NetEngine A821 E V800R023C00SPC500 Configuration Guide

QinQ Configuration

802.1Q-in-802.1Q (QinQ) is a technology that addresses the shortage of public VLAN ID resources. This technology applies to a number of services in metropolitan area network (MAN) implementation.

Overview of QinQ
Feature Requirements for QinQ
Summary of QinQ Configuration Tasks
Configuring the QinQ Function
Configuring QinQ-based VLAN Tag Swapping
Configuring QinQ Mapping
- Configuring 1 to 1 QinQ Mapping
- Verifying the QinQ Mapping Configuration
Configuring IP Services on a VLAN Tag Termination Sub-Interface
Configuring a VLAN Tag Termination Sub-interface to Transmit the VPN Service
Configuring Multicast Services on a VLAN Tag Termination Sub-interface
Configuring an L2VPN Service on a QinQ Stacking Sub-interface
Maintaining QinQ
- Clearing QinQ Statistics
- Monitoring the QinQ Operating Status
Configuration Examples for QinQ

Overview of QinQ

The 802.1Q-in-802.1Q (QinQ) technology improves the utilization of VLANs by adding another 802.1Q tag to tagged packets. This technology enables services from private VLANs to be transparently transmitted over the public network. Packets transmitted on the backbone network carry two 802.1Q tags: a public VLAN tag and a private VLAN tag.

QinQ Background

During intercommunication between Layer 2 LANs based on the traditional IEEE 802.1Q protocol, when two user networks access each other through a carrier network, the carrier must assign VLAN IDs to users of different VLANs, as shown in Figure 1. User Network1 and User Network2 access the backbone network through PE1 and PE2 of a carrier network respectively.

Figure 1-375 Intercommunication between Layer 2 LANs using the traditional IEEE 802.1Q protocol

To connect VLAN 100 - VLAN 200 on User Network1 to VLAN 100 - VLAN 200 on User Network2, interfaces connecting CE1, PE1, the P, PE2, and CE2 can be configured to function as trunk interfaces and to allow packets from VLAN 100 - VLAN 200 to pass through.

This configuration, however, makes user VLANs visible on the backbone network and wastes the carrier's VLAN ID resources (4094 VLAN IDs are used). In addition, the carrier has to manage user VLAN IDs, and users do not have the right to plan their own VLANs.

The 12-bit VLAN tag defined in IEEE 802.1Q identifies only a maximum of 4096 VLANs, unable to isolate and identify mass users in the growing metro Ethernet (ME) network. QinQ is therefore developed to expand the VLAN space by adding another 802.1Q tag to an 802.1Q tagged packet. In this way, the number of VLANs increases to 4096 x 4096.

Since the QinQ technology is easy to use, it has been widely applied on ISP networks. For example, it is used by multiple services on the metro Ethernet.After the emergence of selective QinQ/VLAN stacking, QinQ services became more popular with carriers. It isolates private VLANs from public VLANs, maximally conserving VLAN ID resources on carrier networks. As the metro Ethernet develops, different vendors propose their own metro Ethernet solutions. QinQ with its simplicity and flexibility, plays important roles in metro Ethernet solutions.

QinQ Definition

802.1Q-in-802.1Q (QinQ) is a technology that adds another layer of IEEE 802.1Q tag to the 802.1Q tagged packets entering the network. This technology expands the VLAN space by tagging the tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network.

Figure 1-376 shows a typical QinQ application. The private VLANs on User Network 1 range from VLAN 100 to VLAN 200, and the private VLANs on User Network 2 range from VLAN 400 to VLAN 500. If a carrier allows VLAN users to communicate over the carrier network, the carrier must assign a different VLAN ID for each VLAN. This requires a large number of VLAN IDs, and user packets are made visible on the carrier network. QinQ allows a network to have a maximum of 4094 x 4094 VLAN IDs. With QinQ, the carrier only needs to provide one VLAN ID for a user network, which saves VLAN ID resources and ensures secure transmission of user packets.

Figure 1-376 Typical QinQ application

Figure 1-376 shows a typical QinQ application. VLAN stacking is a typical application of QinQ on Layer 2 networks.

The advantages of QinQ are described as follows:

Alleviates the intensifying shortage of public VLAN IDs.
Allows users to plan their private VLAN IDs and prevents conflicts with public VLAN IDs.
Provides a simple and flexible Layer 2 VPN solution for small-scale metro networks and enterprise networks.
Allows user networks to retain their configurations after a carrier updates the carrier network.

Basic QinQ Concept

Ethernet Frame, VLAN Frame, and QinQ Packet

Ethernet frame

As shown in Figure 1-377, the Length/Type field is preceded by the Destination address and Source address fields in a traditional Ethernet frame.

Figure 1-377 Traditional Ethernet frame
VLAN frame

IEEE 802.1Q adds an 802.1Q tag to the Ethernet frame. As shown in Figure 1-378, the 4-byte 802.1Q Tag resides between the Source address and Length/Type fields.

Figure 1-378 802.1Q frame
- Type: The 2-byte Type field indicates the frame type. The value 0x8100 indicates an 802.1Q frame. When a device that does not support 802.1Q frames receives an 802.1Q frame, it discards the frame.
- PRI: The 3-bit Priority field indicates the frame priority. The value of the field ranges from 0 to 7. The greater the value, the higher the frame priority. When a switch is congested, higher priority frames are sent preferentially.
- CFI: The 1-bit Canonical Format Indicator (CFI) field indicates whether the MAC address is in canonical format. Value 0 indicates that the MAC address is in the canonical format, and value 1 indicates that the MAC address is in the non-canonical format, which is compatible with Ethernet and token ring networks. The CFI field value in Ethernet frames is 0.
- VID: The 12-bit VLAN ID (VID) field indicates the VLAN to which the frame belongs. In the NetEngine A800 series, the VLAN ID ranges from 0 to 4095. Since 0 and 4095 are reserved by the QinQ protocol, the valid value of the VLAN ID ranges from 1 to 4094.
  Each 802.1Q-capable switch sends datagrams carrying a VLAN ID. The VLAN ID identifies the VLAN to which the switch belongs. Ethernet frames can be classified into the following types on a VLAN:
  - Tagged frame: Ethernet frame with a 4-byte 802.1Q tag.
  - Untagged frame: original Ethernet frame without a 4-byte 802.1Q tag.
QinQ packet

A QinQ packet has a fixed format. In the packet, another 802.1Q tag is added before an 802.1Q tag. A QinQ packet is 4–byte longer than a common 802.1Q packet.

Figure 1-379 802.1Q encapsulation
QinQ packets carry two VLAN tags when they are transmitted across a carrier network. The meanings of the two tags are described as follows:
- Inner VLAN tag: private VLAN tag that identifies the VLAN to which a user belongs.
- Outer VLAN tag: public VLAN tag that is assigned by a carrier to a user.

QinQ Encapsulation

QinQ encapsulation is to add another 802.1Q tag to a single-tagged packet. QinQ encapsulation is usually performed on UPE interfaces connecting to users.

QinQ encapsulation can be classified into the following types:

Standard QinQ encapsulation

In a standard QinQ encapsulation, or interface-based QinQ, the device adds an outer tag to all packets entering an interface.

After a QinQ-enabled interface receives a packet, the device adds the default VLAN tag to the packet, regardless of whether the packet carries a VLAN tag. The packet is then forwarded in the VLAN to which the interface belongs. Interface-based QinQ is also called QinQ tunneling.

Interface-based QinQ means that all traffic entering an interface is encapsulated with the same outer VLAN tag. Users are distinguished by the physical interface. However, if multiple users with different VLANs are connected to the same interface, the device cannot distinguish these users. Therefore, interface-based QinQ has its limitations.

For carrier networks that need to distinguish users based on user applications and locations, the selective QinQ provides an ideal solution.
Selective QinQ encapsulation

The selective QinQ encapsulation is also called traffic-based QinQ because the device encapsulates packets with outer tags based on the traffic.

After a selective QinQ-enabled interface receives packets, the device classifies the traffic and decides whether to add outer tags to the packets.

A carrier device can classify traffic based private VLAN tags, VLAN tag+802.1p priority, source IP/MAC address, destination IP/MAC address, IP protocols, or application port numbers. The device then adds outer VLAN tags to the traffic for service differentiation.

QinQ/Dot1q VLAN Tag Termination Sub-interface

In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

After an interface receives a packet with one or two VLAN tags, the device removes the VLAN tags and forwards the packet at Layer 3. The outbound interface decides whether to add one or two VLAN tags to the packet.
Before an interface forwards a packet, the device adds the planned VLAN tag to the packet.

The following section describes the termination types, the VLAN tag termination sub-interfaces, and the applications of VLAN tag termination.

Termination type
VLAN packets are classified into dot1q packets, which carry only one VLAN tag, and QinQ packets, which carry two VLAN tags. Accordingly, there are two VLAN tag termination modes:
- Dot1q termination: terminates packets that carry one VLAN tag.
- QinQ termination: terminates packets that carry two VLAN tags.
VLAN tag termination sub-interfaces
Generally, termination is performed on a sub-interface. Therefore, the sub-interface is called a termination sub-interface. VLAN tag termination sub-interfaces are classified into dot1q VLAN tag termination sub-interfaces and QinQ VLAN tag termination sub-interfaces.
- Dot1q VLAN tag termination sub-interface
  
  A sub-interface that terminates packets carrying one VLAN tag.
- QinQ VLAN tag termination sub-interface
  
  A sub-interface that terminates packets carrying two VLAN tags.
  QinQ VLAN tag termination sub-interfaces are classified into the following types:
  - Explicit QinQ VLAN tag termination sub-interface: The pair of VLAN tags specifies two VLANs.
  - Implicit QinQ VLAN tag termination sub-interface: The pair of VLAN tags specifies two ranges of VLANs.
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of untagged packets, and discard them directly.
Applications of VLAN tag termination
- Inter-VLAN communication
  The VLAN technology is widely used because it allows Layer 2 packets of different users to be transmitted separately. With the VLAN technology, a physical LAN is divided into multiple logical broadcast domains (VLANs). Hosts in the same VLAN can communicate with each other at Layer 2, but hosts in different VLANs cannot. The Layer 3 routing technology is required for communication between hosts in different VLANs. The following interfaces can be used to implement inter-VLAN communication:
  - Layer 3 Ethernet interfaces on routers
    
    Conventional Layer 3 Ethernet interfaces do not identify VLAN packets. After receiving VLAN packets, they consider the packets invalid and discard them. To implement inter-VLAN communication, create Ethernet sub-interfaces on a Layer 3 Ethernet interface and configure the sub-interfaces to remove tags from VLAN packets.
- Communication between devices in the LAN and WAN
  
  Most LAN packets carry VLAN tags. Certain wide area network (WAN) protocols, such as Point-to-Point Protocol (PPP), cannot identify VLAN packets. Before forwarding VLAN packets from a LAN to a WAN, a device needs to record the VLAN information carried in the VLAN packets and then remove the VLAN tags.
  
  When the device receives return packets, it adds the locally stored VLAN information to the packets before forwarding them downstream to VLAN users.

The NetEngine A800 series supports only dot1q VLAN tag termination.

Feature Requirements for QinQ

Summary of QinQ Configuration Tasks

This section describes the QinQ features supported by the NetEngine A800 series in terms of the QinQ configuration.

The QinQ configuration is described as follows:

A QinQ-enabled device is capable of virtual local area network (VLAN) stacking, which expands VLAN space and reduces the consumption of VLAN ID resources.If Layer 2 selective QinQ is configured, the device can add different outer VLAN tags to packets and transmit the packets.
QinQ supports the following functions to meet the requirements of special applications and extended functions:
- Configuring QinQ-based VLAN tag swapping: The device can swap the inner tag with the outer tag in a double-tagged packet.
- Configuring VLAN tag termination sub-interfaces for IP service access: Proxy Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP) server/DHCP relay, Virtual Router Redundancy Protocol (VRRP) can be configured on dot1q VLAN tag termination sub-interfaces.
- Configuring VLAN tag termination sub-interfaces for virtual private network (VPN) service access: L2VPN (VPWS/VPLS) and L3VPN services can be configured on QinQ/dot1q VLAN tag termination sub-interfaces.
- Configuring QinQ VLAN tag termination sub-interfaces to support 802.1p mappings: The mappings include the 802.1p-to-DSCP mapping and 802.1p-to-MPLS-EXP mapping.
- Configuring L2VPN access on QinQ stacking sub-interfaces: With this configuration, QinQ stacking sub-interfaces can implement L2VPN (VPWS/VPLS).
QinQ stacking sub-interfaces can be used to solve the problem that one physical interface cannot provide L2VPN access for multiple users.

Access Services Provided by VLAN Tag Termination Sub-Interfaces

Sub-interfaces for QinQ/dot1q VLAN tag termination support IP services (for example, proxy ARP, DHCP, and VRRP), VPN services (for example, L2VPN and L3VPN), 802.1p-to-DSCP mapping, and 802.1p-to-MPLS-EXP mapping. Table 1-158 shows the application scenario of a VLAN tag termination sub-interface providing access services.

Table 1-158 Application scenario of VLAN tag termination sub-interfaces providing access services

Sub-Interface Type	Service Type	Application Scenario
QinQ/Dot1q	Proxy ARP	If users on the same network segment belong to different VLANs, they cannot communicate at Layer 2. To implement communication between VLANs at Layer 3, proxy ARP can be enabled on VLAN tag termination sub-interfaces. For details about proxy ARP, see the chapter "ARP" in the NetEngine A800 series Feature Description - IP Services.
	DHCP DHCP server DHCP relay	To assign IP addresses to users on a VLAN tag termination sub-interface, the DHCP server function needs to be enabled on this sub-interface. If the DHCP client and DHCP server belong to different sub-nets, you need to deploy a DHCP relay agent to forward DHCP request packets from the client to the server so that the client can dynamically obtain IP addresses from the DHCP server. DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation. For details about DHCP, see the chapter "DHCP" in the NetEngine A800 series Feature Description - IP Services.
	VRRP	When a VLAN tag termination sub-interface is used to access a VRRP-enabled, this sub-interface also needs to be enabled with VRRP to ensure reliable and stable communication. For details about VRRP, see the chapter "VRRP" in the NetEngine A800 series Feature Description - Reliability.
	L2VPN Virtual private wire service (VPWS) Virtual private LAN service (VPLS)	When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication. For details about L2VPN, see the chapters "VPWS" and "VPLS" in the NetEngine A800 series Feature Description - VPN.
	L3VPN	When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication. For details about L3VPN, see the chapter "BGP/MPLS IP VPN" in the NetEngine A800 series Feature Description - VPN.
QinQ	802.1p, DiffServ Code Point (DSCP) remark	After a packet is terminated on a PE, the packet is sent to the carrier network. To ensure the completeness of the QoS information in the packet, the 802.1p values in the outer and inner tags need to be mapped to the DSCP remark field.
QinQ	802.1p, EXP (MPLS) remark	After a packet is terminated on a PE, the packet is sent to the carrier MPLS network. To ensure the completeness of the QoS information in the packet, the 802.1p values in the outer and inner tags need to be mapped to the MPLS EXP field.

Figure 1-380 shows how to configure sub-interfaces for QinQ/dot1q VLAN tag termination.

Figure 1-380 Flowchart of configuring sub-interfaces for QinQ/dot1q VLAN tag termination

Differences Between the VLAN Tag Termination Sub-Interface and Dot1q Sub-Interface

Table 1-159 shows the differences between the VLAN tag termination sub-interface and dot1q sub-interface.

Table 1-159 Differences between interfaces

Interface Type	Supported VPN Service				Description	Difference
Interface Type	VPWS (CCC mode)	VPWS	VPLS	L3VPN	Description	Difference
Dot1q sub-interface	Supported	Supported	Supported	Supported	You can run the vlan-type dot1q command to configure an Ethernet sub-interface to be a dot1q sub-interface.	The dot1q sub-interface and dot1q VLAN tag termination sub-interface have the same function. The difference between them is that packets sent from the dot1q sub-interface are encapsulated with only one VLAN tag whereas packets sent from the dot1q VLAN tag termination sub-interface can be encapsulated with multiple VLAN tags. You can configure both dot1q VLAN tag termination sub-interfaces and QinQ VLAN tag termination sub-interfaces on a main interface. With this configuration, the main interface can terminate both single-tagged packets and double-tagged packets. You can configure a dot1q VLAN tag termination sub-interface or a dot1q sub-interface on a main interface to terminate single-tagged packets.
Dot1q VLAN tag termination sub-interface	Supported	Supported	Supported	Supported	You can run the dot1q termination vid command to configure a dot1q VLAN tag termination sub-interface to terminate single-tagged packets. NOTE: VPWS The VLAN tag to be terminated must be a specific value. VPLS The VLAN tag to be terminated can be either a specific value or a value range.
QinQ VLAN tag termination sub-interface	Supported	Supported	Supported	Supported	You can run the qinq termination pe-vid ce-vid command to configure a QinQ VLAN tag termination sub-interface to terminate double-tagged packets. NOTE: VPWS In asymmetrical mode, both VLAN tags to be terminated must be specific values. In symmetrical mode, the outer VLAN tag to be terminated must be a specific value, but the inner VLAN tag to be terminated can be either a specific value or value range. VPLS In asymmetrical mode, both VLAN tags to be terminated can be either specific values or value ranges. In symmetrical mode, the outer VLAN tag to be terminated must be a specific value, but the inner VLAN tag to be terminated can be either a specific value or value range. You can run the qinq termination l2 command to configure the asymmetrical or symmetrical mode.

