IGMP snooping. This wastes network resources.

After IGMP snooping is configured, multicast packets are sent to only access devices of multicast receivers.

On the network with a stable topology, the PW on PE1 is configured as a static router interface in the VSI. Therefore, receivers can steadily receive multicast data.

To reduce the number of IGMP Query packets from the upstream router, you are advised to configure PE2 as a querier. This saves bandwidths.

Figure 1-749 Networking diagram for configuring the QinQ VLAN tag termination sub-interface to support IGMP snooping over VPLS

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.

Device	Interface	IP Address
PE1	GE0/1/2	-
	GE0/1/1	192.168.12.1/24
	Loopback1	1.1.1.1/32
P	GE0/1/0	192.168.12.2/24
	GE0/1/1	192.168.23.1/24
	Loopback 2	2.2.2.2/32
PE2	GE0/1/2	192.168.23.2/24
	GE0/1/1	-
	Loopback3	3.3.3.3/32

Configuration Roadmap

The configuration roadmap is as follows:

Configure the termination mode on PE1 to be the user termination mode.
Configure basic VPLS functions.
Enable global IGMP snooping and IGMP snooping for a VSI.
Bind a VSI to an AC interface on PE1 and PE2 respectively.
Configure a PW on PE1, P, and PE2, and PE1, P, and PE2 accesses the VPLS network in asymmetrical mode.
Configure static router ports and configure PE2 as a querier.

Data Preparation

To complete the configuration, you need the following data:

Multicast VLAN ID: 10
CE1's VLAN ID: 20; CE2's VLAN ID: 100
VSI name: v123; VSI ID: 123
PE1's Multiprotocol Label Switching (MPLS) LSR ID: 1.1.1.1; P's MPLS LSR ID: 2.2.2.2; PE2's MPLS LSR ID: 1.1.1.1

Procedure

Configure QinQ termination on PE1.

<HUAWEI> system-view

[*HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface gigabitethernet 0/1/2.1

[*PE1-GigabitEthernet0/1/2.1] control-vid 10 qinq-termination

[*PE1-GigabitEthernet0/1/2.1] qinq termination l2 asymmetry

[*PE1-GigabitEthernet0/1/2.1] qinq termination pe-vid 20 ce-vid 100

[*PE1-GigabitEthernet0/1/2.1] commit

[~PE1-GigabitEthernet0/1/2.1] quit

Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes. When configuring OSPF, advertise the 32-bit loopback interface addresses of PE1 and PE2.

# Configure PE1.

[*PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.1 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] ip address 192.168.12.1 24

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] commit

[~PE1-ospf-1] quit

# Configure P.

<HUAWEI> system-view

[*HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface loopback 2

[*P-LoopBack2] ip address 2.2.2.2 32

[*P-LoopBack2] quit

[*P] interface gigabitethernet 0/1/0

[*P-GigabitEthernet0/1/0] ip address 192.168.12.2 24

[*P-GigabitEthernet0/1/0] undo shutdown

[*P-GigabitEthernet0/1/0] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] ip address 192.168.23.1 24

[*P-GigabitEthernet0/1/1] undo shutdown

[*P-GigabitEthernet0/1/1] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.23.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] commit

[~P-ospf-1] quit

# Configure PE2.

<HUAWEI> system-view

[*HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 3

[*PE2-LoopBack3] ip address 3.3.3.3 32

[*PE2-LoopBack3]quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.23.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.23.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] commit

[~PE2-ospf-1] quit

Configure basic MPLS functions and LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.1

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] mpls

[*PE1-GigabitEthernet0/1/1] mpls ldp

[*PE1-GigabitEthernet0/1/1]commit

[~PE1-GigabitEthernet0/1/1]quit

# Configure PE2.

[*PE2] mpls lsr-id 3.3.3.3

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2]commit

[~PE2-GigabitEthernet0/1/2]quit

# Configure P.

[*P] mpls lsr-id 2.2.2.2

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet 0/1/0

[*P-GigabitEthernet0/1/0] mpls

[*P-GigabitEthernet0/1/0] mpls ldp

[*P-GigabitEthernet0/1/0] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] mpls

[*P-GigabitEthernet0/1/1] mpls ldp

[*P-GigabitEthernet0/1/1] commit

[~P-GigabitEthernet0/1/1] quit

Enable MPLS L2VPN and configure a VSI.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] vsi v123 static

[*PE1-vsi-v123] pwsignal ldp

[*PE1-vsi-v123-ldp] vsi-id 123

[*PE1-vsi-v123-ldp] peer 3.3.3.3

[*PE1-vsi-v123-ldp] quit

[*PE1-vsi-v123] commit

[~PE1-vsi-v123] quit

# Configure PE2.

[*PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] vsi v123 static

[*PE2-vsi-v123] pwsignal ldp

[*PE2-vsi-v123-ldp] vsi-id 123

[*PE2-vsi-v123-ldp] peer 1.1.1.1 upe

[*PE2-vsi-v123-ldp] quit

[*PE2-vsi-v123] commit

[~PE2-vsi-v123] quit

Configure remote MPLS LDP sessions for PE1 and PE2.

# Configure PE1.

[*PE1] mpls ldp remote-peer PE2

[*PE1-mpls-ldp-remote-PE2] remote-ip 3.3.3.3

[*PE1-mpls-ldp-remote-PE2] commit

[~PE1-mpls-ldp-remote-PE2] quit

# Configure PE2.

[*PE2] mpls ldp remote-peer PE1

[*PE2-mpls-ldp-remote-PE1] remote-ip 1.1.1.1

[*PE2-mpls-ldp-remote-PE1] commit

[~PE2-mpls-ldp-remote-PE1] quit

Bind the interface to the VSI on a PE.

# Configure PE1. The configurations of GE 0/1/1 on PE2 are similar to the configuration of PE1, and are not mentioned here.