Table 1-160 and Table 1-161 show how different types of interfaces process VLAN tags carried in packets to be transmitted across a VPLS network.

Table 1-160 Packet processing on an inbound interface

Inbound Interface Type	Packet Processing for VPLS Network Access
Inbound Interface Type	Ethernet-Encapsulated Packets	VLAN-Encapsulated Packets
Dot1q sub-interface	Tags are stripped.	No action is performed.
Dot1q VLAN tag termination sub-interface	Tags are stripped.	No action is performed.
QinQ VLAN tag termination sub-interface	In symmetric mode, the outer tags are stripped. In symmetric mode, both inner and outer tags are stripped.	In symmetric mode, no action is performed. In asymmetric mode, the inner tags are stripped.
QinQ stacking sub-interface	No action is performed.	The outer tag is added.

Table 1-161 Packet processing on an outbound interface

Outbound Interface Type	Packet Processing for VPLS Network Access
Outbound Interface Type	Ethernet-Encapsulated Packets	VLAN-Encapsulated Packets
Dot1q sub-interface	A specific tag is added.	The tag is replaced.
Dot1q VLAN tag termination sub-interface	A specific tag is added.	The tag is replaced.
QinQ VLAN tag termination sub-interface	In symmetric mode, outer tags are added. In asymmetric mode, both inner and outer tags are added.	In symmetric mode, outer tags are replaced. In asymmetric mode, the outer tag is replaced and the inner tag is added.
QinQ stacking sub-interface	No action is performed.	The outer tag is stripped.

Configuring the QinQ Function

A QinQ-enabled device is capable of virtual local area network (VLAN) stacking, which expands VLAN space and reduces the consumption of VLAN ID resources.

Usage Scenario

The major differences between QinQ tunneling and selective QinQ are as follows:

Table 1-162 QinQ tunneling application scenario

QinQ Function	Description	Application Scenario
QinQ tunneling	All data frames that arrive on a QinQ interface are encapsulated with the same outer tag. This encapsulation mode does not distinguish users or services and therefore does not support multi-user and multi-service scenarios.	QinQ tunneling applies where there is no need to distinguish users and services.
Selective QinQ	All data frames that arrive on a QinQ interface can be encapsulated with different VLAN tags that distinguish users or services. This encapsulation mode supports multi-user and multi-service scenarios.	Selective QinQ applies when users and services must be distinguished.

Pre-configuration Tasks

Before configuring the QinQ function, plan user VLANs so that packets from the CE to PE carry one VLAN tag.

Configuring a QinQ Tunnel

After the QinQ tunnel is configured, the interface adds an outer VLAN tag to packets that carry an inner VLAN tag. These packets can then be forwarded on the public network.

Context

Perform the following steps on the device on which the QinQ tunnel is to be configured:

Procedure

Run system-view
The system view is displayed.
Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.

The VLAN ID refers to the value of the outer tag specified in the QinQ tunnel. The VLAN ID ranges from 1 to 4094.
Run quit
Return to the system view.
Run interface interface-type interface-number
The user-side Ethernet interface view is displayed.
(Optional) Run portswitch
The interface is configured as a Layer 2 interface.

Skip this step if the interface is already a Layer 2 interface.
Run port link-type dot1q-tunnel
The interface is configured as a QinQ interface.
Run port default vlan vlan-id
An outer VLAN tag is configured for packets passing through the QinQ Layer 2 interface.

vlan-id must be the same as the VLAN ID created in Step 2.
(Optional) Run qinq protocol ethertype-value
The protocol type of the outer tag is configured.

The value of ethertype-value ranges from 0x0600 to 0xFFFF.

The qinq protocol command takes effect both on double-tagged and single-tagged packets.
Run commit
The configuration is committed.

Configuring Selective QinQ

You can configure selective QinQ on a Layer 2 interface. This configuration allows the interface to add a public virtual local area network (VLAN) tag to a user packet that carries a private VLAN tag so that the user packet can be forwarded over the public network.

Procedure

Run system-view
The system view is displayed.
Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.

The VLAN ID must be the same as the value of the outer VLAN tag specified in the command for configuring selective QinQ.
Run quit
Return to the system view.
Run interface interface-type interface-number
The user-side Ethernet interface view is displayed.
(Optional) Run portswitch
The Layer 3 interface is switched to a Layer 2 interface.

If the interface is a Layer 2 interface, skip this step.
Run port link-type { hybrid | trunk }
The link type of an Ethernet interface is set to hybrid or trunk.
Run port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
The interface is configured as a Layer 2 selective QinQ interface.

vlan-id3 must be the same as the vlan-id created in Step 2.
(Optional) Run qinq protocol ethertype-value
The protocol type of the outer tag is configured.

The value of ethertype-value ranges from 0x0600 to 0xFFFF.

The qinq protocol command takes effect both on double-tagged and single-tagged packets.
Run commit
The configuration is committed.

Verifying the QinQ Function Configuration

After configuring QinQ, check the detailed information about the outer virtual local area network (VLAN) and the protocol type of the outer VLAN tag.

Prerequisites

QinQ has been configured.

Procedure

Run the display vlan vlan-id command to check detailed information about the outer VLAN.
Run the display interface interface-type interface-number command to check the protocol type of the outer VLAN tag.

Configuring QinQ-based VLAN Tag Swapping

This section describes how to configure QinQ-based virtual local area network (VLAN) tag swapping. This configuration enables a device to swap the inner tag with the outer tag in a double-tagged packet. QinQ-based VLAN tag swapping applies only on double-tagged packets.

Usage Scenario

On the network shown in Figure 1-381, the user-end provider edge (UPE) is connected to multiple customer edges (CEs), and each packet that the UPE receives from the CEs carries two VLAN tags. The outer tag indicates the user, and the inner tag indicates the service. The UPE, however, can only forward packets whose outer tags indicate services and inner tags indicate users. To address this problem, the UPE needs to swap the inner tag with the outer tag in double-tagged packets.

In this situation, configure QinQ-based VLAN tag swapping on the UPE.

Figure 1-381 Networking for QinQ-based VLAN tag swapping

Pre-configuration Tasks

Before configuring QinQ-based VLAN tag swapping, configure user VLANs so that packets received by an interface or sub-interface carry two VLAN tags.

Procedure

Run system-view
The system view is displayed.
Run interfaceinterface-type interface-number
The view of the Ethernet interface on which QinQ-based VLAN tag swapping is to be configured is displayed.
Run vlan-swap enable
VLAN tag swapping is enabled.

After BA classification based on 802.1p values is configured on a VLAN-swap-capable interface, BA classification is implemented based on the 802.1p values of the swapped outer VLAN tag.
Run commit
The configuration is committed.

Checking the Configurations

After configuring QinQ-based VLAN tag swapping, check the configurations.

Run the display current-configuration command to check whether QinQ-based VLAN tag swapping is configured.

Configuring QinQ Mapping

QinQ mapping allows a device to map a user virtual local area network (VLAN) ID to a carrier VLAN ID, shielding different user VLAN IDs in packets.

Usage Scenario

QinQ mapping is deployed on Layer 2 edge devices to map user VLAN IDs in packets from users. The devices map the VLAN IDs in user packets to specified VLAN IDs before forwarding the packets to the public network. QinQ mapping is applicable (but not limited) to the following scenarios:

VLAN IDs deployed in new sites and old sites conflict, but the new sites need to communicate with the old sites.
VLAN ID planning at each site on the public network is different. As a result, the VLAN IDs conflict. These sites, however, do not need to communicate with each other.
VLAN IDs on both ends of the public network are different.

The NetEngine A800 series supports the following QinQ mapping mode:

1 to 1 QinQ mapping

When a QinQ mapping-enabled sub-interface receives a single-tagged packet, the sub-interface replaces the VLAN ID in the packet with a specified VLAN ID.

After receiving a user-destined Layer 2 multicast packet, a QinQ stacking or QinQ mapping sub-interface that connects to a VPLS network removes the outer tag from the packet, adds the learned inner and outer tags to the packet, and then forwards the packet to a downstream device.

Pre-configuration Tasks

Before configuring QinQ mapping, plan user VLANs so that user packets carry one or two VLAN tags.

Configuring 1 to 1 QinQ Mapping

When a 1 to 1 QinQ mapping-enabled sub-interface receives a single-tagged packet, the sub-interface replaces the virtual local area network (VLAN) ID in the packet with a specified VLAN ID.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a CE-side sub-interface on a PE is displayed.
Run qinq mapping vid vid map-vlan vid map-vid [ vlan-group group-id ]
The sub-interface is configured to map the VLAN ID in a single-tagged packet to a specified VLAN ID.

The original VLAN ID in the single-tagged packet cannot be the same as the outer VLAN ID of packets on any other sub-interfaces.

If the qinq mapping vid command has been run on a sub-interface, any commands related to the QinQ stacking, QinQ termination, or dot1q termination function cannot be configured on the sub-interface.
Run commit
The configuration is committed.

Verifying the QinQ Mapping Configuration

After configuring QinQ mapping functions, verify the configuration.

Prerequisites

QinQ mapping has been configured.

Procedure

Run the display qinq information mapping [ interface interface-type interface-number [.subinterface-number ] ] command to check QinQ mapping information.

Configuring IP Services on a VLAN Tag Termination Sub-Interface

IP services include proxy Address Resolution Protocol (ARP), Virtual Router Redundancy Protocol (VRRP), and Dynamic Host Configuration Protocol (DHCP) services. You can deploy IP services on QinQ/dot1q VLAN tag termination sub-interfaces so that users in different VLANs can communicate. This ensures non-stop and reliable connections between the users and the network.

Usage Scenario

Table 1-163 shows the applications of VLAN tag termination sub-interfaces transmitting IP services.

Table 1-163 Application of VLAN tag termination sub-interfaces transmitting IP services

IP service	Application
Proxy ARP	A range of VLANs can connect to a network segment using VLAN tag termination sub-interfaces. However, if users on the same network segment belong to different VLANs, these users cannot communicate at Layer 2, and rely on IP forwarding at Layer 3 to communicate with each other. You can configure VLAN tag termination sub-interfaces to support proxy ARP so that users from different VLANs can communicate.
DHCP	To assign IP addresses to users on a VLAN tag termination sub-interface, the DHCP server function needs to be enabled on this sub-interface. If the DHCP client and DHCP server belong to different sub-nets, you need to deploy a DHCP relay agent to forward DHCP request packets from the client to the server so that the client can dynamically obtain IP addresses from the DHCP server. DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation.
VRRP	Users may require communication with certain networks at any time. Running VRRP on the VLAN tag termination sub-interfaces ensures reliable communication and provides an active/standby mechanism for dot1q or QinQ users.

Proxy ARP, VRRP and DHCP are different types of IP services. Deploy the desired service on the VLAN tag termination sub-interface.

Pre-configuration Tasks

Before you configure a VLAN tag termination sub-interface to transmit IP services, plan user VLANs so that packets received by the VLAN tag termination sub-interface carry one or two VLAN tags.

Configuring a VLAN Tag Termination Sub-interface

A virtual local area network (VLAN) tag termination sub-interface can be a dot1q VLAN tag termination sub-interface or a QinQ VLAN tag termination sub-interface. In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

Context

Applications of VLAN tag termination

Inter-VLAN communication
The VLAN technology is widely used because it allows Layer 2 packets of different users to be transmitted separately. With the VLAN technology, a physical LAN is divided into multiple logical broadcast domains (VLANs). Hosts in the same VLAN can communicate with each other at Layer 2, but hosts in different VLANs cannot. The Layer 3 routing technology is required for communication between hosts in different VLANs. The following interfaces can be used to implement inter-VLAN communication:
- Layer 3 Ethernet interfaces on routers
  
  Conventional Layer 3 Ethernet interfaces do not identify VLAN packets. After receiving VLAN packets, they consider the packets invalid and discard them. To implement inter-VLAN communication, create Ethernet sub-interfaces on a Layer 3 Ethernet interface and configure the sub-interfaces to remove tags from VLAN packets.
Communication between devices in the LAN and WAN

Most LAN packets carry VLAN tags. Certain wide area network (WAN) protocols, such as Point-to-Point Protocol (PPP), cannot identify VLAN packets. Before forwarding VLAN packets from a LAN to a WAN, a device needs to record the VLAN information carried in the VLAN packets and then remove the VLAN tags.

When the device receives return packets, it adds the locally stored VLAN information to the packets before forwarding them downstream to VLAN users.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The sub-interface is configured as a dot1q VLAN tag termination sub-interface.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Configure the dot1q VLAN tag termination sub-interface using one or more of the following commands based on site requirements:
  - To configure a dot1q VLAN tag termination sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command.
  - To configure a dot1q VLAN tag termination sub-interface and a matching policy for the sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] { 8021p { val8021p1 [ to val8021p2 ] } &<1-8> | dscp { valdscp1 [ to valdscp2 ] } &<1-10> | default } [ vlan-group group-id ] command.
  - After the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command is run in the Ethernet sub-interface view, the specified VLAN range belongs to the sub-interface, and any VLAN ID in the VLAN range cannot be configured together with the 802.1p value/DSCP value/EthType on other sub-interfaces.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.

The recent version of the NetEngine A800 series only supports a VLAN group works in single mode on the QinQ VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid qinq-termination [ local-switch | rt-protocol ] or encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The sub-interface is configured as a QinQ VLAN tag termination sub-interface.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
5. Run encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The sub-interface is configured as a QinQ VLAN tag termination sub-interface.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
6. Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ] [ vlan-group group-id ]
  
  The sub-interface is configured as a QinQ VLAN tag termination sub-interface.
  
  If rt-protocol is specified, the QinQ VLAN tag termination sub-interface terminates double-tagged packets whose inner and outer tags contain only single VLAN IDs (not VLAN ranges).
7. Run commit
  
  The configuration is committed.

Configuring IP Services

After a VLAN tag termination sub-interface is configured, you need to configure IP services so that users can access IP services using the VLAN tag termination sub-interface.

Context

Sub-interfaces for VLAN tag termination cannot forward broadcast packets. They automatically discard broadcast packets they receive. To allow VLAN tag termination sub-interfaces to forward broadcast packets, run the arp broadcast enable command on the sub-interfaces to enable the ARP broadcast function.

When an IP packet is sent on a VLAN tag termination sub-interface without a corresponding ARP entry, the following may occur:

If the access device supports automatic forwarding of ARP packets, the packets are forwarded even if the ARP broadcast function is disabled on the VLAN tag termination sub-interface.
If the access device does not support automatic forwarding of ARP packets:
- The system discards the IP packet if the arp broadcast enable command is not configured on the VLAN tag termination sub-interface. In this case, the route with the VLAN tag termination sub-interface as the outbound interface is considered a black hole route.
- If the arp broadcast enable command is configured on the VLAN tag termination sub-interface, the system originates a tagged ARP broadcast packet and forwards it through the VLAN tag termination sub-interface.

When you enable or disable the ARP broadcast function on a VLAN tag termination sub-interface, the routing status of the sub-interface goes Down and then Up. This may result in route flapping on the entire network.

Configure proxy ARP

Configure proxy ARP on the device. For detailed configuration, see the chapter "ARP Configuration" in the HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - IP Services.
Configure DHCP

Configure DHCP on the device. For detailed configuration, see the chapter "DHCP Configuration" in the HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - IP Services.

On a large network, if terminals need to be connected to a server through another device instead of being directly connected to this server through Ethernet interfaces, configure DHCP based on a global address pool on the server, so that the terminals can dynamically obtain IP addresses from the server.

DHCP relay can be configured on the VLAN tag termination sub-interface to insert tag information into Option82. The tag information provides a reference for the DHCP server in IP address allocation.
Configure VRRP

Configure VRRP on the device. For detailed configuration, see "VRRP Configuration" in the HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - Reliability.

When a VRRP group is configured on a VLAN tag termination sub-interface, the sub-interface needs to encapsulate inner and outer VLAN tags into VRRP packets. After you enable VRRP on a VLAN tag termination sub-interface, the sub-interface encapsulates and decapsulates the VLAN tags of VRRP packets to ensure that packets can be transmitted in VLANs.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of the VLAN tag termination sub-interface is displayed.

Configure a VLAN tag termination sub-interface to transmit IP services, as shown in Table 1-164.

Table 1-164 VLAN tag termination sub-interfaces transmitting IP services

Service Type	VLAN Tag Termination Sub-interface	Description
Proxy ARP	Run arp-proxy enable Proxy ARP is enabled on the sub-interface.	-
DHCP relay	Run ip address ip-address { mask \| mask-length } An IP address is configured for the interface. Run ip relay address ip-address The IP address of the DHCP server is associated with a DHCP option. Run dhcp select relay DHCP relay is enabled.	-

Service Type

VLAN Tag Termination Sub-interface

Description

Proxy ARP

Run arp-proxy enable

Proxy ARP is enabled on the sub-interface.

DHCP relay

Run ip address ip-address { mask | mask-length }
An IP address is configured for the interface.
Run ip relay address ip-address
The IP address of the DHCP server is associated with a DHCP option.
Run dhcp select relay
DHCP relay is enabled.

(Optional) Run arp broadcast enable
ARP broadcast is enabled on the VLAN tag termination sub-interface.
Run commit
The configuration is committed.

Verifying the Configuration

After configuring IP services on the VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The IP service access configurations on the VLAN tag termination sub-interface have been complete.

Procedure

Run the display dot1q information termination [ interface{interface-name |interface-type interface-number } ] command to check information about the dot1q VLAN tag termination sub-interface.
Run the display qinq information termination [ interface {interface-name |interface-type interface-number }] command to check information about the QinQ VLAN tag termination sub-interface.
Run the display dhcp relay address all command to check the DHCP configuration on the interface that has DHCP relay enabled.

Configuring a VLAN Tag Termination Sub-interface to Transmit the VPN Service

Virtual private network (VPN) services are classified into L2VPN services and L3VPN services. You can configure VLAN tag termination sub-interfaces on the PEs for VPN access to enable the interworking between the CEs.

Usage Scenario

Table 1-165 shows a typical application scenario in which VLAN tag termination sub-interfaces transmit VPN services.

Table 1-165 VLAN tag termination sub-interfaces transmitting VPN services

VPN Service	Application
L2VPN	When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication.
L3VPN	When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

Pre-configuration Tasks

Before you configure a VLAN tag termination sub-interface to transmit IP services, plan user VLANs so that packets received by the VLAN tag termination sub-interface carry one or two VLAN tags.

Configuring a VLAN Tag Termination Sub-interface

Context

An increasing number of QinQ encapsulation and termination modes have been developed to distinguish users or services and reduce the use of virtual local area network (VLAN) IDs. These QinQ encapsulation and termination modes enable carriers to implement refined operation.

Users may communicate over various types of Layer 2 virtual private networks (L2VPNs), such as a virtual private wire service (VPWS) or virtual private LAN service (VPLS). To achieve more flexibility in managing packets for these users, you can configure QinQ VLAN tag termination sub-interfaces on edge devices on the L2VPN and configure the attributes of the sub-interfaces to provide L2VPN access.

QinQ VLAN tag termination sub-interfaces can access VPWS or VPLS in symmetrical or asymmetrical mode. User packets are sent to the L2VPN in different modes after being processed by the PE, as described in Table 1-166 and Table 1-167.

Table 1-166 Packet processing on an inbound interface

Inbound Interface Type	VPWS/VPLS
Inbound Interface Type	Ethernet Encapsulation	VLAN Encapsulation
Symmetry mode	Removes the outer tag.	Keeps both inner and outer tags unchanged.
Asymmetrical mode	Removes both inner and outer tags.	Removes the inner tag.

Table 1-167 Packet processing on an outbound interface

Outbound Interface Type	VPWS/VPLS
Outbound Interface Type	Ethernet Encapsulation	VLAN Encapsulation
Symmetry mode	Adds an outer tag.	Replaces the outer tag.
Asymmetrical mode	Adds two tags.	Replaces the outer tag and adds the inner tag.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The sub-interface is configured as a dot1q VLAN tag termination sub-interface.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Configure the dot1q VLAN tag termination sub-interface using one or more of the following commands based on site requirements:
  - To configure a dot1q VLAN tag termination sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command.
  - To configure a dot1q VLAN tag termination sub-interface and a matching policy for the sub-interface, run the dot1q termination vid low-pe-vid [ to high-pe-vid ] { 8021p { val8021p1 [ to val8021p2 ] } &<1-8> | dscp { valdscp1 [ to valdscp2 ] } &<1-10> | default } [ vlan-group group-id ] command.
  - After the dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ] command is run in the Ethernet sub-interface view, the specified VLAN range belongs to the sub-interface, and any VLAN ID in the VLAN range cannot be configured together with the 802.1p value/DSCP value/EthType on other sub-interfaces.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.

In the current version, QinQ VLAN tag termination sub-interfaces on the NetEngine A800 series support only VLAN groups in single mode.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid qinq-termination [ local-switch | rt-protocol ] or encapsulation qinq-termination [ local-switch | rt-protocol ]
  
  The sub-interface is configured as a QinQ VLAN tag termination sub-interface.
  - Specify local-switch so that the QinQ VLAN tag termination sub-interface supports local switching.
  - Specify rt-protocol so that the QinQ VLAN tag termination sub-interface supports routing protocols.
5. Run commit
  
  The configuration is committed.

(Optional) Configuring a PW-tag Action

This section describes how to configure a PW-tag action so that a PE changes the P-Tag of packets to be forwarded over a PW in tagged mode to ensure normal communication with non-Huawei devices on an L2VPN network.

Context

On the network shown in Figure 1-382, CE1 and CE2 are connected to the L2VPN network through PE sub-interfaces, PE1 and CE1 are Huawei devices, and PE2 and CE2 are non-Huawei devices.

When a PE transmits multiple services over one PW, the PE adds different P-Tags to packets of different services to isolate the packets on the L2VPN network. When the packets reach the sub-interfaces of another PE on the other end of the PW, each sub-interface accepts only those packets carrying the same P-Tag as that specified on the sub-interface.

However, because the P-Tags on PE1 and PE2 may be different, PE1 cannot communicate with PE2, and users from user networks connected to CE1 and CE2 cannot communicate with each other.

Figure 1-382 Networking for accessing an L2VPN through sub-interfaces

To address the problem, configure a PW-tag action on the user-side sub-interface of PE1. The PE1 sub-interface changes the P-Tag of packets to that on PE2 before forwarding the packets over the PW. This allows PE1 to communicate with PE2.

Table 1-168 provides the default P-Tag values and the P-Tag values after the PW-tag action.

Table 1-168 P-Tag values

Sub-Interface Type	Default P-Tag Value	P-Tag Value After the PW-Tag Action
Dot1q sub-interface	VLAN ID in a packet	New VLAN ID
Dot1q VLAN tag termination sub-interface	VLAN ID in a packet
QinQ VLAN tag termination sub-interface	Outer VLAN ID in a packet
QinQ stacking sub-interface	Minimum VLAN ID in the VLAN ID range specified on the sub-interface
QinQ mapping sub-interface	Fixed VLAN ID in the system

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a user-side sub-interface on a PE is displayed.
Run pw-tag { vlan-id | inner-vlan | outer-vlan } [ 8021p { 8021p-value | inner-vlan | outer-vlan } ]
A PW-tag action is configured so that the sub-interface changes the P-Tag of packets before forwarding the packets over the PW in tagged mode.
Run commit
The configuration is committed.

Configuring VPN Services

After you configure the VLAN tag termination sub-interface, you need to configure VPN services so as to enable users to communicate with each other over an L3VPN.

Context

When an IP packet is sent on a VLAN tag termination sub-interface without a corresponding ARP entry, the following may occur:

If the access device supports automatic forwarding of ARP packets, the packets are forwarded even if the ARP broadcast function is disabled on the VLAN tag termination sub-interface.
If the access device does not support automatic forwarding of ARP packets:
- The system discards the IP packet if the arp broadcast enable command is not configured on the VLAN tag termination sub-interface. In this case, the route with the VLAN tag termination sub-interface as the outbound interface is considered a black hole route.
- If the arp broadcast enable command is configured on the VLAN tag termination sub-interface, the system originates a tagged ARP broadcast packet and forwards it through the VLAN tag termination sub-interface.

Configure L2VPN.

For configuration details, see "VPWS Configuration" and "VPLS Configuration" in HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - VPN.
Configure L3VPN.

For configuration details, see "BGP MPLS IP VPN Configuration" in HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - VPN.

Perform the following steps on the device that supports VPN services:

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of the VLAN tag termination sub-interface is displayed.

Configure a VLAN tag termination sub-interface to transmit VPN services, as shown in Table 1-169.

Table 1-169 VLAN tag termination sub-interfaces transmitting VPN services

Service Type	VLAN Tag Termination Sub-interface	Description
VPWS	Run the mpls l2vcmpls l2vc { ip-address \| pw-template templateName }^* pwId [ [ control-word [seq-number] \| no-control-word ] \| [ raw \| tagged \| ip-interworking \| ip-layer2 ] \| tunnel-policy policy-name [ { endpoint endpoint-address \| [ endpoint endpoint4-address ] } color color-value ] \| access-port \| [ secondary \| bypass ]\| ignore-standby-state ]^* command to create a VPWS connection.	ip-interworking must be configured when Huawei devices interwork with each other over heterogeneous media. ip-layer2 must be configured when Huawei devices interwork with non-Huawei devices over heterogeneous media.
L3VPN	Run the ip binding vpn-instance vpn-instance-name command to bind the VLAN tag termination sub-interface to a VPN instance.	-

(Optional) Run arp broadcast enable
The ARP broadcast function is enabled on the VLAN tag termination sub-interface.

This step takes effect only on QinQ VLAN tag termination sub-interfaces that provide L3VPN access.
Run commit
The configuration is committed.

Verifying the Configuration

After you configure VPN services on the VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The configurations of the VLAN tag termination sub-interface to transmit VPN services are complete.

Procedure

Run the display dot1q information termination [ interface{interface-name |interface-type interface-number } ] command to check information about the dot1q VLAN tag termination sub-interface.
View the configuration of the L2VPN in CCC mode.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information about the CCC connection.
- Run the display l2vpn ccc-interface vc-type ccc [ up | down ] command to check information about the interface in the Up or Down state.
Check the configuration of the L2VPN in LDP mode.
- Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command to check the local LDP VLL connection information on the PE.
- Run the display mpls l2vc remote-info [ vc-id ] command to check the remote LDP VLL connection information on the PE.
Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check VPN instance information.
Run the display bgp [ vpnv4 vpn-instance vpn-instance-name ] peer command to check information about BGP peers.

Configuring Multicast Services on a VLAN Tag Termination Sub-interface

With the wide use of multicast services on the Internet, you need to deploy sub-interfaces for QinQ/dot1q VLAN tag termination to process the user packets carrying a single tag or double tags for multicast services. In this manner, the UPE can maintain information about the outbound interface of multicast packets according to the established multicast forwarding table to ensure the normal communications between hosts and the multicast source.

Usage Scenario

On the network shown in Figure 1-383, Layer 2 multicast and Layer 3 multicast services are deployed.

Layer 2 multicast

After being bound to a Virtual Switching Instance (VSI) and enabled with Internet Group Management Protocol (IGMP) snooping, the sub-interface for QinQ/dot1q VLAN tag termination can listen IGMP messages exchanged between the multicast device and hosts, and therefore can learn which interfaces have multicast receivers. In this case, multicast packets are transmitted on the Layer 2 network in multicast mode rather than broadcast mode, and consequently received only by members of the multicast group.
Layer 3 multicast

When multicast protocol packets with double tags are sent to the upper-layer network through the UPE, you need to configure a sub-interface for QinQ VLAN tag termination or sub-interface for dot1q VLAN tag termination on the UPE to support IGMP. In this way, a multicast group member forwarding table and a routing table can be created on the UPE. When multicast protocol packets sent from the user side pass through the UPE, the UPE can identify the packets and send them to the corresponding multicast source based on the service tag. Based on the established multicast forwarding table, the UPE can replicate and deliver multicast packets correctly.

Here, Layer 3 multicast mainly refers to IGMP.

Figure 1-383 Networking diagram of the multicast service on termination sub-interfaces

Pre-configuration Tasks

Before configuring the sub-interface for VLAN tag termination to access the multicast service, complete the following tasks:

Ensuring that devices are correctly connected and that the physical interfaces of each device are in the Up state.
Configuring the correct VLANs of users to enable the packets received by the sub-interface for VLAN tag termination to carry one or double tags.

Configuring a VLAN Tag Termination Sub-interface

A VLAN tag termination sub-interface can be a dot1q VLAN tag termination sub-interface or a QinQ VLAN tag termination sub-interface. In dot1q/QinQ termination, a device identifies whether a packet has one tag or two tags. The device then forwards the packet after stripping one or both tags or discards the packet.

Procedure

Configure a dot1q VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run control-vid vid dot1q-termination [ rt-protocol ] or encapsulation dot1q-termination [ rt-protocol ]
  
  The sub-interface is configured as a dot1q VLAN tag termination sub-interface.
  
  Specify rt-protocol so that the dot1q VLAN tag termination sub-interface supports routing protocols.
5. Run dot1q termination vid low-pe-vid [ to high-pe-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the dot1q VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the dot1q VLAN tag termination sub-interface terminates packets carrying a fixed-value VLAN tag.
6. Run commit
  
  The configuration is committed.
Configure a QinQ VLAN tag termination sub-interface.
1. Run system-view
  
  The system view is displayed.
2. Run interface interface-type interface-number.subinterface-number
  
  The view of the PE's Ethernet sub-interface connecting to the user side is displayed.
3. (Optional) Create a user VLAN group.
  1. Run vlan-group group-id
    
    A user VLAN group is created.
  2. Run group mode { single | multiple }
    
    The working mode of the VLAN group is configured.
    - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
    - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
  3. Run quit
    
    Return to the view of the PE's Ethernet sub-interface connecting to the user side.
  Configuring a VLAN group allows you to achieve the following purposes:
  - Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
  - View statistics about QinQ packets to check whether a device is functioning properly.
4. Run qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid ce-vid [ to high-ce-vid ] [ vlan-group group-id ]
  
  The VLAN tag termination function is configured for the QinQ VLAN tag termination sub-interface.
  
  After you specify rt-protocol, the QinQ VLAN tag termination sub-interface terminates packets carrying two fixed-value VLAN tags.
5. Run commit
  
  The configuration is committed.

Configuring Multicast Services

After a dot1q or QinQ VLAN tag termination sub-interface is configured, configure multicast services for the sub-interface so user hosts of this sub-interface can communicate with multicast sources.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The dot1q or QinQ VLAN tag termination sub-interface view is displayed.

Perform the actions described in Table 1-170 to configure the multicast service for the dot1q or QinQ VLAN tag termination sub-interface.

Table 1-170 Configuring the multicast service for a dot1q or QinQ VLAN tag termination sub-interface

Service Type	Action	Remarks
Layer 3 multicast	Run the igmp static-group StaticGrp [ inc-step-mask { IncStepGrpMask \| IncStepGrpMaskLen } number TotalNum ] [ source SourceAddr ] { qinq pe-vid peVidValue ce-vid lowCeValue [ to highCeValue ] \| dot1qvid lowVidValue [ to highVidValue ]} command to statically add a QinQ or dot1q VLAN tag termination sub-interface to multicast groups in batches or a single multicast group.	The static group with tag parameters can be configured only on the QinQ VLAN tag termination sub-interface or the dot1q VLAN tag termination sub-interface.

Run commit
The configuration is committed.

Verifying the Multicast Service Configuration on the VLAN Tag Termination Sub-interface

After configuring multicast services on a dot1q or QinQ VLAN tag termination sub-interface, verify the configuration.

Prerequisites

The multicast services have been configured for a dot1q or QinQ VLAN tag termination sub-interface.

Procedure

Run the display dot1q information termination [ interface {interface-name |interface-type interface-number } ] command to check information about the dot1q VLAN tag termination sub-interface.
Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] interface [ interface-type interface-number ] [ verbose ] command to check IGMP configurations on an interface.
Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] group [ group-address | interface interface-type interface-number ] [ verbose ] command to check information about IGMP multicast groups.

Configuring an L2VPN Service on a QinQ Stacking Sub-interface

To enable a physical interface to provide multiple users with access to an L2VPN, configure a QinQ stacking sub-interface and bind it to a VSI or L2VC.

Usage Scenario

In early stages, QinQ was primarily deployed on CEs on Layer 2 networks. VLAN tags are added to packets using VLAN stacking and services are forwarded on Layer 2 networks based on the outer VLAN tags. QinQ stacking sub-interfaces are configured on PEs to identify user VLANs and add outer VLAN tags to Layer 2 frames.

This implementation, however, faces a problem that one physical interface cannot provide L2VPN access to multiple users. To address this problem, you can configure a QinQ stacking sub-interface and bind it to a VSI or L2VC to provide L2VPN access to multiple users.

QinQ stacking sub-interfaces cannot forward packets at Layer 2 and must be deployed with the L2VPN.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

Pre-configuration Tasks

Before you configure the QinQ stacking sub-interface provide L2VPN access, plan user VLANs properly so that packets received by QinQ stacking sub-interfaces carry one VLAN tag.

Configuring a QinQ Stacking Sub-interface

This section describes how to configure a QinQ stacking sub-interface on a provider edge (PE) to provide Layer 2 virtual private network (L2VPN) access so that the inner virtual local area network (VLAN) tags of user packets are transparently transmitted over an ISP network.