[*PE1] vlan 10

[*PE1-vlan10] quit

[*PE1] interface gigabitethernet 0/1/2.1

[*PE1-GigabitEthernet0/1/2.1] l2 binding vsi v123

[*PE1-GigabitEthernet0/1/2.1] commit

[~PE1-GigabitEthernet0/1/2.1] quit

Enable global IGMP snooping on the PE1 and PE2 and IGMP snooping in the VSI.
# Configure PE1. The configurations of PE2 are similar to the configuration of PE1 and are not mentioned here.
```
[*PE1] igmp-snooping enable
```
```
[*PE1] vsi v123
```
```
[*PE1-vsi-v123] igmp-snooping enable
```
```
[*PE1-vsi-v123] igmp-snooping version 3
```
```
[*PE1-vsi-v123] commit
```
```
[~PE1-vsi-v123] quit
```

Configure the PW on PE1 as a static router port, and configure the querier on PE2. The default values are used for the querier and therefore no special configuration is required.

# Configure PE1.

[*PE1] vsi v123

[*PE1-vsi-v123] igmp-snooping static-router-port remote-peer 3.3.3.3

[*PE1-vsi-v123] commit

[~PE1-vsi-v123] quit

[*PE1] quit

# Configure PE2.

[*PE2] igmp-snooping send-query enable

[*PE2] vsi v123

[*PE2-vsi-v123] igmp-snooping querier enable

[*PE2-vsi-v123] quit

[*PE2] interface Gigabitethernet0/1/1

[*PE2-GigabitEthernet0/1/1] portswitch

[*PE2-GigabitEthernet0/1/1] port default vlan 10

[*PE2-GigabitEthernet0/1/1] igmp-snooping static-router-port vlan 10

[*PE2-GigabitEthernet0/1/1] quit

[*PE2] interface Gigabitethernet0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] vlan-type dot1q 11

[*PE2-GigabitEthernet0/1/1.1] l2 binding vsi v123

[*PE2-GigabitEthernet0/1/1.1] igmp-snooping static-router-port vsi v123

[*PE2-GigabitEthernet0/1/1.1] quit

[*PE2] commit

[~PE2] quit

Verify the configuration.

Run the display qinq information termination interface command on PE1, and you can view information about the configured QinQ sub-interface.

<PE1> display qinq information termination interface gigabitethernet 0/1/2

  GigabitEthernet 0/1/2.1
    VSI bound
    Total QinQ Num: 1
      qinq termination pe-vid 20 ce-vid 100
    Total vlan-group Num: 0
    encapsulation qinq-termination

Run the display mpls ldp session command, and you view that MPLS LDP sessions on PE1, P, and PE2 are in the Operational state.

The following uses the command output on PE1 as an example.

<PE1>display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.2:0          Operational DU   Passive  0000:03:11   767/767
 3.3.3.3:0          Operational DU   Passive  0000:03:05   743/743
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

Run the display igmp-snooping querier vsi command on PE2, and you can check whether the configuration of the querier succeeds. If the Enable state is displayed in the following output, it indicates that the querier is enabled for VSI v123.

<PE2> display igmp-snooping querier vsi v123

VSI                             Querier-state Querier
---------------------------------------------------------------
v123                            Enable       192.168.0.1

Run the display igmp-snooping router-port vsi command on PE1, and you can check whether the configuration of the static router port succeeds. If STATIC is displayed as shown in the following output, it indicates that PW (1.1.1.1/123) is configured as a static router port.

<PE1> display igmp-snooping router-port vsi v123

 Port Name                            UpTime        Expires       Flags
 --------------------------------------------------------------------------
 VSI v123, 1 router-port(s)
 PW(3.3.3.3/123)                      00:49:14      --            STATIC

Run the display igmp-snooping port-info command on PE1, and you can view information about multicast VLAN tags and multicast groups on a specified QinQ interface.

<PE1> display igmp-snooping port-info

 -------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -------------------------------------------------------------------------------
 VSI v123, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)                                        P--
                                      GE0/1/2.1(PE:20/CE:100)               S--
                                                        1 port(s) include
 -------------------------------------------------------------------------------

Configuration Files

PE1 configuration file

#
sysname PE1
#
vlan batch 10
#
igmp-snooping enable
igmp-snooping send-query enable
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 123
  peer 3.3.3.3
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping static-router-port remote-peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer pe2
 remote-ip 3.3.3.3
#
interface Gigabitethernet0/1/2.1
 encapsulation qinq-termination
 qinq termination pe-vid 20 ce-vid 100
 l2 binding vsi v123
 l2-multicast static-group source-address 1.1.1.1 group-address 234.1.1.1 qinq pe-vid 20 ce-vid 100 vsi v123
#
interface Gigabitethernet0/1/1
 undo shutdown
 ip address 192.168.12.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.12.0 0.0.0.255
#
return

P configuration file

#
sysname P
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Gigabitethernet0/1/0
 undo shutdown
 ip address 192.168.12.2 255.255.255.0
 mpls
 mpls ldp
#
interface Gigabitethernet0/1/1
 undo shutdown
 ip address 192.168.23.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack2
 ip address 2.2.2.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.12.0 0.0.0.255
  network 192.168.23.0 0.0.0.255
#
return

PE2 configuration file

#
sysname PE2
#
vlan batch 10
#
igmp-snooping enable
igmp-snooping send-query enable
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 123
  peer 1.1.1.1
 igmp-snooping enable
 igmp-snooping querier enable
#
mpls ldp
#
mpls ldp remote-peer pe1
 remote-ip 1.1.1.1
#
interface Gigabitethernet0/1/2
 undo shutdown
 ip address 192.168.23.2 255.255.255.0
 mpls
 mpls ldp
 dcn
#
interface Gigabitethernet0/1/1
 portswitch
 undo shutdown
 port default vlan 10
 igmp-snooping static-router-port vlan 10
#
interface Gigabitethernet0/1/1.1
 vlan-type dot1q 11
 l2 binding vsi v123
 igmp-snooping static-router-port vsi v123
#
interface LoopBack3
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.23.0 0.0.0.255
#
return

CE1 configuration file

#
 sysname CE1
#
 vlan batch 20
#
interface Gigabitethernet0/1/2
 portswitch
 port vlan-stacking vlan 100 stack-vlan 20
#
interface Gigabitethernet0/1/1
 portswitch
 port trunk allow-pass vlan 20
#
return

CE2 configuration file

#
 sysname CE2
#
 vlan batch 100
#
interface Gigabitethernet0/1/2
 portswitch
 port default vlan 100
#
interface Gigabitethernet0/1/1
 portswitch
 port trunk allow-pass vlan 100
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-Interface in a VSI to Support IGMP Snooping

You can configure a dot1q VLAN tag termination sub-interface to support Internet Group Management Protocol (IGMP) on only the router's Layer 3 interfaces rather than Layer 2 interfaces.