Context

After you enable QinQ stacking on an Ethernet sub-interface:

When the QinQ stacking sub-interface receives a packet, the sub-interface checks whether the VLAN ID or VLAN range in the VLAN tag of the packet matches the VLAN ID or VLAN range specified using the qinq stacking vid command. If they are consistent, the sub-interface adds an outer VLAN tag to the packet.
- If the packet carries one VLAN tag and the VLAN ID in the tag is in the VLAN range specified by low-ce-vid [ to high-ce-vid ] in the qinq stacking vid command, the sub-interface adds an outer VLAN tag to the packet. If the VLAN ID in the VLAN tag is not in the specified VLAN range, the sub-interface discards the packet.
- If the packet carries two VLAN tags and the VLAN ID in the outer tag is in the VLAN range specified by low-ce-vid [ to high-ce-vid ] in the qinq stacking vid command, the sub-interface adds another outer VLAN tag to the packet and forwards the packet. In this case, the inner VLAN tag is transmitted transparently. If the VLAN ID in the outer tag is not in the specified VLAN range, the sub-interface discards the packet.
- If the packet does not carry any VLAN tag, the sub-interface directly discards the packet.
When the QinQ stacking sub-interface sends a packet, the sub-interface strips the outer VLAN tag of the packet.

After you run the qinq stacking vid command on an Ethernet sub-interface:

If you do not run the qinq stacking pe-vid pe-vid command to specify an outer VLAN tag to be added to packets, the Ethernet sub-interface will add a default outer VLAN tag to received packets.

The default outer VLAN tag is assigned by the device and cannot be modified.
If you run the qinq stacking pe-vid pe-vid command to specify an outer VLAN tag to be added to packets, the Ethernet sub-interface will add the specified outer VLAN tag to received packets.

Before you run the qinq stacking pe-vid pe-vid command on an Ethernet sub-interface, you must run the qinq stacking vid command on the sub-interface. Otherwise, the QinQ stacking function does not take effect.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of an Ethernet sub-interface on the user side of a PE is displayed.
(Optional) Create a user VLAN group.
1. Run vlan-group group-id
  
  A user VLAN group is created.
2. Run group mode { single | multiple }
  
  The working mode of the VLAN group is configured.
  - single: A VLAN group is considered as a user. This means that you cannot collect statistics about QinQ packets or deploy quality of service (QoS) policies based on a VLAN or a VLAN range.
  - multiple: VLANs and VLAN ranges in a VLAN group are considered as different users. This means that you can collect statistics about QinQ packets or deploy QoS policies based on a VLAN or VLAN range to implement refined management.
3. Run quit
  
  Return to the view of the PE's Ethernet sub-interface connecting to the user side.
Configuring a VLAN group allows you to achieve the following purposes:
- Deploy QoS policies based on services or users so that higher priority service traffic is preferentially forwarded, improving user experience.
- View statistics about QinQ packets to check whether a device is functioning properly.
Run commands to configure a QinQ stacking sub-interface as required.
- To configure a QinQ stacking sub-interface, run the qinq stacking vid low-ce-vid [ to high-ce-vid ] [ vlan-group group-id ] command.
- If you have run the vlan-group command to configure a VLAN group on the sub-interface, specify vlan-group in the preceding commands.
- If you have not run the vlan-group command to configure a VLAN group on the sub-interface, do not specify vlan-group in the preceding commands.
- If you configure QinQ stacking on different Ethernet sub-interfaces of the same main interface, the ce-vid ranges cannot overlap between these sub-interfaces.
(Optional) Run qinq stacking pe-vid pe-vid
The QinQ stacking sub-interface is enabled to add a specified outer VLAN tag to received packets.

If you skip this step, the QinQ stacking sub-interface will add a system-assigned outer VLAN tag to received packets.
Run commit
The configuration is committed.

(Optional) Configuring a PW-tag Action

Context

On the network shown in Figure 1-384, CE1 and CE2 are connected to the L2VPN network through PE sub-interfaces, PE1 and CE1 are Huawei devices, and PE2 and CE2 are non-Huawei devices.

However, because the P-Tags on PE1 and PE2 may be different, PE1 cannot communicate with PE2, and users from user networks connected to CE1 and CE2 cannot communicate with each other.

Figure 1-384 Networking for accessing an L2VPN through sub-interfaces

Table 1-171 provides the default P-Tag values and the P-Tag values after the PW-tag action.

Table 1-171 P-Tag values

Sub-Interface Type	Default P-Tag Value	P-Tag Value After the PW-Tag Action
Dot1q sub-interface	VLAN ID in a packet	New VLAN ID
Dot1q VLAN tag termination sub-interface	VLAN ID in a packet
QinQ VLAN tag termination sub-interface	Outer VLAN ID in a packet
QinQ stacking sub-interface	Minimum VLAN ID in the VLAN ID range specified on the sub-interface
QinQ mapping sub-interface	Fixed VLAN ID in the system

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number.subinterface-number
The view of a user-side sub-interface on a PE is displayed.
Run pw-tag { vlan-id | inner-vlan | outer-vlan } [ 8021p { 8021p-value | inner-vlan | outer-vlan } ]
A PW-tag action is configured so that the sub-interface changes the P-Tag of packets before forwarding the packets over the PW in tagged mode.
Run commit
The configuration is committed.

Configuring an L2VPN Service

Layer 2 virtual private network (L2VPN) services include virtual private wire service (VPWS) and virtual private LAN service (VPLS). After you configure QinQ stacking sub-interfaces, bind these sub-interfaces to a virtual switching instance (VSI) or VPWS instance to provide L2VPN access for users.

Context

For configuration details, see "VPWS Configuration" and "VPLS Configuration" in HUAWEI NetEngine A821 E, A821, A811 M, A811, A810 series Configuration Guide - VPN.

If you use QinQ stacking sub-interfaces to provide VPWS access, the number of VLANs on both ends of the VPWS must be the same.

Perform the following steps on the device on which an L2VPN is to be configured.

Procedure

Run system-view
The system view is displayed.
Run interfaceinterface-type interface-number.subinterface-number
The view of the QinQ stacking sub-interface is displayed.

Configure a QinQ stacking sub-interface to provide L2VPN access, as shown in Table 1-172.

Table 1-172 QinQ stacking sub-interfaces providing L2VPN access

Service Type	QinQ Stacking Sub-interface Configuration	Description
VPWS	Run the mpls l2vc { ip-address \| pw-template pw-template-name } ^* vc-id [ tunnel-policy policy-name [ { endpoint endpoint-address \| [ endpoint endpoint4-address ] } color color-value ] \| [ control-word \| no-control-word ] \| [ raw \| tagged \| ip-interworking \| ip-layer2 ] \| access-port \| [secondary \| bypass] ignore-standby-state ] ^* command to create a VPWS PW.	ip-interworking must be configured when Huawei devices interwork with each other over heterogeneous media. ip-layer2 must be configured when Huawei devices interwork with non-Huawei devices over heterogeneous media.

Run commit
The configuration is committed.

Verifying the L2VPN Service Configuration on the QinQ Stacking Sub-interface

After you configure an L2VPN service on a QinQ stacking sub-interface, verify the configuration

Prerequisites

The configurations of the sub-interface for QinQ stacking to provide L2VPN access are complete.

Procedure

Run the display qinq information stacking [ interface interface-type interface-number [ .subinterface-number ] ] command to check QinQ stacking information.
View the configuration of the L2VPN in CCC mode.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information about the CCC connection.
- Run the display l2vpn ccc-interface vc-type ccc [ up | down ] command to check information about the interface in the Up or Down state.
Check the configuration of the L2VPN in LDP mode.
- Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command to check the local LDP VLL connection information on the PE.
- Run the display mpls l2vc remote-info [ vc-id ] command to check the remote LDP VLL connection information on the PE.

Maintaining QinQ

This section describes how to clear statistics about QinQ packets and monitor the QinQ operating status.

Clearing QinQ Statistics

Clear existing QinQ packet statistics before you are able to collect statistics about QinQ packets for a specific period of time.

Context

Statistics about QinQ packets cannot be restored after they are cleared. Exercise caution before you decide to clear the statistics.

To clear QinQ packet statistics, run the following command in the user view:

Procedure

Run the reset qinq statistics interface interface-type interface-number.subinterface-number vlan-group group-id command to clear statistics about QinQ packets on the specified interface.

Monitoring the QinQ Operating Status

This section describes how to monitor the QinQ operating status.

Context

In routine maintenance, you can run the commands in any view to view the QinQ operating status.

Procedure

Run the display qinq statistics [ interface { interface-type interface-number | interface-name } [ vlan-group group-id ]] [ verbose ] command to check QinQ packet statistics.
The statistic enable command must be run in the VLAN group view to enable the function of collecting QinQ packet statistics based on VLAN groups before you run the display qinq statistics command to view the number of QinQ packets sent or received by the sub-interface. These statistics help you deploy QoS policies or locate problems. If the function of collecting QinQ packet statistics is disabled, you cannot view the statistics on the sub-interface.
Run the display vlan-group [ group-id ] interface { interface-name | interface-type interface-number } command to check the number of VLAN groups on a specified interface and the configuration of each VLAN group.

Configuration Examples for QinQ

This section describes the QinQ application details, including networking requirements, configuration roadmap, and data preparation, and provides related configuration files.

Example for Configuring a QinQ Tunnel

After Layer 2 QinQ tunneling is configured, an enterprise can plan its own VLANs. Branch offices of the same enterprise in different locations can communicate with each other through the VLANs. Offices of different enterprises cannot communicate.

Networking Requirements

On the network shown in Figure 1-385, company 1 has three offices and company 2 has two offices. Offices of company 1 and company 2 are connected to PE1 and PE2 on the carrier network. Company 1 and company 2 can plan their own VLANs as required.

You can configure Layer 2 QinQ tunneling on PE1 and PE2 so that offices of the same company can interwork but offices of different companies cannot interwork.

Figure 1-385 Typical networking of Layer 2 QinQ tunneling

Interfaces 1 through 4 in this example are GE 0/2/1, GE 0/2/9, GE 0/2/17, and GE 0/2/4, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure outer VLAN tags for QinQ packets.
Configure Layer 2 QinQ tunneling so that packets exchanged between VLAN users become double-tagged QinQ packets after passing through the QinQ tunnel.
Configure interfaces on which Layer 2 QinQ tunneling is not configured. These interfaces allow packets carrying the specified outer VLAN tags to pass through so that users of the same company from different VLANs can communicate.

Data Preparation

To complete the configuration, you need the following data:

Number of the access interfaces of company 1 and company 2
Outer VLAN IDs of the QinQ interfaces for company 1 and company 2 access

Procedure

Create outer VLAN tags for Layer 2 QinQ tunneling.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] vlan batch 10 20

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] vlan batch 10 20

Configure Layer 2 QinQ tunneling.

# Configure PE1.

[*PE1] interface gigabitethernet 0/2/1

[*PE1-GigabitEthernet0/2/1] portswitch

[*PE1-GigabitEthernet0/2/1] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/2/1] port default vlan 10

[*PE1-GigabitEthernet0/2/1] undo shutdown

[*PE1-GigabitEthernet0/2/1] quit

[*PE1] interface gigabitethernet 0/2/9

[*PE1-GigabitEthernet0/2/9] portswitch

[*PE1-GigabitEthernet0/2/9] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/2/9] port default vlan 20

[*PE1-GigabitEthernet0/2/9] undo shutdown

[*PE1-GigabitEthernet0/2/9] quit

[*PE1] interface gigabitethernet 0/2/17

[*PE1-GigabitEthernet0/2/17] portswitch

[*PE1-GigabitEthernet0/2/17] port link-type dot1q-tunnel

[*PE1-GigabitEthernet0/2/17] port default vlan 10

[*PE1-GigabitEthernet0/2/17] undo shutdown

[*PE1-GigabitEthernet0/2/17] quit

[*PE1] commit

# Configure PE2.

[*PE2] interface gigabitethernet 0/2/1

[*PE2-GigabitEthernet0/2/1] portswitch

[*PE2-GigabitEthernet0/2/1] port link-type dot1q-tunnel

[*PE2-GigabitEthernet0/2/1] port default vlan 20

[*PE2-GigabitEthernet0/2/1] undo shutdown

[*PE2-GigabitEthernet0/2/1] quit

[*PE2] interface gigabitethernet 0/2/9

[*PE2-GigabitEthernet0/2/9] portswitch

[*PE2-GigabitEthernet0/2/9] port link-type dot1q-tunnel

[*PE2-GigabitEthernet0/2/9] port default vlan 10

[*PE2-GigabitEthernet0/2/9] undo shutdown

[*PE2-GigabitEthernet0/2/9] quit

[*PE2] commit

Configure other interfaces.

# Configure GE0/2/4 on PE1 to allow packets from VLAN 10 and VLAN 20 to pass through.

[~PE1] interface gigabitethernet 0/2/4

[*PE1-GigabitEthernet0/2/4] portswitch

[*PE1-GigabitEthernet0/2/4] port link-type trunk

[*PE1-GigabitEthernet0/2/4] port trunk allow-pass vlan 10 20

[*PE1-GigabitEthernet0/2/4] undo shutdown

[*PE1-GigabitEthernet0/2/4] quit

[*PE1] commit

# Configure GE0/2/17 on PE2 to allow packets from VLAN 10 and VLAN 20 to pass through.

[~PE2] interface gigabitethernet 0/2/17

[*PE2-GigabitEthernet0/2/17] portswitch

[*PE2-GigabitEthernet0/2/17] port link-type trunk

[*PE2-GigabitEthernet0/2/17] port trunk allow-pass vlan 10 20

[*PE2-GigabitEthernet0/2/17] undo shutdown

[*PE2-GigabitEthernet0/2/17] quit

[*PE2] commit

Verify the configuration.
Hosts of company 1 in different offices but the same VLAN can ping each other.

Hosts of company 2 in different offices but the same VLAN can ping each other.

Hosts of company 1 cannot ping hosts of company 2.

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/2/9
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 20
#
interface GigabitEthernet0/2/17
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/2/4
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

PE2 configuration file

#
 sysname PE2
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 20
#
interface GigabitEthernet0/2/9
 undo shutdown
 portswitch
 port link-type dot1q-tunnel
 port default vlan 10
#
interface GigabitEthernet0/2/17
 undo shutdown
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Example for Configuring the Compatibility of the EtherType Field in the Outer Tag of QinQ Packets

This example shows how to configure the EtherType of an outer tag to enable the interworking between Huawei devices and non-Huawei devices.

Networking Requirements

PE2 is a Huawei device. PE1 and CE1 are non-Huawei devices. CE2 is a non-Huawei switch. Figure 1-386 shows the networking and the EtherType value in the outer tag of QinQ packets. In this situation, you can enable Huawei devices and non-Huawei devices to interwork with each other by setting the EtherType value in the outer tag of the interface on PE2.

Figure 1-386 Networking of configuring the compatibility of the EtherType field in the outer tag of QinQ packets

Interfaces 1 and 2 in this example represent GE0/2/0 and GE0/2/8, respectively.

Device Name	EtherType Value in the Outer Tag	Device Name	EtherType Value in the Outer Tag
PE1	0x9100	CE1	0x8100
PE2	0x8100	CE2	0x9100

Configuration Roadmap

The configuration roadmap is as follows:

Switch PE2's interfaces connected to the CEs into Layer 2 interfaces to ensure Layer 2 connectivity.
Configure the compatibility of the EtherType field in the outer tag of QinQ packets on PE2's interface that connects to CE2 to ensure that the Huawei device and non-Huawei device can interwork with each other.

Data Preparation

To complete the configuration, you need the following data:

Names of the physical interfaces through which PE2 connects to non-Huawei devices
EtherType encapsulation value in the outer tag of non-Huawei devices

Procedure

Switch PE2's interfaces connected to CEs to Layer 2 interfaces.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface gigabitethernet 0/2/0

[*PE2-GigabitEthernet0/2/0] portswitch

[*PE2-GigabitEthernet0/2/0] undo shutdown

[*PE2-GigabitEthernet0/2/0] quit

[*PE2] interface gigabitethernet 0/2/8

[*PE2-GigabitEthernet0/2/8] portswitch

[*PE2-GigabitEthernet0/2/8] undo shutdown

[*PE2-GigabitEthernet0/2/8] quit

[*PE2] commit

Configure the compatibility of the EtherType field in the outer tag of QinQ packets on the interface of PE2 that connects to CE2.

[~PE2] interface gigabitethernet 0/2/0

[*PE2-GigabitEthernet0/2/0] qinq protocol 9100

[*PE2-GigabitEthernet0/2/0] quit

[*PE2] commit

Verify the configuration.

After the configurations are complete, run the display this command on GE 0/2/0 of PE2. The command output shows the information of the interface.

Run the display interface interface-type interface-number command on PE2. The command output shows the EtherType value of the outer VLAN tag.

[~PE2] display interface gigabitethernet0/2/0

GigabitEthernet0/2/0 current state : UP
Line protocol current state : UP (ifindex: 12)
Switch Port, TPID : 9100(Hex), The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc12-3456
Last physical up time   : 0000-00-00 00:00:00
Last physical down time : 0000-00-00 00:00:00
Current system time: 2012-06-28 03:59:19
Statistics last cleared:never
    Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
    Input peak rate 0 bits/sec, Record time: -
    Output peak rate 0 bits/sec, Record time: -
    Input: 0 bytes, 0 packets
    Output: 0 bytes, 0 packets
    Input:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 0 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets, InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 0 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
      System: 0 packets, Overruns: 0 packets
      TxPause: 0 packets
    Last 300 seconds input utility rate:  0.00%
    Last 300 seconds output utility rate: 0.00%

PE2 configuration file

#
 sysname PE2
#
interface GigabitEthernet 0/2/0
 portswitch
 undo shutdown
 qinq protocol 9100
#
interface GigabitEthernet 0/2/8
 portswitch
 undo shutdown
#
return

Example for Configuring QinQ-based VLAN Tag Swapping for VPLS Access

After QinQ-based VLAN tag swapping is configured on an interface, the interface swaps the inner and outer virtual local area network (VLAN) tags carried in double-tagged packets when receiving them. This configuration does not take effect on single-tagged packets.

Networking Requirements

On the network shown in Figure 1-387, customers 1 to 1000 have three types of services: unicast high-speed Internet (HSI) services, unicast Voice over Internet Protocol (VoIP) services, and multicast Internet Protocol television (IPTV) services.

When customers 1 to 1000 send both unicast and multicast services, CE1 adds to user packets inner VLAN tags indicating the services, and CE3 adds to user packets outer VLAN tags indicating the users. QinQ-based VLAN tag swapping needs to be configured on the user-end provider edge (UPE) to swap the inner and outer VLAN tags in double-tagged packets. As such, the outer tags in the packets indicate the services, and the inner tags indicate the users.

QinQ VLAN tag termination sub-interfaces are created on the UPE based on double VLAN tags in packets from the CE3, and the UPE provides virtual private LAN service (VPLS) access to services through these sub-interfaces.

Provide VPLS access for unicast services.

Create subinterface 1 on the UPE to provide VPLS access for HSI and VoIP services (customer VLANs 1–1000, service VLAN 7) and configure subinterface 1 as a QinQ VLAN tag termination sub-interface in symmetrical mode to terminate the outer VLAN tags of packets. The inner VLAN tags of packets are transparently transmitted to the provider edge-access aggregation gateway (PE-AGG).

Configure subinterface 1 on the PE-AGG as a QinQ VLAN tag termination sub-interface in symmetrical mode. After receiving packets from the UPE, subinterface 1 adds a VLAN tag to each packet and forwards the packets to the Service point of presence (POP).
Provide VPLS access for multicast services.

Create subinterface 2 on the UPE to provide VPLS access for IPTV services (customer VLANs 1–1000, service VLAN 8) and configure subinterface 2 as a QinQ VLAN tag termination sub-interface in asymmetrical mode to terminate the inner and outer VLAN tags of packets.

Configure subinterface 2 on the PE-AGG as a QinQ VLAN tag termination sub-interface in asymmetrical mode. After receiving packets from the UPE, subinterface 2 adds the service VLAN 8 to the packets and forwards the packets to the Service POP.

Figure 1-387 Networking for configuring QinQ-based VLAN tag swapping for VPLS access

Interfaces 1 through 4, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/2/1, GE 0/2/2, GE 0/2/3, GE 0/2/4, GE0/2/1.1, and GE0/2/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure QinQ so that packets received by edge devices on the VPLS network carry double tags.
Configure an Interior Gateway Protocol (IGP) on the Multiprotocol Label Switching (MPLS) backbone network.
Enable basic MPLS functions and Label Distribution Protocol (LDP) on the MPLS backbone network.
Enable MPLS Layer 2 virtual private network (L2VPN).
Create virtual switching instances (VSIs) and specify LDP as the signaling protocol of the VSIs.
Configure VLAN tag swapping and QinQ VLAN tag termination sub-interfaces, and bind the AC interfaces to the VSIs.
Enable Internet Group Management Protocol (IGMP) snooping and configure the static router interface and querier.

Data Preparation

To complete the configuration, you need the following data:

IDs of inner VLAN tags that CE1 and CE2 add to packets to distinguish services
IDs of outer VLAN tags that the CE3 adds to packets to distinguish users
IP address of each interface
VSI ID (which is the same on the UPE and PE-AGG)
MPLS LSR IDs on the UPE and PE-AGG
VSI names on the UPE and PE-AGG
Names of interfaces bound to the VSIs

Procedure

Configure QinQ so that CE3 sends double-tagged packets to the UPE.

Switch Layer 3 interfaces to Layer 2 interfaces.

If the interface is a Layer 2 interface, skip this step.

# Configure CE1.

<*HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/2/1

[*CE1-GigabitEthernet0/2/1] portswitch

[*CE1-GigabitEthernet0/2/1] undo shutdown

[*CE1-GigabitEthernet0/2/1] quit

[*CE1] interface gigabitethernet 0/2/2

[*CE1-GigabitEthernet0/2/2] portswitch

[*CE1-GigabitEthernet0/2/2] undo shutdown

[*CE1-GigabitEthernet0/2/2] quit

[*CE1] interface gigabitethernet 0/2/3

[*CE1-GigabitEthernet0/2/3] portswitch

[*CE1-GigabitEthernet0/2/3] undo shutdown

[*CE1-GigabitEthernet0/2/3] quit

[*CE1] interface gigabitethernet 0/2/4

[*CE1-GigabitEthernet0/2/4] portswitch

[*CE1-GigabitEthernet0/2/4] undo shutdown

[*CE1-GigabitEthernet0/2/4] commit

[~CE1-GigabitEthernet0/2/4] quit

The configurations on CE2 are the same as those on CE1. For details, see "Configuration Files."

# Configure CE3.

<*HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] portswitch

[*CE3-GigabitEthernet0/2/1] undo shutdown

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] interface gigabitethernet 0/2/2

[*CE3-GigabitEthernet0/2/2] portswitch

[*CE3-GigabitEthernet0/2/2] undo shutdown

[*CE3-GigabitEthernet0/2/2] quit

[*CE3] interface gigabitethernet 0/2/3

[*CE3-GigabitEthernet0/2/3] portswitch

[*CE3-GigabitEthernet0/2/3] undo shutdown

[*CE3-GigabitEthernet0/2/3] commit

[~CE3-GigabitEthernet0/2/3] quit

Configure QinQ.

# Configure CE1.

[*CE1] vlan 7

[*CE1-vlan7] port gigabitethernet 0/2/1

[*CE1-vlan7] port gigabitethernet 0/2/2

[*CE1-vlan7] quit

[*CE1] vlan 8

[*CE1-vlan8] port gigabitethernet 0/2/3

[*CE1-vlan8] quit

[*CE1] interface gigabitethernet 0/2/4

[*CE1-GigabitEthernet0/2/4] port trunk allow-pass vlan 7 8

[*CE1-GigabitEthernet0/2/4] undo shutdown

[*CE1-GigabitEthernet0/2/4] commit

[~CE1-GigabitEthernet0/2/4] quit

The configurations on CE2 are the same as those on CE1. For details, see "Configuration Files."

# Configure CE3.

[*CE3] vlan batch 1 to 1000

[*CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] port vlan-stacking vlan 7 to 8 stack-vlan 1

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] interface gigabitethernet 0/2/2

[*CE3-GigabitEthernet0/2/2] port vlan-stacking vlan 7 to 8 stack-vlan 1000

[*CE3-GigabitEthernet0/2/2] quit

[*CE3] interface gigabitethernet 0/2/3

[*CE3-GigabitEthernet0/2/3] port trunk allow-pass vlan 1 to 1000

[*CE3-GigabitEthernet0/2/3] commit

[~CE3-GigabitEthernet0/2/3] quit

Configure an IGP on the MPLS backbone network. In this example, Intermediate System to Intermediate System (IS-IS) is used.

Configure IP addresses for interfaces on the UPE and PE-AGG. Enable IS-IS on the loopback interfaces of these devices.

# Configure the UPE.

<*HUAWEI> system-view

[~HUAWEI] sysname UPE

[*HUAWEI] commit

[~UPE] isis 1

[*UPE-isis-1] is-level level-2

[*UPE-isis-1] network-entity 49.0010.0100.1009.00

[*UPE-isis-1] quit

[*UPE] interface loopback 1

[*UPE-LoopBack1] ip address 1.1.1.9 32

[*UPE-LoopBack1] isis enable 1

[*UPE-LoopBack1] quit

[*UPE] interface gigabitethernet 0/2/2

[*UPE-GigabitEthernet0/2/2] ip address 10.1.1.1 30

[*UPE-GigabitEthernet0/2/2] isis enable 1

[*UPE-GigabitEthernet0/2/2] commit

[~UPE-GigabitEthernet0/2/2] quit

# Configure the PE-AGG.

<*HUAWEI> system-view

[~HUAWEI] sysname PE-AGG

[*HUAWEI] commit

[~PE-AGG] isis 1

[*PE-AGG-isis-1] is-level level-2

[*PE-AGG-isis-1] network-entity 49.0020.0200.1009.00

[*PE-AGG-isis-1] quit

[*PE-AGG] interface LoopBack 1

[*PE-AGG-LoopBack1] ip address 2.2.2.9 32

[*PE-AGG-LoopBack1] isis enable 1

[*PE-AGG-LoopBack1] quit

[*PE-AGG] interface gigabitethernet 0/2/1

[*PE-AGG-GigabitEthernet0/2/1] ip address 10.1.1.2 30

[*PE-AGG-GigabitEthernet0/2/1] isis enable 1

[*PE-AGG-GigabitEthernet0/2/1] commit

[~PE-AGG-GigabitEthernet0/2/1] quit

After the configurations are complete, IS-IS discovers IP routes to Loopback 1 of the UPE and PE-AGG, and the two devices can ping each other.

The command output on the UPE is provided as an example.

<UPE> display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: Public
         Destinations : 9       Routes : 9

Destination/Mask    Proto    Pre  Cost   Flags NextHop         Interface

        1.1.1.9/32  Direct   0    0      D   127.0.0.1       LoopBack1
        2.2.2.9/32  ISIS-L2  15   10     D   10.1.1.2        GigabitEthernet0/2/1
       10.1.1.0/24  Direct   0    0      D   10.1.1.1        GigabitEthernet0/2/2
       10.1.1.1/32  Direct   0    0      D   127.0.0.1       GigabitEthernet0/2/2
     10.1.1.255/32  Direct   0    0      D   127.0.0.1       GigabitEthernet0/2/2
       127.0.0.0/8  Direct   0    0      D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct   0    0      D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct   0    0      D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct   0    0      D   127.0.0.1       InLoopBack0

Enable basic MPLS functions and LDP on the MPLS backbone network.

# Configure the UPE.

[*UPE] mpls lsr-id 1.1.1.9

[*UPE] mpls

[*UPE-mpls] quit

[*UPE] mpls ldp

[*UPE-mpls-ldp] quit

[*UPE] interface gigabitethernet 0/2/2

[*UPE-GigabitEthernet0/2/2] mpls

[*UPE-GigabitEthernet0/2/2] mpls ldp

[*UPE-GigabitEthernet0/2/2] commit

[~UPE-GigabitEthernet0/2/2] quit

# Configure the PE-AGG.

[*PE-AGG] mpls lsr-id 2.2.2.9

[*PE-AGG] mpls

[*PE2-mpls] quit

[*PE-AGG] mpls ldp

[*PE-AGG-mpls-ldp] quit

[*PE-AGG] interface gigabitethernet 0/2/1

[*PE-AGG-GigabitEthernet0/2/1] mpls

[*PE-AGG-GigabitEthernet0/2/1] mpls ldp

[*PE-AGG-GigabitEthernet0/2/1] commit

[~PE-AGG-GigabitEthernet0/2/1] quit

After the configurations are complete, an LDP session is established between the UPE and PE-AGG. The display mpls ldp session command output shows that the Status field is Operational.

The command output on the UPE is provided as an example.

<UPE> display mpls ldp session

LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:20:19  4880/4880
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

If the UPE and PE-AGG are not directly connected, run the mpls ldp remote-peer and remote-ip commands on these devices to establish a remote LDP session between them.

Enable MPLS L2VPN on the UPE and PE-AGG.
# Configure the UPE.
```
[*UPE] mpls l2vpn
```
# Configure the PE-AGG.
```
[*PE-AGG] mpls l2vpn
```

Create VSIs and specify LDP as the signaling protocol of VSIs.

# Configure the UPE.

[*UPE] vsi ldp1 static

[*UPE-vsi-ldp1] pwsignal ldp

[*UPE-vsi-ldp1-ldp] vsi-id 1

[*UPE-vsi-ldp1-ldp] peer 2.2.2.9

[*UPE-vsi-ldp1-ldp] quit

[*UPE-vsi-ldp1] quit

[*UPE] vsi ldp2 static

[*UPE-vsi-ldp2] pwsignal ldp

[*UPE-vsi-ldp2-ldp] vsi-id 2

[*UPE-vsi-ldp2-ldp] peer 2.2.2.9

[*UPE-vsi-ldp2-ldp] commit

[~UPE-vsi-ldp2-ldp] quit

[*UPE-vsi-ldp2] quit

# Configure the PE-AGG.

[*PE-AGG] vsi ldp1 static

[*PE-AGG-vsi-ldp1] pwsignal ldp

[*PE-AGG-vsi-ldp1-ldp] vsi-id 1

[*PE-AGG-vsi-ldp1-ldp] peer 1.1.1.9

[*PE-AGG-vsi-ldp1-ldp] quit

[*PE-AGG-vsi-ldp1] quit

[*PE-AGG] vsi ldp2 static

[*PE-AGG-vsi-ldp2] pwsignal ldp

[*PE-AGG-vsi-ldp2-ldp] vsi-id 2

[*PE-AGG-vsi-ldp2-ldp] peer 1.1.1.9

[*PE-AGG-vsi-ldp2-ldp] commit

[~PE-AGG-vsi-ldp2-ldp] quit

[*PE-AGG-vsi-ldp12] quit

Configure VLAN tag swapping on AC interfaces on the UPE, configure QinQ VLAN tag termination sub-interfaces on the UPE and PE-AGG, and bind the VSIs to the AC sub-interfaces on the UPE and PE-AGG.

# Configure the UPE.

[*UPE] interface gigabitethernet 0/2/1

[*UPE-GigabitEthernet0/2/1] vlan-swap enable

[*UPE-GigabitEthernet0/2/1] quit

[*UPE] interface gigabitethernet 0/2/1.1

[*UPE-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*UPE-GigabitEthernet0/2/1.1] qinq termination l2 symmetry

[*UPE-GigabitEthernet0/2/1.1] qinq termination pe-vid 7 ce-vid 1 to 1000

[*UPE-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*UPE-GigabitEthernet0/2/1.1] quit

[*UPE] interface gigabitethernet 0/2/1.2

[*UPE-GigabitEthernet0/2/1.2] control-vid 2 qinq-termination

[*UPE-GigabitEthernet0/2/1.2] qinq termination pe-vid 8 ce-vid 1 to 1000

[*UPE-GigabitEthernet0/2/1.2] l2 binding vsi ldp2

[*UPE-GigabitEthernet0/2/1.2] commit

[~UPE-GigabitEthernet0/2/1.2] quit

# Configure the PE-AGG.

[*PE-AGG] interface gigabitethernet 0/2/2.1

[*PE-AGG-GigabitEthernet0/2/2.1] control-vid 1 qinq-termination

[*PE-AGG-GigabitEthernet0/2/2.1] qinq termination l2 symmetry

[*PE-AGG-GigabitEthernet0/2/2.1] qinq termination pe-vid 7 ce-vid 1 to 1000

[*PE-AGG-GigabitEthernet0/2/2.1] l2 binding vsi ldp1

[*PE-AGG-GigabitEthernet0/2/2.1] undo shutdown

[*PE-AGG-GigabitEthernet0/2/2.1] quit

[*PE-AGG] interface gigabitethernet 0/2/2.2

[*PE-AGG-GigabitEthernet0/2/2.2] control-vid 2 qinq-termination

[*PE-AGG-GigabitEthernet0/2/2.2] qinq termination pe-vid 8 ce-vid 1 to 1000

[*PE-AGG-GigabitEthernet0/2/2.2] l2 binding vsi ldp2

[*PE-AGG-GigabitEthernet0/2/2.2] undo shutdown

[*PE-AGG-GigabitEthernet0/2/2.2] commit

[~PE-AGG-GigabitEthernet0/2/2.2] quit

When you run the qinq termination command on sub-interfaces of the same interface and specify the same pe-vid value on the sub-interfaces, the ce-vid value ranges must be different.

After the configurations are complete, run the display vsi name ldp1 verbose command on the UPE. The command output shows that a PW has been established between the VSI named ldp1 and the PE-AGG and that VSI is Up.