Networking Requirements

On the network shown in Figure 1-750, CE1 labels each multicast protocol packet received from hosts with one tag, and then sends the packets to PE1. After the dot1q VLAN tag termination sub-interface is configured on PE1, PE1 accesses the virtual private LAN service (VPLS) network. After terminating the pseudo wire (PW), PE2 joins the related multicast VLAN and accesses the multicast source.

After IGMP snooping is configured, multicast packets are sent to only access devices of multicast receivers.

In a stable network, the PW on PE1 is configured as a static router port in the VSI. In this manner, receivers can steadily receive the multicast data.

To reduce the number of IGMP Query packets from the upstream router, you are advised to configure PE2 as a querier. This saves bandwidths.

Figure 1-750 Networking diagram of configuring the dot1q VLAN tag termination sub-interface in a VSI to support IGMP snooping

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.

Device	Interface	IP Address
PE1	GE0/1/2	-
PE1	GE0/1/1	192.168.12.1/24
PE1	Loopback1	1.1.1.1/32
P	GE0/1/0	192.168.12.2/24
P	GE0/1/1	192.168.23.1/24
P	Loopback2	2.2.2.2/32
PE2	GE0/1/2	192.168.23.2/24
PE2	GE0/1/1	-
PE2	Loopback3	3.3.3.3/32

Configuration Roadmap

The configuration roadmap is as follows:

Configure the termination mode on PE1 to be the user termination mode.
Configure basic VPLS functions.
Enable global IGMP snooping and IGMP snooping for a VSI.
Bind a VSI to an AC interface on PE1 and PE2 respectively.
Configure a PW on PE1, P, and PE2, and PE1, P, and PE2 accesses the VPLS network in asymmetrical mode.
Configure static router ports and configure PE2 as a querier.

Data Preparation

To complete the configuration, you need the following data:

PE1's multicast VLAN ID: 20; PE2's multicast VLAN ID: 10
CE1's VLAN ID: 20
VSI name: v123; VSI ID: 123
PE1's Multiprotocol Label Switching (MPLS) LSR ID: 1.1.1.1; P's MPLS LSR ID: 2.2.2.2; PE2's MPLS LSR ID: 1.1.1.1

Procedure

Configure dot1q termination on PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface gigabitethernet 0/1/2

[*PE1-GigabitEthernet0/1/2] undo shutdown

[*PE1-GigabitEthernet0/1/2] quit

[*PE1] interface gigabitethernet 0/1/2.1

[*PE1-GigabitEthernet0/1/2.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/1/2.1] dot1q termination vid 20

[*PE1-GigabitEthernet0/1/2.1] commit

[~PE1-GigabitEthernet0/1/2.1] quit

Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes. When configuring OSPF, advertise the 32-bit loopback interface addresses of PE1, P, and PE2.

# Configure PE1.

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.1 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] ip address 192.168.12.1 24

[*PE1-GigabitEthernet0/1/1] undo shutdown

[*PE1-GigabitEthernet0/1/1] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] commit

[~PE1-ospf-1] quit

# Configure P.

<HUAWEI> system-view

[~HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface loopback 2

[*P-LoopBack2] ip address 2.2.2.2 32

[*P-LoopBack2] quit

[*P] interface gigabitethernet 0/1/0

[*P-GigabitEthernet0/1/0] ip address 192.168.12.2 24

[*P-GigabitEthernet0/1/0] undo shutdown

[*P-GigabitEthernet0/1/0] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] ip address 192.168.23.1 24

[*P-GigabitEthernet0/1/1] undo shutdown

[*P-GigabitEthernet0/1/1] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.23.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] commit

[~P-ospf-1] quit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 3

[*PE2-LoopBack3] ip address 3.3.3.3 32

[*PE2-LoopBack3] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] ip address 192.168.23.2 24

[*PE2-GigabitEthernet0/1/2] undo shutdown

[*PE2-GigabitEthernet0/1/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.23.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] commit

[~PE2-ospf-1] quit

Configure basic MPLS functions and LDP.

# Configure PE1.

[~PE1] mpls lsr-id 1.1.1.1

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/1/1

[*PE1-GigabitEthernet0/1/1] mpls

[*PE1-GigabitEthernet0/1/1] mpls ldp

[*PE1-GigabitEthernet0/1/1]commit

[~PE1-GigabitEthernet0/1/1]quit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.3

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/1/2

[*PE2-GigabitEthernet0/1/2] mpls

[*PE2-GigabitEthernet0/1/2] mpls ldp

[*PE2-GigabitEthernet0/1/2]commit

[~PE2-GigabitEthernet0/1/2]quit

# Configure P.

[~P] mpls lsr-id 2.2.2.2

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet 0/1/0

[*P-GigabitEthernet0/1/0] mpls

[*P-GigabitEthernet0/1/0] mpls ldp

[*P-GigabitEthernet0/1/0] quit

[*P] interface gigabitethernet 0/1/1

[*P-GigabitEthernet0/1/1] mpls

[*P-GigabitEthernet0/1/1] mpls ldp

[*P-GigabitEthernet0/1/1] commit

[~P-GigabitEthernet0/1/1] quit

Enable MPLS L2VPN and configure a VSI.