[UPE] display vsi name ldp1 verbose

***VSI Name               : ldp1
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    Flow Label             : disable
    Create Time            : 0 days, 20 hours, 41 minutes, 53 seconds
    VSI State              : up
    Resource Status        : Valid

    VSI ID                 : 1
   *Peer Router ID         : 2.2.2.9
    VC Label               : 211968
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x90014010
    Broadcast Tunnel ID    : 0x90014010
    Broad BackupTunnel ID  : 0x0
    CKey                   : 11
    NKey                   : 10
    StpEnable              : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/2/1.1
    State                  : up
    Last Up Time           : 2010/01/07 13:54:52
    Total Up Time          : 0 days, 3 hours, 6 minutes, 23 seconds

   **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 211968
    Remote VC Label        : 294912
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x90014010
    Broadcast Tunnel ID    : 0x90014010
    Broad BackupTunnel ID  : 0x0
    Ckey                   : 0xb
    Nkey                   : 0xa
    Main PW Token          : 0x90014010
    Slave PW Token         : 0x0
    Tnl Type               : LSP
    OutInterface           : GigabitEthernet0/2/2
    Backup OutInterface    :
    Stp Enable             : 0
    Mac Flapping           : 0
    Flow Label             : disable
    PW Last Up Time        : 2010/01/07 14:09:29
    PW Total Up Time       : 0 days, 20 hours, 22 minutes, 2 seconds

Enable IGMP snooping on the UPE and PE-AGG, configure the PW on the UPE as a static router interface, and configure a querier on the PE-AGG. Use default values for parameters of the querier.

# Configure the UPE.

[*UPE] igmp-snooping enable

[*UPE] vsi ldp2

[*UPE-vsi-ldp2] igmp-snooping enable

[*UPE-vsi-ldp2] igmp-snooping version 3

[*UPE-vsi-ldp2] igmp-snooping static-router-port remote-peer 2.2.2.9

[*UPE-vsi-ldp2] commit

[~UPE-vsi-ldp2] quit

# Configure the PE-AGG.

[*PE-AGG] igmp-snooping enable

[*PE-AGG] vsi ldp2

[*PE-AGG-vsi-ldp2] igmp-snooping enable

[*PE-AGG-vsi-ldp2] igmp-snooping version 3

[*PE-AGG-vsi-ldp2] quit

[*PE-AGG] igmp-snooping send-query enable

[*PE-AGG] vsi ldp2

[*PE-AGG-vsi-ldp2] igmp-snooping querier enable

[*PE-AGG-vsi-ldp2] commit

[~PE-AGG-vsi-ldp2] quit

Run the display igmp-snooping querier vsi command on the PE-AGG to check whether the querier is configured. If the command output shows Enable, the querier is enabled for VSI ldp2.

<PE-AGG> display igmp-snooping querier vsi ldp2

VSI                             Querier-state Querier
---------------------------------------------------------------
ldp2                             Enable       192.168.0.1

Run the display igmp-snooping router-port vsi command on the UPE to check whether the static router interface is configured. If the command output shows STATIC, the PW (2.2.2.9/2) interface is a static router interface.

<UPE> display igmp-snooping router-port vsi ldp2

Port Name                       UpTime        Expires       Flags
 ---------------------------------------------------------------------
 VSI ldp2, 1 router-port(s)
 PW(2.2.2.9/2)                   01:18:10      --            STATIC | DYNAMIC

Verify the configuration.

Run the display qinq information termination interface command to view information about QinQ VLAN tag termination sub-interfaces.

The command output on the UPE is provided as an example.

<UPE> display qinq information termination interface gigabitethernet 0/2/1

GigabitEthernet0/2/1.1
    VSI bound
    qinq termination l2 symmetry
    Total QinQ Num: 1
      qinq termination pe-vid 7 ce-vid 1
    Total vlan-group Num: 0
    control-vid 1 qinq-termination
    vlan-swap enable
GigabitEthernet0/2/1.2
    VSI bound
    Total QinQ Num: 1
      qinq termination pe-vid 7 ce-vid 1
    Total vlan-group Num: 0
    control-vid 1 qinq-termination
    vlan-swap enable

After a member joins a multicast group, run the display igmp-snooping port-info command on the UPE to view information about the Layer 2 multicast interface.

<UPE> display igmp-snooping port-info

 -----------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -----------------------------------------------------------------------
 VSI ldp2, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)  GE0/2/1.2(PE:8/CE:1000)       -D-
                                                    1 port(s)
 -----------------------------------------------------------------------

<UPE> display igmp-snooping port-info slot 2

 -----------------------------------------------------------------------------------
  Flag: S:Static     D:Dynamic     M:Ssm-mapping
        A:Active     P:Protocol    F:Fast-channel                                
                    (Source, Group)  Port                                      Flag
 -----------------------------------------------------------------------
 VSI ldp2, 1 Entry(s)
                (1.1.1.1, 234.1.1.1)                                P--
                                      GE0/2/111.2(PE:8/CE:1000)       -D-
                                                1 port(s) include
 -----------------------------------------------------------------------

Configuration Files

CE1 configuration file

 sysname CE1

 vlan batch 7 to 8

 interface gigabitethernet 0/2/1

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/2/2

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/2/3

 undo shutdown

 portswitch

 port default vlan 8

 interface gigabitethernet 0/2/4

 undo shutdown

 portswitch

 port trunk allow-pass vlan 7 to 8

 return

CE2 configuration file

 sysname CE2

 vlan batch 7 to 8

 interface gigabitethernet 0/2/1

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/2/2

 undo shutdown

 portswitch

 port default vlan 7

 interface gigabitethernet 0/2/3

 undo shutdown

 portswitch

 port default vlan 8

 interface gigabitethernet 0/2/4

 undo shutdown

 portswitch

 port trunk allow-pass vlan 7 to 8

 return

CE3 configuration file

 sysname CE3

 vlan batch 1 to 1000

 interface gigabitethernet 0/2/1

 undo shutdown

 portswitch

 port vlan-stacking vlan 7 to 8 stack-vlan 1

 interface gigabitethernet 0/2/2

 undo shutdown

 portswitch

 port vlan-stacking vlan 7 to 8 stack-vlan 1000

 interface gigabitethernet 0/2/3

 undo shutdown

 portswitch

 port trunk allow-pass vlan 1 to 1000

 return

UPE configuration file

 sysname UPE

 igmp-snooping enable

 mpls lsr-id 1.1.1.9

 mpls

 mpls l2vpn

 vsi ldp1 static

  pwsignal ldp

   vsi-id 1

   peer 2.2.2.9

 vsi ldp2 static

  pwsignal ldp

   vsi-id 2

   peer 2.2.2.9

  admin-vsi

   igmp-snooping enable

   igmp-snooping version 3

   igmp-snooping static-router-port remote-peer 2.2.2.9

 mpls ldp

 isis 1

  is-level level-2

  network-entity 49.0010.0100.1009.00

 interface GigabitEthernet0/2/1

 undo shutdown

 interface GigabitEthernet0/2/1.1

 encapsulation qinq-termination

 vlan-swap enable

 qinq termination l2 symmetry

 qinq termination pe-vid 7 ce-vid 1 to 1000

 l2 binding vsi ldp1

 interface GigabitEthernet0/2/1.2

 encapsulation qinq-termination

 vlan-swap enable

 qinq termination pe-vid 8 ce-vid 1 to 1000

 l2 binding vsi ldp2

 interface GigabitEthernet0/2/2

  undo shutdown

  ip address 10.1.1.1 255.255.255.252

  isis enable 1

  mpls

  mpls ldp

 interface LoopBack1

  ip address 1.1.1.9 255.255.255.255

  isis enable 1

return

PE-AGG configuration file

 sysname PE-AGG

 igmp-snooping enable

 igmp-snooping send-query enable

 mpls lsr-id 2.2.2.9

 mpls

 mpls l2vpn

 vsi ldp1 static

  pwsignal ldp

   vsi-id 1

   peer 1.1.1.9

 vsi ldp2 static

  pwsignal ldp

   vsi-id 2

   peer 1.1.1.9

   igmp-snooping enable

   igmp-snooping version 3

   igmp-snooping querier enable

 mpls ldp

 isis 1

  is-level level-2

  network-entity 49.0020.0200.1009.00

 interface GigabitEthernet0/2/1

  undo shutdown

  ip address 10.1.1.2 255.255.255.252

  isis enable 1

  mpls

  mpls ldp

 interface GigabitEthernet0/2/2

  undo shutdown

 interface GigabitEthernet0/2/2.1

  encapsulation qinq-termination

  qinq termination l2 symmetry

  qinq termination pe-vid 7 ce-vid 1 to 1000

  l2 binding vsi ldp1

 interface GigabitEthernet0/2/2.2

  encapsulation qinq-termination

  qinq termination pe-vid 8 ce-vid 1 to 1000

  l2 binding vsi ldp2

 interface LoopBack1

  ip address 2.2.2.9 255.255.255.255

  isis enable 1

 return

Example for Configuring a Dot1q VLAN Tag Termination Sub-interface to Support Proxy ARP

This example shows how to configure a dot1q VLAN tag termination sub-interface to support proxy ARP, and how to enable the interworking between users who are on the same network segment but different VLANs.

Networking Requirements

A range of VLANs can connect to a network segment using VLAN tag termination sub-interfaces. However, if users on the same network segment belong to different VLANs, these users cannot communicate at Layer 2, and rely on IP forwarding at Layer 3 to communicate with each other. You can configure VLAN tag termination sub-interfaces to support proxy ARP so that users from different VLANs can communicate.

On the network shown in Figure 1-388, the PE connects to the CE through an Ethernet sub-interface; the CE connects to both PC1 and PC2. PC1 and PC2 belong to the same network segment but are on different VLANs. PC1 and PC2 have no default gateway. In this situation, you can configure GE 0/2/1.1 on the PE as a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface so that PC1 and PC2 can communicate.

Figure 1-388 Typical networking for configuring the dot1q VLAN tag termination sub-interface to support proxy ARP

Interfaces 1 through 3 and subinterface1.1 in this example represent GE0/2/1, GE0/2/2, GE0/2/3, and GE0/2/1.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Create VLANs on the CE and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on the CE and allows packets from user VLANs to pass through.
Configure a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface on the PE so that users from different VLANs can communicate.

Data Preparation

To complete the configuration, you need the following data:

User VLAN IDs
User IP addresses
Names of interfaces that connect the PE and the CE
Names of interfaces that connect the CE to PCs

Procedure

Create a VLAN on the CE and associate a Layer 2 interface with the VLAN.

<HUAWEI> system-view

[~HUAWEI] sysname CE

[*HUAWEI] commit

[~CE] vlan batch 10 20

[*CE] interface gigabitethernet 0/2/1

[*CE-GigabitEthernet0/2/1] portswitch

[*CE-GigabitEthernet0/2/1] undo shutdown

[*CE-GigabitEthernet0/2/1] port link-type access

[*CE-GigabitEthernet0/2/1] port default vlan 10

[*CE-GigabitEthernet0/2/1] quit

[*CE] interface gigabitethernet 0/2/2

[*CE-GigabitEthernet0/2/2] portswitch

[*CE-GigabitEthernet0/2/2] undo shutdown

[*CE-GigabitEthernet0/2/2] port link-type access

[*CE-GigabitEthernet0/2/2] port default vlan 20

[*CE-GigabitEthernet0/2/2] quit

[*CE] commit

Configure Layer 2 forwarding on the CE.

[~CE] interface gigabitethernet 0/2/3

[*CE-GigabitEthernet0/2/3] portswitch

[*CE-GigabitEthernet0/2/3] undo shutdown

[*CE-GigabitEthernet0/2/3] port link-type trunk

[*CE-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*CE-GigabitEthernet0/2/3] quit

[*CE] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a dot1q VLAN tag termination sub-interface and enable proxy ARP on the sub-interface on the PE.

<HUAWEI> system-view

[~HUAWEI] sysname PE

[*HUAWEI] commit

[~PE] interface gigabitethernet 0/2/1

[*PE-GigabitEthernet0/2/1] undo shutdown

[*PE] interface gigabitethernet 0/2/1.1

[*PE-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE-GigabitEthernet0/2/1.1] dot1q termination vid 20

[*PE-GigabitEthernet0/2/1.1] ip address 10.1.1.254 24

[*PE-GigabitEthernet0/2/1.1] arp-proxy inter-sub-vlan-proxy enable

[*PE-GigabitEthernet0/2/1.1] arp broadcast enable

[*PE-GigabitEthernet0/2/1.1] quit

[*PE] commit

Verify the configuration.
Verify that PC1 can ping PC2.

Check the ARP table on PC1. If the MAC address of PC2 is the MAC address of GE 0/2/1 on the PE, the configuration is correct.

Configuration Files

PE configuration file

#
 sysname PE
#
interface GigabitEthernet0/2/1
 undo shutdown
interface GigabitEthernet0/2/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 ip address 10.1.1.254 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
 arp broadcast enable
#
return

CE configuration file

#
 sysname CE
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-interface to Access an L3VPN

This section describes how to configure a dot1q VLAN tag termination sub-interface to provide Layer 3 virtual private network (L3VPN) access and how to ensure that users communicate over the L3VPN using single-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

On the network shown in Figure 1-389, the CEs connect to the PEs through the routers, and the routers access the L3VPN through dot1q VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry one VLAN tag. To ensure that user networks on which CE1 and CE2 reside can communicate and that user networks on which CE3 and CE4 reside can communicate, configure dot1q VLAN tag termination sub-interfaces on PE1 and PE2 and bind these sub-interfaces to virtual private network (VPN) instances to provide L3VPN access.

Figure 1-389 Typical networking for configuring the dot1q VLAN tag termination sub-interface to provide L3VPN access

Interfaces 1 through 3, subinterface1.1, and subinterface1.2 in this example represent GE0/2/1, GE0/2/2, GE0/2/3, GE0/2/1.1, and GE0/2/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses for interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs on Device A and Device B and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on Device A and Device B so that packets sent by Device A to PE1 and packets sent by Device B to PE2 carry one VLAN tag.
Configure L3VPN services on PE1, the P, and PE2, configure dot1q VLAN tag termination sub-interfaces on PE1 and PE2, and bind these sub-interfaces to VPN instances so that users can communicate over the L3VPN.
1. Configure a routing protocol on PE1, the P, and PE2 to ensure Layer 3 connectivity.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on PE1, the P, and PE2 and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Configure VPN instances and dot1q VLAN tag termination sub-interfaces on PE1 and PE2, bind these sub-interfaces to the VPN instances to provide L3VPN access.
4. Establish a Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationship between the PEs so that users in the same VPN instance can communicate.
5. Establish External BGP (EBGP) peer relationships between the PEs and CEs to exchange VPN routes so that the CEs can communicate.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers to the CEs
Names and IP addresses of the interfaces that connect the PEs to the CEs
Names and IP addresses of the interfaces that connect PE1 and PE2
MPLS LSR IDs of the PEs and P, names of VPN instances on the PEs, and VPN targets of VPN routes

Procedure

Configure IP addresses for interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/2/1

[*CE1-GigabitEthernet0/2/1] undo shutdown

[*CE1-GigabitEthernet0/2/1] ip address 10.1.1.2 24

[*CE1-GigabitEthernet0/2/1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/2/1

[*CE2-GigabitEthernet0/2/1] undo shutdown

[*CE2-GigabitEthernet0/2/1] ip address 10.2.1.2 24

[*CE2-GigabitEthernet0/2/1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] undo shutdown

[*CE3-GigabitEthernet0/2/1] ip address 10.3.1.2 24

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/2/1

[*CE4-GigabitEthernet0/2/1] undo shutdown

[*CE4-GigabitEthernet0/2/1] ip address 10.4.1.2 24

[*CE4-GigabitEthernet0/2/1] quit

[*CE4] commit

Create VLANs on the routers and associate Layer 2 interfaces with the VLANs.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/2/1

[*DeviceA-GigabitEthernet0/2/1] undo shutdown

[*DeviceA-GigabitEthernet0/2/1] portswitch

[*DeviceA-GigabitEthernet0/2/1] port link-type access

[*DeviceA-GigabitEthernet0/2/1] port default vlan 10

[*DeviceA-GigabitEthernet0/2/1] quit

[*DeviceA] interface gigabitethernet 0/2/2

[*DeviceA-GigabitEthernet0/2/2] undo shutdown

[*DeviceA-GigabitEthernet0/2/2] portswitch

[*DeviceA-GigabitEthernet0/2/2] port link-type access

[*DeviceA-GigabitEthernet0/2/2] port default vlan 20

[*DeviceA-GigabitEthernet0/2/2] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/2/1

[*DeviceB-GigabitEthernet0/2/1] undo shutdown

[*DeviceB-GigabitEthernet0/2/1] portswitch

[*DeviceB-GigabitEthernet0/2/1] port link-type access

[*DeviceB-GigabitEthernet0/2/1] port default vlan 10

[*DeviceB-GigabitEthernet0/2/1] quit

[*DeviceB] interface gigabitethernet 0/2/2

[*DeviceB-GigabitEthernet0/2/2] undo shutdown

[*DeviceB-GigabitEthernet0/2/2] portswitch

[*DeviceB-GigabitEthernet0/2/2] port link-type access

[*DeviceB-GigabitEthernet0/2/2] port default vlan 20

[*DeviceB-GigabitEthernet0/2/2] quit

[*DeviceB] commit

Configure Layer 2 forwarding on the routers.