# Configure PE1.

[~PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] vsi v123 static

[*PE1-vsi-v123] pwsignal ldp

[*PE1-vsi-v123-ldp] vsi-id 123

[*PE1-vsi-v123-ldp] peer 3.3.3.3

[*PE1-vsi-v123-ldp] quit

[*PE1-vsi-v123] commit

[~PE1-vsi-v123] quit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] vsi v123 static

[*PE2-vsi-v123] pwsignal ldp

[*PE2-vsi-v123-ldp] vsi-id 123

[*PE2-vsi-v123-ldp] peer 1.1.1.1 upe

[*PE2-vsi-v123-ldp] quit

[*PE2-vsi-v123] commit

[~PE2-vsi-v123] quit

Configure remote MPLS LDP sessions for PE1 and PE2.

# Configure PE1.

[~PE1] mpls ldp remote-peer PE2

[*PE1-mpls-ldp-remote-PE2] remote-ip 3.3.3.3

[*PE1-mpls-ldp-remote-PE2] commit

[~PE1-mpls-ldp-remote-PE2] quit

# Configure PE2.

[~PE2] mpls ldp remote-peer PE1

[*PE2-mpls-ldp-remote-PE1] remote-ip 1.1.1.1

[*PE2-mpls-ldp-remote-PE1] commit

[~PE2-mpls-ldp-remote-PE1] quit

Bind the interface on a PE.

# Configure PE1.

[~PE1] vlan 1

[*PE1-vlan1] quit

[*PE1] interface gigabitethernet 0/1/2.1

[*PE1-GigabitEthernet0/1/2.1] l2 binding vsi v123

[*PE1-GigabitEthernet0/1/2.1] commit

[~PE1-GigabitEthernet0/1/2.1] quit

# Configure PE2.

[~PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] vlan-type dot1q 20

[*PE1-GigabitEthernet0/1/1.1] l2 binding vsi v123

[*PE2-GigabitEthernet0/1/1.1] commit

[~PE2-GigabitEthernet0/1/1.1] quit

Enable IGMP snooping on PE1 and PE2 in the VSI.

# Configure PE1. The configurations of PE2 are similar to the configuration of PE1 and are not mentioned here.

[~PE1] igmp-snooping enable

[*PE1] vsi v123

[*PE1-vsi-v123] igmp-snooping enable

[*PE1-vsi-v123] igmp-snooping version 3

[*PE1-vsi-v123] commit

[~PE1-vsi-v123] quit

Configure the PW on PE1 as a static router port, and configure the querier on PE2. The default values are used for the querier.

# Configure PE1.

[~PE1] vsi v123

[*PE1-vsi-v123] igmp-snooping static-router-port remote-peer 3.3.3.3

[*PE1-vsi-v123] commit

[~PE1-vsi-v123] quit

[*PE1] quit

# Configure PE2.

[~PE2] igmp-snooping send-query enable

[*PE2] vsi v123

[*PE2-vsi-v123] igmp-snooping querier enable

[*PE2-vsi-v123] commit

[~PE2-vsi-v123] quit

[*PE2] quit

Verify the configuration.

Run the display dot1q information termination interface command on PE1, and you can view information about the configured dot1q VLAN tag termination sub-interface.

The following example uses the command output on PE1.

[~PE1] display dot1q information termination interface gigabitethernet 0/1/2.1

  GigabitEthernet 0/1/2.1
    Total QinQ Num: 1
      dot1q termination vid 20
    Total vlan-group Num: 0
    encapsulation dot1q-termination

Run the display mpls ldp session command, and you view that MPLS LDP sessions on PE1, P, and PE2 are in the Operational state.

Take the display of PE1 as an example.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network

 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.2:0          Operational DU   Passive  0000:00:04   19/19
 3.3.3.3:0          Operational DU   Passive  0000:00:03   17/16
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

[~PE2] display igmp-snooping querier vsi v123

VSI                             Querier-state Querier
---------------------------------------------------------------
v123                            Enable       192.168.0.1

[~PE1] display igmp-snooping router-port vsi v123

 Port Name                            UpTime        Expires       Flags
 --------------------------------------------------------------------------
 VSI v123, 1 router-port(s)
 PW(3.3.3.3/123)                      00:09:16      --            STATIC

Run the display igmp-snooping port-info command on PE1, and you can view information about multicast VLAN tags and multicast groups on a specified dot1q interface.

[~PE1] display igmp-snooping port-info

 -------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -------------------------------------------------------------------------------
 VSI v123, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)                                        P--
                                      GE0/1/2.1(PE:20)                      S--
                                                        1 port(s) include
 -------------------------------------------------------------------------------

Configuration Files

PE1 configuration file

#
sysname PE1
#
vlan batch 20
#
igmp-snooping enable
igmp-snooping send-query enable
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 123
  peer 3.3.3.3
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping static-router-port remote-peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer pe2
 remote-ip 3.3.3.3
#
interface Gigabitethernet0/1/2
 undo shutdown
#
interface Gigabitethernet0/1/2.1
 encapsulation dot1q-termination
 dot1q termination vid 20
 l2 binding vsi v123
#
interface Gigabitethernet0/1/1
 undo shutdown
 ip address 192.168.12.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.12.0 0.0.0.255
#
return

P configuration file

#
sysname P
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Gigabitethernet0/1/0
 undo shutdown
 ip address 192.168.12.2 255.255.255.0
 mpls
 mpls ldp
#
interface Gigabitethernet0/1/1
 undo shutdown
 ip address 192.168.23.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack2
 ip address 2.2.2.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.12.0 0.0.0.255
  network 192.168.23.0 0.0.0.255
#     
return

PE2 configuration file

#
sysname PE2
#
vlan batch 10
#
igmp-snooping enable
igmp-snooping send-query enable
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls l2vpn
#
vsi 123
#
vsi v123 static
 pwsignal ldp
  vsi-id 123
  peer 1.1.1.1
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping querier enable
#
mpls ldp
#
mpls ldp remote-peer pe1
 remote-ip 1.1.1.1
#
interface Gigabitethernet0/1/2
 undo shutdown
 ip address 192.168.23.2 255.255.255.0
 mpls
 mpls ldp
#
interface Gigabitethernet0/1/1
 undo shutdown 
#
interface Gigabitethernet0/1/1.1
 vlan-type dot1q 20
 l2 binding vsi v123
 igmp-snooping static-router-port vsi v123
#
interface LoopBack3
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.23.0 0.0.0.255
#
return

CE1 configuration file

#
 sysname CE1
#
 vlan batch 20
#
interface Gigabitethernet0/1/2
 portswitch
 port default vlan 20
#
interface Gigabitethernet0/1/1
 portswitch
 port trunk allow-pass vlan 20
#
return

Example for Configuring QinQ VLAN Tag Termination Sub-Interfaces to Statically Join Multicast Groups

Networking Requirements

On the network shown in Figure 1-751, configure a QinQ VLAN tag termination sub-interface on PE1 to statically join multicast groups, to make the Receiver receive multicast data sent from the Source.

Figure 1-751 Configuring QinQ VLAN tag termination sub-interfaces to statically join multicast groups

Interfaces 1 through 3 and sub-interface 2.1 in this example represent GE 0/1/0, GE 0/1/8, GE 0/1/16, and GE 0/1/8.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure Open Shortest Path First (OSPF) on the backbone network to implement interworking between PEs.
Configure the basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs and establish the MPLS Label Switched Paths (LSPs) between the PEs.
Configure the VPN instance on the PE and bind VPN instance with the interface to Source and the interface to Receiver.
Configure Multiprotocol Internal Border Gateway Protocol (MP-IBGP) to exchange the VPN routing information between the PEs.
Configure QinQ VLAN tag termination sub-interfaces to statically join multicast groups.

Data Preparation

To configure QinQ VLAN tag termination sub-interfaces to statically join multicast groups, you need the following data:

PE's MPLS LSR-ID: 1.1.1.9; P's MPLS LSR-ID: 2.2.2.9,3.3.3.9
VPN instance name: vpna; RDs: 100:1 and 100:2; VPN-Target: 111:1
VLAN ID in an outer VLAN tag of the QinQ VLAN tag termination sub-interface: 1; VLAN ID in an inner VLAN tag of the QinQ VLAN tag termination sub-interface: 1 or 2

Procedure

Configure basic BGP/MPLS IP VPN.
The specific configuration procedures are omitted here.

Configure a VPN instance on each PE, configure a QinQ VLAN tag termination sub-interface, and bind the interface to the VPN instance.

# Configure PE1.

# Configure a VPN instance.

[*PE1] ip vpn-instance vpna

[*PE1-vpn-instance-vpna] ipv4-family

[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1

[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both

[*PE1-vpn-instance-vpna-af-ipv4] quit

[*PE1-vpn-instance-vpna] commit

[~PE1-vpn-instance-vpna] quit

# Bind the VPN instance with the interface to the Source.

[*PE1] interface gigabitethernet 0/1/0

[*PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna

[*PE1-GigabitEthernet0/1/0] ip address 10.1.1.2 24

[*PE1-GigabitEthernet0/1/0] commit

[~PE1-GigabitEthernet0/1/0] quit

# Create a QinQ VLAN tag termination sub-interface, bind the VPN instance to the QinQ VLAN tag termination sub-interface.

[*PE1] interface gigabitethernet 0/1/8.1

[*PE1-GigabitEthernet0/1/8.1] ip binding vpn-instance vpna

[*PE1-GigabitEthernet0/1/8.1] commit

[~PE1-GigabitEthernet0/1/8.1] quit

# Configure VLAN ID on the QinQ VLAN tag termination sub-interface.

[*PE1] interface gigabitethernet 0/1/8.1

[*PE1-GigabitEthernet0/1/8.1] control-vid 10 qinq-termination

[*PE1-GigabitEthernet0/1/8.1] qinq termination pe-vid 1 ce-vid 1 to 2

[*PE1-GigabitEthernet0/1/8.1] ip address 10.2.1.2 24

[*PE1-GigabitEthernet0/1/8.1] commit

[~PE1-GigabitEthernet0/1/8.1] quit

# Configure PE2.

# Configure a VPN instance.

[*PE2] ip vpn-instance vpna

[*PE2-vpn-instance-vpna] ipv4-family

[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2

[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both

[*PE2-vpn-instance-vpna-af-ipv4] quit

[*PE2-vpn-instance-vpna] commit

[~PE2-vpn-instance-vpna] quit

# Bind the VPN instance with the GE 0/1/0 of PE2.

[*PE2] interface gigabitethernet 0/1/0

[*PE2-GigabitEthernet0/1/0] ip binding vpn-instance vpna

[*PE2-GigabitEthernet0/1/0] ip address 10.3.1.2 24

[*PE2-GigabitEthernet0/1/0] commit

[~PE2-GigabitEthernet0/1/0] quit

Add the route of the Source and the route of the Receiver to VPN routing-table.

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] ipv4-family vpn-instance vpna

[*PE1-bgp-vpna] import-route direct

[*PE1-bgp-vpna] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[*PE2] bgp 100

[*PE2-bgp] ipv4-family vpn-instance vpna

[*PE2-bgp-vpna] import-route direct

[*PE2-bgp-vpna] quit

[*PE2-bgp] quit

[*PE2] commit

After the configuration above, run the display ip routing-table vpn-instance command on PE1. The route of the Source and the route of the Receiver are added to VPN routing-table.