# Configure Device A.

[~DeviceA] interface gigabitethernet 0/2/3

[*DeviceA-GigabitEthernet0/2/3] undo shutdown

[*DeviceA-GigabitEthernet0/2/3] portswitch

[*DeviceA-GigabitEthernet0/2/3] port link-type trunk

[*DeviceA-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/2/3] quit

[*DeviceA] commit

# Configure Device B.

[~DeviceB] interface gigabitethernet 0/2/3

[*DeviceB-GigabitEthernet0/2/3] undo shutdown

[*DeviceB-GigabitEthernet0/2/3] portswitch

[*DeviceB-GigabitEthernet0/2/3] port link-type trunk

[*DeviceB-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/2/3] quit

[*DeviceB] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure an L3VPN.

Configure OSPF on PE1, the P, and PE2.

Assign an IP address to each interface on the PEs and P. Make sure that the 32-bit loopback addresses of PE1, the P, and PE2 are advertised after OSPF is enabled.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/2/2] undo shutdown

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure the P.

<HUAWEI> system-view

[~HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface LoopBack 1

[*P-LoopBack1] ip address 2.2.2.9 32

[*P-LoopBack1] quit

[*P] interface gigabitethernet 0/2/1

[*P-GigabitEthernet0/2/1] ip address 192.168.1.2 24

[*P-GigabitEthernet0/2/1] undo shutdown

[*P-GigabitEthernet0/2/1] quit

[*P] interface gigabitethernet 0/2/2

[*P-GigabitEthernet0/2/2] ip address 192.168.2.1 24

[*P-GigabitEthernet0/2/2] undo shutdown

[*P-GigabitEthernet0/2/2] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] quit

[*P] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 1

[*PE2-LoopBack1] ip address 3.3.3.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/2/2] undo shutdown

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

After the configurations are complete, PE1 and PE2 have OSPF routes to the loopback interface of each other. PE1 and PE2 can ping each other.

The following example uses the command output on PE1.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 11       Routes : 11

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/2/2
        3.3.3.9/32  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/2/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
    192.168.2.0/24  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=2 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/5 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] mpls

[*PE1-GigabitEthernet0/2/2] mpls ldp

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] commit

# Configure the P.

[~P] mpls lsr-id 2.2.2.9

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet0/2/1

[*P-GigabitEthernet0/2/1] mpls

[*P-GigabitEthernet0/2/1] mpls ldp

[*P-GigabitEthernet0/2/1] quit

[*P] interface gigabitethernet0/2/2

[*P-GigabitEthernet0/2/2] mpls

[*P-GigabitEthernet0/2/2] mpls ldp

[*P-GigabitEthernet0/2/2] quit

[*P] commit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] mpls

[*PE2-GigabitEthernet0/2/2] mpls ldp

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] commit

After the configurations are complete, LDP sessions are set up between PE1 and the P and between PE2 and the P. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

The following example uses the command output on PE1.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
-------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0         Operational  DU   Passive  0000:00:00   5/5
 3.3.3.9:0         Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

Configure VPN instances and bind the dot1q VLAN tag termination sub-interfaces to these VPN instances.

# Configure PE1.

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1-vpn-instance-vpn1] quit

[*PE1] interface gigabitethernet 0/2/1

[*PE1-GigabitEthernet0/2/1] undo shutdown

[*PE1-GigabitEthernet0/2/1] quit

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE1-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/2/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/2/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 200:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] quit

[*PE1-vpn-instance-vpn2] quit

[*PE1] interface gigabitethernet 0/2/1.2

[*PE1-GigabitEthernet0/2/1.2] control-vid 2 dot1q-termination

[*PE1-GigabitEthernet0/2/1.2] dot1q termination vid 20

[*PE1-GigabitEthernet0/2/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/2/1.2] ip address 10.3.1.1 24

[*PE1-GigabitEthernet0/2/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/2/1.2] quit

[*PE1] commit

# Configure PE2.

[~PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] quit

[*PE2-vpn-instance-vpn1] quit

[*PE2] interface gigabitethernet 0/2/1

[*PE2-GigabitEthernet0/2/1] undo shutdown

[*PE2-GigabitEthernet0/2/1] quit

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE2-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE2-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/2/1.1] ip address 10.2.1.1 24

[*PE2-GigabitEthernet0/2/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/2/1.1] quit

[*PE2] ip vpn-instance vpn2

[*PE2-vpn-instance-vpn2] route-distinguisher 200:2

[*PE2-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE2-vpn-instance-vpn2-af-ipv4] quit

[*PE2-vpn-instance-vpn2] quit

[*PE2] interface gigabitethernet 0/2/1.2

[*PE2-GigabitEthernet0/2/1.2] control-vid 2 dot1q-termination

[*PE2-GigabitEthernet0/2/1.2] dot1q termination vid 20

[*PE2-GigabitEthernet0/2/1.2] ip binding vpn-instance vpn2

[*PE2-GigabitEthernet0/2/1.2] ip address 10.4.1.1 24

[*PE2-GigabitEthernet0/2/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/2/1.2] quit

[*PE2] commit

The vid values of sub-interfaces on a main interface must be different.

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

The following example uses the command output on PE1.

[~PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0
 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/2/1.1
 Address family ipv4
  Create date : 2012-07-18 14:34:48
  Up time : 0 days, 00 hours, 07 minutes and 54 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets : 100:1
  Import VPN Targets : 100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

 VPN-Instance Name and ID : vpn2, 2
  Interfaces : GigabitEthernet0/2/1.2
 Address family ipv4
  Create date : 2012-07-18 14:38:44
  Up time : 0 days, 00 hours, 03 minutes and 58 seconds
  Vrf Status : UP
  Route Distinguisher : 200:2
  Export VPN Targets : 200:2
  Import VPN Targets : 200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] peer 3.3.3.9 as-number 100

[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1

[*PE1-bgp] ipv4-family vpnv4

[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[*PE1-bgp-af-vpnv4] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] peer 1.1.1.9 as-number 100

[*PE2-bgp] peer 1.1.1.9 connect-interface loopback 1

[*PE2-bgp] ipv4-family vpnv4

[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[*PE2-bgp-af-vpnv4] quit

[*PE2-bgp] quit

[*PE2] commit

After the configurations are complete, run the display bgp peer command on the PEs. The command outputs show that a BGP peer relationship is established between the PEs and is in the Established state.

[~PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  3.3.3.9         4         100        4        4     0 00:00:33 Established    0

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.

# Configure CE1.

[~CE1] bgp 65410

[*CE1-bgp] peer 10.1.1.1 as-number 100

[*CE1-bgp] import-route direct

[*CE1-bgp] quit

[*CE1] commit

# Configure CE2.

[~CE2] bgp 65420

[*CE2-bgp] peer 10.2.1.1 as-number 100

[*CE2-bgp] import-route direct

[*CE2-bgp] quit

[*CE2] commit

# Configure CE3.

[~CE3] bgp 65411

[*CE3-bgp] peer 10.3.1.1 as-number 100

[*CE3-bgp] import-route direct

[*CE3-bgp] quit

[*CE3] commit

# Configure CE4.

[~CE4] bgp 65421

[*CE4-bgp] peer 10.4.1.1 as-number 100

[*CE4-bgp] import-route direct

[*CE4-bgp] quit

[*CE4] commit

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] ipv4-family vpn-instance vpn1

[*PE1-bgp-vpn1] peer 10.1.1.2 as-number 65410

[*PE1-bgp-vpn1] import-route direct

[*PE1-bgp-vpn1] quit

[*PE1-bgp] ipv4-family vpn-instance vpn2

[*PE1-bgp-vpn2] peer 10.3.1.2 as-number 65411

[*PE1-bgp-vpn2] import-route direct

[*PE1-bgp-vpn2] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] ipv4-family vpn-instance vpn1

[*PE2-bgp-vpn1] peer 10.2.1.2 as-number 65420

[*PE2-bgp-vpn1] import-route direct

[*PE2-bgp-vpn1] quit

[*PE2-bgp] ipv4-family vpn-instance vpn2

[*PE2-bgp-vpn2] peer 10.4.1.2 as-number 65421

[*PE2-bgp-vpn2] import-route direct

[*PE2-bgp-vpn2] quit

[*PE2-bgp] quit

[*PE2] commit

After the configurations are complete, run the display bgp vpnv4 vpn-instance peer command on the PEs. The command outputs show that BGP peer relationships have been established between the PEs and CEs and are in the Established state.

Use the BGP peer relationship between PE1 and CE1 as an example.

[~PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

 VPN-Instance vpn1, router ID 1.1.1.9:
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS    MsgRcvd  MsgSent  OutQ  Up/Down     State         PrefRcv
  10.1.1.2        4         65410     6        7       0 00:02:58      Established    1

After the configurations are complete, the PEs can ping the CEs connected to them.

If multiple interfaces on a PE are bound to the same VPN instance, to ping the CE connected to the PE, specify the source IP address (namely, -a source-ip-address) in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. If you do not specify the source IP address, the ping operation may fail.

The following example uses the command output on PE1.

[*PE1] ping -vpn-instance vpn1 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=60 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/54/60 ms

Verify the configuration.

Run the display dot1q information termination command to view information about dot1q VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the L3VPN.

The following example uses the command output on PE1.

[*PE1] display dot1q information termination interface gigabitethernet 0/2/1

  GigabitEthernet0/2/1.1
    L3VPN bound
    Total QinQ Num: 1
      dot1q  termination vid 10
    Total vlan-group Num: 0
    encapsulation dot1q-termination
  GigabitEthernet0/2/1.2
    L3VPN bound
    Total QinQ Num: 1
      dot1q  termination vid 20
    Total vlan-group Num: 0
    encapsulation dot1q-termination

Hosts attached to CE1 and CE2 can ping each other. Hosts attached to CE3 and CE4 can also ping each other. CE1 and CE2 cannot communicate with CE3 and CE4 because they belong to different VPN instances.

On the PEs, you can view the corresponding ARP entries. Use PE1 as an example.

[*PE1] display arp slot 2

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------------------------------
192.168.1.1     00e0-fc12-3458            I -         GE0/2/2
192.168.1.2     00e0-fc12-3457  20        D-9         GE0/2/2
10.1.1.1       00e0-fc12-3459            I -         GE0/2/1.1       vpn1
10.1.1.2        00e0-fc12-3456  20        D-9         GE0/2/1.1       vpn1            10/-
10.3.1.1       00e0-fc12-3459            I -         GE0/2/1.2       vpn2
10.3.1.2        00e0-fc12-3456  20        D-9         GE0/2/1.2       vpn2            20/-
-----------------------------------------------------------------------------------------------------
Total:6         Dynamic:3       Static:0    Interface:3

Configuration Files

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization  
  import-route direct
  peer 10.1.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
bgp 65420
 peer 10.2.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
   peer 10.2.1.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.3.1.2 255.255.255.0
#
bgp 65411
 peer 10.3.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.1 enable
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.4.1.2 255.255.255.0
#
bgp 65421
 peer 10.4.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.4.1.1 enable
#
return

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 arp broadcast enable
#
interface GigabitEthernet0/2/1.2
 ip binding vpn-instance vpn2
 ip address 10.3.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 20
 arp broadcast enable
#
interface GigabitEthernet0/2/2
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.3.1.2 as-number 65411
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

P configuration file

#
 sysname P
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn1
 ip address 10.2.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 10
 arp broadcast enable
#
interface GigabitEthernet0/2/1.2
 ip binding vpn-instance vpn2
 ip address 10.4.1.1 255.255.255.0
 encapsulation dot1q-termination
 dot1q termination vid 20
 arp broadcast enable
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.2.1.2 as-number 65420
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.4.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-interface to Access an L3VPN

This section describes how to configure a QinQ VLAN tag termination sub-interface to provide Layer 3 virtual private network (L3VPN) access and how to ensure that users communicate over the L3VPN using double-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access an L3VPN network, this sub-interface needs to be bound to a VPN instance to enable Layer 3 communication.

On the network shown in Figure 1-390, the CEs connect to the PEs through the routers, and the routers access the L3VPN through QinQ VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry two VLAN tags. To ensure that user networks on which CE1 and CE2 reside can communicate and that user networks on which CE3 and CE4 reside can communicate, configure QinQ VLAN tag termination sub-interfaces on PE1 and PE2 and bind these sub-interfaces to virtual private network (VPN) instances to provide L3VPN access.

Figure 1-390 Typical networking for configuring the QinQ VLAN tag termination sub-interface to provide L3VPN access

Interfaces 1 through 3, sub-interface 1.1, and sub-interface 1.2 in this example represent GE 0/2/1, GE 0/2/2, GE 0/2/3, GE 0/2/1.1, and GE 0/2/1.2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

Configure the Layer 2 forwarding function on the CEs so that the packets sent by the CEs to the routers carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on Device A and Device B so that packets sent by Device A to PE1 and packets sent by Device B to PE2 carry two VLAN tags.
Configure L3VPN services on PE1, the P, and PE2, configure QinQ VLAN tag termination sub-interfaces on PE1 and PE2, and bind these sub-interfaces to VPN instances so that users can communicate over the L3VPN.
1. Configure a routing protocol on PE1, the P, and PE2 to ensure Layer 3 connectivity.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on PE1, the P, and PE2 and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Configure VPN instances and QinQ VLAN tag termination sub-interfaces on PE1 and PE2, bind these sub-interfaces to the VPN instances to provide L3VPN access.
4. Establish a Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationship between the PEs so that users in the same VPN instance can communicate.
5. Establish External BGP (EBGP) peer relationships between the PEs and CEs to exchange VPN routes so that the CEs can communicate.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers to the CEs
VLAN IDs in the outer VLAN tags of packets sent by Device A to PE1 and packets sent by Device B to PE2
Names and IP addresses of the interfaces that connect the PEs and the routers
Names and IP addresses of the interfaces that connect PE1 and PE2
MPLS LSR IDs of the PEs and P, names of VPN instances on the PEs, and VPN targets of VPN routes

Procedure

Configure Layer 2 forwarding on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 10

[*CE1-vlan10] quit

[*CE1] interface gigabitethernet 0/2/1

[*CE1-GigabitEthernet0/2/1] undo shutdown

[*CE1-GigabitEthernet0/2/1] quit

[*CE1] interface gigabitethernet 0/2/1.1

[*CE1-GigabitEthernet0/2/1.1] ip address 10.1.1.2 24

[*CE1-GigabitEthernet0/2/1.1] vlan-type dot1q 10

[*CE1-GigabitEthernet0/2/1.1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/2/1

[*CE2-GigabitEthernet0/2/1] undo shutdown

[*CE2-GigabitEthernet0/2/1] quit

[*CE2] interface gigabitethernet 0/2/1.1

[*CE2-GigabitEthernet0/2/1.1] ip address 10.2.1.2 24

[*CE2-GigabitEthernet0/2/1.1] vlan-type dot1q 10

[*CE2-GigabitEthernet0/2/1.1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 20

[*CE3-vlan20] quit

[*CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] undo shutdown

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] interface gigabitethernet 0/2/1.1

[*CE3-GigabitEthernet0/2/1.1] ip address 10.3.1.2 24

[*CE3-GigabitEthernet0/2/1.1] vlan-type dot1q 20

[*CE3-GigabitEthernet0/2/1.1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] vlan 20

[*CE4-vlan20] quit

[*CE4] interface gigabitethernet 0/2/1

[*CE4-GigabitEthernet0/2/1] undo shutdown

[*CE4-GigabitEthernet0/2/1] quit

[*CE4] interface gigabitethernet 0/2/1.1

[*CE4-GigabitEthernet0/2/1.1] ip address 10.4.1.2 24

[*CE4-GigabitEthernet0/2/1.1] vlan-type dot1q 20

[*CE4-GigabitEthernet0/2/1.1] quit

[*CE4] commit

Configure the QinQ and Layer 2 forwarding functions on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan 100

[*DeviceA-vlan100] quit

[*DeviceA] interface gigabitethernet 0/2/1

[*DeviceA-GigabitEthernet0/2/1] undo shutdown

[*DeviceA-GigabitEthernet0/2/1] portswitch

[*DeviceA-GigabitEthernet0/2/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceA-GigabitEthernet0/2/1] quit

[*DeviceA] interface gigabitethernet 0/2/2

[*DeviceA-GigabitEthernet0/2/2] undo shutdown

[*DeviceA-GigabitEthernet0/2/2] portswitch

[*DeviceA-GigabitEthernet0/2/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceA-GigabitEthernet0/2/2] quit

[*DeviceA] interface gigabitethernet 0/2/3

[*DeviceA-GigabitEthernet0/2/3] undo shutdown

[*DeviceA-GigabitEthernet0/2/3] portswitch

[*DeviceA-GigabitEthernet0/2/3] port link-type trunk

[*DeviceA-GigabitEthernet0/2/3] port trunk allow-pass vlan 100

[*DeviceA-GigabitEthernet0/2/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan 100

[*DeviceB-vlan100] quit

[*DeviceB] interface gigabitethernet 0/2/1

[*DeviceB-GigabitEthernet0/2/1] undo shutdown

[*DeviceB-GigabitEthernet0/2/1] portswitch

[*DeviceB-GigabitEthernet0/2/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceB-GigabitEthernet0/2/1] quit

[*DeviceB] interface gigabitethernet 0/2/2

[*DeviceB-GigabitEthernet0/2/2] undo shutdown

[*DeviceB-GigabitEthernet0/2/2] portswitch

[*DeviceB-GigabitEthernet0/2/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceB-GigabitEthernet0/2/2] quit

[*DeviceB] interface gigabitethernet 0/2/3

[*DeviceB-GigabitEthernet0/2/3] undo shutdown

[*DeviceB-GigabitEthernet0/2/3] portswitch

[*DeviceB-GigabitEthernet0/2/3] port link-type trunk

[*DeviceB-GigabitEthernet0/2/3] port trunk allow-pass vlan 100

[*DeviceB-GigabitEthernet0/2/3] quit

[*DeviceB] commit

If the device does not support the port vlan-stacking command, you can run the port link-type dot1q-tunnel command and port default vlan command on the interface to configure the QinQ function.