[~PE1] display ip routing-table vpn-instance vpna

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0             D  10.1.1.2        GigabitEthernet0/1/0
       10.1.1.2/32  Direct  0    0             D  127.0.0.1       GigabitEthernet0/1/0
     10.1.1.255/32  Direct  0    0             D  127.0.0.1       GigabitEthernet0/1/0
       10.2.1.0/24  Direct  0    0             D  10.2.1.2        GigabitEthernet0/1/8.1
       10.2.1.2/32  Direct  0    0             D  127.0.0.1       GigabitEthernet0/1/8.1
     10.2.1.255/32  Direct  0    0             D  127.0.0.1       GigabitEthernet0/1/8.1
       10.3.1.0/24  IBGP    255  0             RD 3.3.3.9         LDP LSP
255.255.255.255/32  Direct  0    0             D  127.0.0.1       InLoopBack0

Configure multicast routing-enable in the public network instance on PE1, P and PE2.

# Configure PE1.

[*PE1] multicast routing-enable

[*PE1] commit

# Configure P.

[*P] multicast routing-enable

[*P] commit

# Configure PE2.

[*PE2] multicast routing-enable

[*PE2] commit

Configure multicast basic function.

# Configure PIM-SM in the public network.

# Configure PE1.

[~PE1] interface gigabitethernet 0/1/16

[*PE1-GigabitEthernet0/1/16] pim sm

[*PE1-GigabitEthernet0/1/16] quit

[*PE1] interface loopback 1

[*PE1-LoopBack1] pim sm

[*PE1-LoopBack1] quit

[*PE1] commit

# Configure P.

[~P] interface gigabitethernet 0/1/0

[*P-GigabitEthernet0/1/0] pim sm

[*P-GigabitEthernet0/1/0] quit

[*P] interface gigabitethernet 0/1/8

[*P-GigabitEthernet0/1/8] pim sm

[*P-GigabitEthernet0/1/8] quit

[*P] interface loopback 1

[*P-LoopBack1] pim sm

[*P-LoopBack1] quit

[*P] commit

# Configure PE2.

[~PE2] interface gigabitethernet 0/1/16

[*PE2-GigabitEthernet0/1/16] pim sm

[*PE2-GigabitEthernet0/1/16] quit

[*PE2] interface loopback 1

[*PE2-LoopBack1] pim sm

[*PE2-LoopBack1] quit

[*PE2] commit

# Configure RP in the public network instance.

[~P] pim

[*P] c-bsr loopback 1

[*P] c-rp loopback 1

[*P] commit

# Configure IGMP on the main interface to the Receiver.

[~PE1] interface gigabitethernet 0/1/8

[*PE1-GigabitEthernet0/1/8] igmp enable

[*PE1-GigabitEthernet0/1/8] quit

[*PE1] commit

Configure QinQ VLAN tag termination sub-interfaces to statically join multicast groups.

[~PE1] interface gigabitethernet 0/1/8.1

[*PE1-GigabitEthernet0/1/8.1] igmp static-group 225.0.0.1 inc-step-mask 0.0.0.1 number 17 qinq pe-vid 1 ce-vid 1 to 2

[*PE1-GigabitEthernet0/1/8.1] quit

[*PE1] commit

Verify the configuration.

After the configuration, run the display pim vpn-instance vpna routing-table command on PE1 to check the multicast routing-table information.

Run the display igmp-snooping qinq-port-info interface gigabitethernet 0/1/8.1 to check the multicast group information on the QinQ VLAN tag termination sub-interface.

<PE1> display igmp-snooping qinq-port-info interface gigabitethernet 0/1/8.1
 Interface GigabitEthernet0/1/8.1, 17 Group(s)
 (Source,Group)                            PE-VID/CE-VID LiveTime           Flag
 -------------------------------------------------------------------------------
 (*,225.0.0.1)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.2)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.3)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.4)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.5)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.6)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.7)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.8)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.9)                             1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.10)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.11)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.12)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.13)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.14)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.15)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.16)                            1/1           --------           S--
                                           1/2           --------           S--
 (*,225.0.0.17)                            1/1           --------           S--
                                           1/2           --------           S--

Configuration Files

PE1 configuration file

#
sysname PE1
#
router id 1.1.1.9
#
multicast routing-enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  apply-label per-instance
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet0/1/8
 undo shutdown
 pim sm
 igmp enable
 dcn
#
interface GigabitEthernet0/1/8.1
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 1 ce-vid 1 to 2
 igmp static-group 225.0.0.1 inc-step-mask 0.0.0.1 number 17 qinq pe-vid 1 ce-vid 1 to 2
#
interface GigabitEthernet0/1/16
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
 pim sm
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
 peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.16.1.0 0.0.0.255
#
return

P configuration file

#
sysname P
#
router id 2.2.2.9
#
multicast routing-enable
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/8
 undo shutdown
 ip address 172.17.1.1 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 172.16.1.2 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
 pim sm
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.17.1.0 0.0.0.255
#
pim
 c-bsr LoopBack1
 c-rp LoopBack1
#
return

PE2 configuration file

#
sysname PE2
#
router id 3.3.3.9
#
multicast routing-enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:2
  apply-label per-instance
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
 pim sm
 undo dcn
#
interface GigabitEthernet0/1/16
 undo shutdown
 ip address 172.17.1.2 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
 pim sm
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.3.1.1 as-number 65430
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 172.17.1.0 0.0.0.255
#
return

Example for Configuring Untagged+DSCP for L3VPN Access

This section provides an example of networking in which PE1 receives untagged packets carrying different differentiated services code point (DSCP) priorities. You can configure untagged+DSCP on the attachment circuit (AC)-side sub-interfaces of PE1 and bind these sub-interfaces to different virtual private network (VPN) instances. This configuration allows PE1 to forward packets to different VPN instances based on their DSCP priorities, differentiating services in VPN instances. In this example, the cell site gateway (CSG) transmits IP services.

Networking Requirements

On a metropolitan area network (MAN), virtual local area network (VLAN) IDs are usually used to differentiate services or users, and traffic is distributed to different virtual switching instances (VSIs), virtual private wire Services (VPWSs), or VPN instances. When user or service packets do not carry VLAN tags, VLAN IDs cannot be used to differentiate the users or services, and traffic cannot be distributed based on the VLAN IDs. As a result, some high-priority traffic does not get scheduled properly when passing the carrier network, affecting user experience.

On the network shown in Figure 1-752, packets forwarded by the CSG do not carry VLAN tags, so PE1 cannot differentiate the packets based on VLAN IDs. In this situation, traffic cannot be distributed to different VPN instances for transmission. To address this problem, deploy VLAN policies (untagged+DSCP) on PE1 so that PE1 can distribute packets to different VPN instances based on their DSCP priorities, ensuring that the packets get scheduled properly.

In this example, PE1 parses the DSCP priorities in packets.

The DSCP field is carried in IP packets. To deploy VLAN policies (untagged+DSCP), ensure that the CSG transmits IP services.

Figure 1-752 Networking for untagged+DSCP for L3VPN access

Interfaces 1 through 3 in this example represent GE 0/1/1, GE 0/1/2, and GE 0/1/3, respectively.

Device	Interface	IP Address
CE1	GE0/1/1.1	192.168.1.2/24
CE1	GE0/1/1.2	172.16.1.2/24
CE2	GE0/1/1	192.168.2.2/24
CE3	GE0/1/1	172.17.1.2/24
PE1	GE0/1/1.1	192.168.1.1/24
	GE0/1/1.2	172.16.1.1/24
	GE0/1/2	10.1.1.2/30
	GE0/1/3	10.10.1.2/30
	Loopback1	1.1.1.9/32
PE2	GE0/1/1.1	192.168.2.1/24
	GE0/1/2	10.1.1.1/30
	Loopback1	2.2.2.9/32
PE3	GE0/1/1.1	172.17.1.1/24
	GE0/1/2	10.10.1.1/30
	Loopback1	3.3.3.9/32

Configuration Roadmap

The configuration roadmap is as follows:

Configure basic Layer 3 virtual private network (L3VPN) functions.
1. Enable an Interior Gateway Protocol (IGP) on the backbone network for communication between routers on the backbone network.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP), and set up MPLS label switched paths (LSPs) on the backbone network.
3. Set up LSPs between the provider edges (PEs).
4. Create VPN instances on the PEs.
Configure VLAN policies (untagged+DSCP) and bind AC-side sub-interfaces of the PEs to the VPN instances.
Configure basic Layer 2 forwarding functions on the CSG.
Configure External Border Gateway Protocol (EBGP) on the customer edges (CEs) and PEs to exchange VPN routing information.
Establish Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationships between the PEs.

Data Preparation

To complete the configuration, you need the following data:

IP address of each interface
Names of the VPN instances on the PEs
Route distinguishers (RDs) and VPN targets of the VPN instances
Numbers of the interfaces that are bound to the VPN instances

Procedure

Configure basic L3VPN functions.

Configure an IP address for each interface of the CEs and PEs as shown in Figure 1-752. For details, see configuration files in this example.

Configure an IGP on the MPLS backbone network. Open Shortest Path First (OSPF) is used in this example.

For details, see configuration files in this example.

After OSPF is configured, PE1 has an OSPF route to Loopback 1 of PE2 and another OSPF route to Loopback 1 of PE3. PE2 and PE3 each have an OSPF route to Loopback 1 of PE1. In addition, the PEs can ping each other.

<PE1> display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------
Routing Table: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

      1.1.1.9/32    Direct 0    0             D   127.0.0.1       LoopBack1
      2.2.2.9/32    OSPF   10   1             D   10.1.1.1        GigabitEthernet0/1/2
      3.3.3.9/32    OSPF   10   1             D   10.10.1.1       GigabitEthernet0/1/3
     10.1.1.0/30    Direct 0    0             D   10.1.1.2        GigabitEthernet0/1/2
     10.1.1.2/32    Direct 0    0             D   127.0.0.1       GigabitEthernet0/1/2
    10.10.1.0/30    Direct 0    0             D   10.10.1.2       GigabitEthernet0/1/3
    10.10.1.2/32    Direct 0    0             D   127.0.0.1       GigabitEthernet0/1/3
     127.0.0.0/8    Direct 0    0             D   127.0.0.1       InLoopBack0
    127.0.0.1/32    Direct 0    0             D   127.0.0.1       InLoopBack0

<PE1> ping 2.2.2.9

PING 2.2.2.9: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.9: bytes=56 Sequence=1 ttl=255 time=120 ms
    Reply from 2.2.2.9: bytes=56 Sequence=2 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=3 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=4 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=5 ttl=255 time=90 ms

  --- 2.2.2.9 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 90/96/120 ms

Enable basic MPLS functions and LDP on the MPLS backbone network.

For details, see configuration files in this example.

After MPLS LSPs are set up, LDP sessions are set up between PE1 and PE2 and between PE1 and PE3. The display mpls ldp session command output shows that the Status field is Operational.

<PE1> display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:00  3/3
 3.3.3.9:0          Operational DU   Passive  0000:00:00  2/2
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.

Configure VPN instances.

# Configure PE1.

<PE1> system-view

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 100:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 100:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] commit

[~PE1-vpn-instance-vpn2-af-ipv4] quit

# Configure PE2.

<PE2> system-view

[*PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] commit

[~PE2-vpn-instance-vpn1-af-ipv4] quit

# Configure PE3.

<PE3> system-view

[*PE3] ip vpn-instance vpn2

[*PE3-vpn-instance-vpn2] route-distinguisher 100:2

[*PE3-vpn-instance-vpn2-af-ipv4] vpn-target 100:2 both

[*PE3-vpn-instance-vpn2-af-ipv4] commit

[~PE3-vpn-instance-vpn2-af-ipv4] quit

Configure VLAN policies (untagged+DSCP) and bind AC-side sub-interfaces of the PEs to the VPN instances.

# Configure PE1.

<PE1> system-view

[*PE1] interface gigabitethernet 0/1/1.1

[*PE1-GigabitEthernet0/1/1.1] untagged dscp 3

[*PE1-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/1/1.1] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/1/1.1] quit

[*PE1] interface gigabitethernet 0/1/1.2

[*PE1-GigabitEthernet0/1/1.2] untagged dscp 2

[*PE1-GigabitEthernet0/1/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/1/1.2] ip address 172.16.1.1 24

[*PE1-GigabitEthernet0/1/1.2] commit

[~PE1-GigabitEthernet0/1/1.2] quit

# Configure PE2.

<PE2> system-view

[*PE2] interface gigabitethernet 0/1/1.1

[*PE2-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/1/1.1] ip address 192.168.2.1 24

[*PE2-GigabitEthernet0/1/1.1] commit

[~PE2-GigabitEthernet0/1/1.1] quit

# Configure PE3.

<PE3> system-view

[*PE3] interface gigabitethernet 0/1/1.1

[*PE3-GigabitEthernet0/1/1.1] ip binding vpn-instance vpn2

[*PE3-GigabitEthernet0/1/1.1] ip address 172.17.1.1 24

[*PE3-GigabitEthernet0/1/1.1] commit

[~PE3-GigabitEthernet0/1/1.1] quit

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

The command output on PE1 is provided as an example.

[*PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

  VPN-Instance Name and ID : vpn1, 1
  Address family ipv4
  Create date : 2009/09/01 17:22:49
  Up time : 0 days, 00 hours, 11 minutes and 46 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets :  100:1
  Import VPN Targets :  100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Log Interval : 5
  Interfaces : GigabitEthernet0/1/1.1

  VPN-Instance Name and ID : vpn2, 2
  Address family ipv4
  Create date : 2009/09/01 17:27:07
  Up time : 0 days, 00 hours, 07 minutes and 28 seconds
  Route Distinguisher : 100:2
  Export VPN Targets :  200:2
  Import VPN Targets :  200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Log Interval : 5
  Interfaces : GigabitEthernet0/1/1.2

Configure basic functions on the CSG.
The configuration details are not provided here. The CSG must meet the following conditions:
- Support for DSCP priority configuration using commands.
Establish EBGP peer relationships between the PEs and CEs and import VPN routes.
For details, see the chapter "BGP/MPLS IP VPN Configuration" in the NetEngine 8000 F Configuration Guide - VPN or Configuration Files in this example.
Establish MP-IBGP peer relationships between the PEs.
For details, see the chapter "BGP/MPLS IP VPN Configuration" in the NetEngine 8000 F Configuration Guide - VPN or Configuration Files in this example.

Verify the configuration.

After completing the configurations, run the display bgp peer command on the PEs. The command outputs show that the MP-IBGP peer relationships have been established between the PEs and are in Established state.

The command output on PE1 is used as an example.

[*PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer        V      AS  MsgRcvd  MsgSent  OutQ  Up/Down    State       PrefRcv

  2.2.2.9     4      100    10     15       0    00:04:53   Established   0
  3.3.3.9     4      100    6      11       0    00:01:06   Established   2

Run the display ip routing-table vpn-instance command on the PEs to view the routes to peer CEs.

The command output on PE1 is provided as an example.

[*PE1] display ip routing-table vpn-instance vpn1

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route ------------------------------------------------------------------------------
Routing Table: vpn1
         Destinations : 3        Routes : 3

Destination/Mask   Proto  Pre  Cost      Flags NextHop       Interface

  192.168.1.0/24   Direct 0    0         D     192.168.1.1   GigabitEthernet0/1/1.1
  192.168.1.1/32   Direct 0    0         D     127.0.0.1     GigabitEthernet0/1/1.1
  192.168.2.0/24   BGP    255  0         RD    2.2.2.9       GigabitEthernet0/1/2

[*PE1] display ip routing-table vpn-instance vpn2

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table: vpn1
         Destinations : 3        Routes : 3

Destination/Mask   Proto  Pre  Cost      Flags NextHop       Interface

   172.16.1.0/24   Direct 0    0         D     172.16.1.1    GigabitEthernet0/1/1.2
   172.16.1.1/32   Direct 0    0         D     127.0.0.1     InLoopBack0
   172.17.1.0/24   BGP    255  0         RD    3.3.3.9       GigabitEthernet0/1/3

Run the display interface vlan command to view the VLAN policy configured on a specified interface.

The command output on PE1 is provided as an example.

[*PE1] display interface gigabitethernet0/1/1 vlan untagged

Interface           VlanPolicy
-----------------------------------------------------------
GE0/1/1.2           dscp 2
GE0/1/1.1           dscp 3
-----------------------------------------------------------
Interface:GE0/1/1 VLAN ID: UNTAGGED Sub-Interface num: 2

Configuration Files

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpn2
 route-distinguisher 100:2
 apply-label per-instance
 vpn-target 100:2 export-extcommunity
 vpn-target 100:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/1/1.1
 untagged dscp 3
 ip binding vpn-instance vpn1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1/1.2
 untagged dscp 2
 ip binding vpn-instance vpn2
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 10.1.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.10.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 192.168.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 172.16.1.2 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.10.1.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
 mpls lsr-id 2.2.2.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn1
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
 peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 192.168.2.2 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 10.1.1.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
ip vpn-instance vpn2
 route-distinguisher 100:2
 apply-label per-instance
 vpn-target 100:2 export-extcommunity
 vpn-target 100:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/1/1.1
 ip binding vpn-instance vpn2
 ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 10.10.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 172.17.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 10.10.1.0 0.0.0.3
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/1/1.1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
bgp 65410
 peer 192.168.1.1 as-number 100
#
interface GigabitEthernet0/1/2.1
 undo shutdown
 ip address 172.16.1.2 255.255.255.0
bgp 65410
 peer 172.16.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.1.1 enable
  peer 172.16.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/1/1.1
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
bgp 65420
 peer 192.168.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.2.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/1/1.1
 undo shutdown
 ip address 172.17.1.2 255.255.255.0
bgp 65421
 peer 172.17.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 172.17.1.1 enable
#
return

QinQ Description
QinQ Configuration

Translation

Favorite

Download

Update Date：2022-11-28

Document ID：EDOC1100279009

Downloads：1095

Average rating：0.0Points

Digital Signature File

digtal sigature tool