Configure an L3VPN.

Configure OSPF on PE1, the P, and PE2.

Assign an IP address to each interface on the PEs and P. Make sure that the 32-bit loopback addresses of PE1, the P, and PE2 are advertised after OSPF is enabled.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/2/2] undo shutdown

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure the P.

<HUAWEI> system-view

[~HUAWEI] sysname P

[*HUAWEI] commit

[~P] interface LoopBack 1

[*P-LoopBack1] ip address 2.2.2.9 32

[*P-LoopBack1] quit

[*P] interface gigabitethernet 0/2/1

[*P-GigabitEthernet0/2/1] ip address 192.168.1.2 24

[*P-GigabitEthernet0/2/1] undo shutdown

[*P-GigabitEthernet0/2/1] quit

[*P] interface gigabitethernet 0/2/2

[*P-GigabitEthernet0/2/2] ip address 192.168.2.1 24

[*P-GigabitEthernet0/2/2] undo shutdown

[*P-GigabitEthernet0/2/2] quit

[*P] ospf

[*P-ospf-1] area 0

[*P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*P-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*P-ospf-1-area-0.0.0.0] quit

[*P-ospf-1] quit

[*P] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface loopback 1

[*PE2-LoopBack1] ip address 3.3.3.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] ip address 192.168.2.2 24

[*PE2-GigabitEthernet0/2/2] undo shutdown

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

After the configurations are complete, PE1 and PE2 have OSPF routes to the loopback interface of each other. PE1 and PE2 can ping each other.

The following example uses the command output on PE1.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 11       Routes : 11

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/2/2
        3.3.3.9/32  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/2/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
    192.168.2.0/24  OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=2 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/5 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] mpls

[*PE1-GigabitEthernet0/2/2] mpls ldp

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] commit

# Configure the P.

[~P] mpls lsr-id 2.2.2.9

[*P] mpls

[*P-mpls] quit

[*P] mpls ldp

[*P-mpls-ldp] quit

[*P] interface gigabitethernet0/2/1

[*P-GigabitEthernet0/2/1] mpls

[*P-GigabitEthernet0/2/1] mpls ldp

[*P-GigabitEthernet0/2/1] quit

[*P] interface gigabitethernet0/2/2

[*P-GigabitEthernet0/2/2] mpls

[*P-GigabitEthernet0/2/2] mpls ldp

[*P-GigabitEthernet0/2/2] quit

[*P] commit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] mpls

[*PE2-GigabitEthernet0/2/2] mpls ldp

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] commit

The following example uses the command output on PE1.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
  An asterisk (*) before a session means the session is being deleted.
-------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0         Operational  DU   Passive  0000:00:00   5/5
 3.3.3.9:0         Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

Configure VPN instances and bind the VPN instances to the QinQ VLAN tag termination sub-interface.

# Configure PE1.

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1-vpn-instance-vpn1] quit

[*PE1] interface gigabitethernet 0/2/1

[*PE1-GigabitEthernet0/2/1] undo shutdown

[*PE1-GigabitEthernet0/2/1] quit

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/2/1.1] ip address 10.1.1.1 24

[*PE1-GigabitEthernet0/2/1.1] arp broadcast enable

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 200:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] quit

[*PE1-vpn-instance-vpn2] quit

[*PE1] interface gigabitethernet 0/2/1.2

[*PE1-GigabitEthernet0/2/1.2] control-vid 2 qinq-termination

[*PE1-GigabitEthernet0/2/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/2/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/2/1.2] ip address 10.3.1.1 24

[*PE1-GigabitEthernet0/2/1.2] arp broadcast enable

[*PE1-GigabitEthernet0/2/1.2] quit

[*PE1] commit

# Configure PE2.

[~PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] quit

[*PE2-vpn-instance-vpn1] quit

[*PE2] interface gigabitethernet 0/2/1

[*PE2-GigabitEthernet0/2/1] undo shutdown

[*PE2-GigabitEthernet0/2/1] quit

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*PE2-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/2/1.1] ip address 10.2.1.1 24

[*PE2-GigabitEthernet0/2/1.1] arp broadcast enable

[*PE2-GigabitEthernet0/2/1.1] quit

[*PE2] ip vpn-instance vpn2

[*PE2-vpn-instance-vpn2] route-distinguisher 200:2

[*PE2-vpn-instance-vpn2-af-ipv4] vpn-target 200:2 both

[*PE2-vpn-instance-vpn2-af-ipv4] quit

[*PE2-vpn-instance-vpn2] quit

[*PE2] interface gigabitethernet 0/2/1.2

[*PE2-GigabitEthernet0/2/1.2] control-vid 2 qinq-termination

[*PE2-GigabitEthernet0/2/1.2] qinq termination pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/2/1.2] ip binding vpn-instance vpn2

[*PE2-GigabitEthernet0/2/1.2] ip address 10.4.1.1 24

[*PE2-GigabitEthernet0/2/1.2] arp broadcast enable

[*PE2-GigabitEthernet0/2/1.2] quit

When you run the qinq termination command on an interface, if the pe-vid values of the two different sub-interfaces are the same, make sure that the ce-vid values are different.

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

Use the command output on PE1 as an example.

[~PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/2/1.1
 Address family ipv4
  Create date : 2012-07-18 14:34:48
  Up time : 0 days, 00 hours, 07 minutes and 54 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets : 100:1
  Import VPN Targets : 100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

 VPN-Instance Name and ID : vpn2, 2
  Interfaces : GigabitEthernet0/2/1.2
 Address family ipv4
  Create date : 2012-07-18 14:38:44
  Up time : 0 days, 00 hours, 03 minutes and 58 seconds
  Route Distinguisher : 200:2
  Export VPN Targets : 200:2
  Import VPN Targets : 200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] peer 3.3.3.9 as-number 100

[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1

[*PE1-bgp] ipv4-family vpnv4

[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[*PE1-bgp-af-vpnv4] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] peer 1.1.1.9 as-number 100

[*PE2-bgp] peer 1.1.1.9 connect-interface loopback 1

[*PE2-bgp] ipv4-family vpnv4

[*PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[*PE2-bgp-af-vpnv4] quit

[*PE2-bgp] quit

[*PE2] commit

[~PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  3.3.3.9         4         100        4        4     0 00:00:33 Established    0

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.

# Configure CE1.

[~CE1] bgp 65410

[*CE1-bgp] peer 10.1.1.1 as-number 100

[*CE1-bgp] import-route direct

[*CE1-bgp] quit

[*CE1] commit

# Configure CE2.

[~CE2] bgp 65420

[*CE2-bgp] peer 10.2.1.1 as-number 100

[*CE2-bgp] import-route direct

[*CE2-bgp] quit

[*CE2] commit

# Configure CE3.

[~CE3] bgp 65411

[*CE3-bgp] peer 10.3.1.1 as-number 100

[*CE3-bgp] import-route direct

[*CE3-bgp] quit

[*CE3] commit

# Configure CE4.

[~CE4] bgp 65421

[*CE4-bgp] peer 10.4.1.1 as-number 100

[*CE4-bgp] import-route direct

[*CE4-bgp] quit

[*CE4] commit

# Configure PE1.

[*PE1] bgp 100

[*PE1-bgp] ipv4-family vpn-instance vpn1

[*PE1-bgp-vpn1] peer 10.1.1.2 as-number 65410

[*PE1-bgp-vpn1] import-route direct

[*PE1-bgp-vpn1] quit

[*PE1-bgp] ipv4-family vpn-instance vpn2

[*PE1-bgp-vpn2] peer 10.3.1.2 as-number 65411

[*PE1-bgp-vpn2] import-route direct

[*PE1-bgp-vpn2] quit

[*PE1-bgp] quit

[*PE1] commit

# Configure PE2.

[~PE2] bgp 100

[*PE2-bgp] ipv4-family vpn-instance vpn1

[*PE2-bgp-vpn1] peer 10.2.1.2 as-number 65420

[*PE2-bgp-vpn1] import-route direct

[*PE2-bgp-vpn1] quit

[*PE2-bgp] ipv4-family vpn-instance vpn2

[*PE2-bgp-vpn2] peer 10.4.1.2 as-number 65421

[*PE2-bgp-vpn2] import-route direct

[*PE2-bgp-vpn2] quit

[*PE2-bgp] quit

[*PE2] commit

Use the BGP peer relationship between PE1 and CE1 as an example.

[~PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

 VPN-Instance vpn1, router ID 1.1.1.9:
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS    MsgRcvd  MsgSent  OutQ  Up/Down     State         PrefRcv
  10.1.1.2        4         65410     6        7       0 00:02:58      Established    1

After the configurations are complete, the PEs can ping the CEs connected to them.

The following example uses the command output on PE1.

[*PE1] ping -vpn-instance vpn1 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=60 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/54/60 ms

Verify the configuration.

Run the display qinq information termination command to view information about QinQ VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the L3VPN.

Use the command output on PE1 as an example.

[*PE1] display qinq information termination interface gigabitethernet 0/2/1

  GigabitEthernet0/2/1.1
    L3VPN bound
    Total QinQ Num: 1
      qinq termination pe-vid 100 ce-vid 10
    Total vlan-group Num: 0
    encapsulation qinq-termination
  GigabitEthernet0/2/1.2
    L3VPN bound
    Total QinQ Num: 1
      qinq termination pe-vid 100 ce-vid 20
    Total vlan-group Num: 0
    encapsulation qinq-termination

Verify that the following conditions are true:

a. Hosts attached to CE1 and CE2 can ping each other.

b. Hosts attached to CE3 and CE4 can ping each other.

c. CE1 and CE2 cannot communicate with CE3 and CE4.

On the PEs, you can view the corresponding ARP entries. Use PE1 as an example.

[*PE1] display arp slot 2

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  VLAN/CEVLAN PVC
------------------------------------------------------------------------------------------------------
192.168.1.1     00e0-fc12-3458            I -         GE0/2/2
192.168.1.2     00e0-fc12-3457  20        D-9         GE0/2/2
10.1.1.1        00e0-fc12-3459            I -         GE0/2/1.1       vpn1
10.1.1.2        00e0-fc12-3456  20        D-9         GE0/2/1.1       vpn1            100/10
10.3.1.1        00e0-fc12-3459            I -         GE0/2/1.2       vpn2
10.3.1.2        00e0-fc12-3456  20        D-9         GE0/2/1.2       vpn2            100/20
-----------------------------------------------------------------------------------------------------
Total:6         Dynamic:3       Static:0    Interface:3

Configuration Files

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 10
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization 
 import-route direct
  peer 10.1.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 20
 ip address 10.3.1.2 255.255.255.0
#
bgp 65420
 peer 10.2.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization 
 import-route direct
  peer 10.2.1.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 10
 ip address 10.2.1.2 255.255.255.0
#
bgp 65411
 peer 10.3.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.1 enable
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 20
 ip address 10.4.1.2 255.255.255.0
#
bgp 65421
 peer 10.4.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.4.1.1 enable
#
return

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 arp broadcast enable
#
interface GigabitEthernet0/2/1.2
 ip binding vpn-instance vpn2
 ip address 10.3.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 arp broadcast enable
#
interface GigabitEthernet0/2/2
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.3.1.2 as-number 65411
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

P configuration file

#
 sysname P
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 apply-label per-instance
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn1
 ip address 10.2.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 arp broadcast enable
#
interface GigabitEthernet0/2/1.2
 ip binding vpn-instance vpn2
 ip address 10.4.1.1 255.255.255.0
 encapsulation qinq-termination
 qinq termination pe-vid 100 ce-vid 20
 arp broadcast enable
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.2.1.2 as-number 65420
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 10.4.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 100
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 100
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Example for Configuring a Dot1q VLAN Tag Termination Sub-interface to Access an L2VPN

This section describes how to configure a dot1q VLAN tag termination sub-interface to provide Layer 2 virtual private network (L2VPN) access and how to ensure that users communicate over the L2VPN using single-tagged packets.

Networking Requirements

When a VLAN tag termination sub-interface is used to access a L2VPN network, this sub-interface needs to be bound to a Virtual Switching Instance (VSI) or virtual private wire service (VPWS) to enable Layer 2 communication.

On the network shown in Figure 1-391, the CEs connect to the PEs through the routers, and the routers access the L2VPN through dot1q VLAN tag termination sub-interfaces. Packets sent by the routers to the PEs carry one VLAN tag. To implement interworking between CEs 1 through 6, dot1q VLAN tag termination sub-interfaces need to be configured on PE1, PE2, and PE3 and bound to a VSI or VPWS to access the L2VPN.

Figure 1-391 Typical networking for configuring the dot1q VLAN tag termination sub-interface to access an L2VPN

Interfaces 1 through 3 and subinterface1.1 in this example represent GE0/2/1, GE0/2/2, GE0/2/3, and GE0/2/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using dot1q VLAN tag termination sub-interfaces so that CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as dot1q VLAN tag termination sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses for interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs on the routers and determine the VLANs to which users belong.
Configure the Layer 2 forwarding function on the routers and CEs so that the packets sent from the routers to the PEs carry one VLAN tag.
Configure a VPLS network and dot1q VLAN tag termination sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and dot1q VLAN tag termination sub-interfaces on the PEs, and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names and IP addresses of the interfaces that connect the routers to the CEs
Names and IP addresses of the interfaces that connect the PEs to the routers
Names and IP addresses of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure IP addresses for interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/2/1

[*CE1-GigabitEthernet0/2/1] undo shutdown

[*CE1-GigabitEthernet0/2/1] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/2/1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/2/1

[*CE2-GigabitEthernet0/2/1] undo shutdown

[*CE2-GigabitEthernet0/2/1] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/2/1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] undo shutdown

[*CE3-GigabitEthernet0/2/1] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/2/1

[*CE4-GigabitEthernet0/2/1] undo shutdown

[*CE4-GigabitEthernet0/2/1] ip address 10.1.1.4 24

[*CE4-GigabitEthernet0/2/1] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] interface gigabitethernet 0/2/1

[*CE5-GigabitEthernet0/2/1] undo shutdown

[*CE5-GigabitEthernet0/2/1] ip address 10.1.1.5 24

[*CE5-GigabitEthernet0/2/1] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] interface gigabitethernet 0/2/1

[*CE6-GigabitEthernet0/2/1] undo shutdown

[*CE6-GigabitEthernet0/2/1] ip address 10.1.1.6 24

[*CE6-GigabitEthernet0/2/1] quit

[*CE6] commit

Create VLANs on the routers and associate Layer 2 interfaces with the VLANs.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/2/1

[*DeviceA-GigabitEthernet0/2/1] undo shutdown

[*DeviceA-GigabitEthernet0/2/1] portswitch

[*DeviceA-GigabitEthernet0/2/1] port link-type access

[*DeviceA-GigabitEthernet0/2/1] port default vlan 10

[*DeviceA-GigabitEthernet0/2/1] quit

[*DeviceA] interface gigabitethernet 0/2/2

[*DeviceA-GigabitEthernet0/2/2] undo shutdown

[*DeviceA-GigabitEthernet0/2/2] portswitch

[*DeviceA-GigabitEthernet0/2/2] port link-type access

[*DeviceA-GigabitEthernet0/2/2] port default vlan 20

[*DeviceA-GigabitEthernet0/2/2] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/2/1

[*DeviceB-GigabitEthernet0/2/1] undo shutdown

[*DeviceB-GigabitEthernet0/2/1] portswitch

[*DeviceB-GigabitEthernet0/2/1] port link-type access

[*DeviceB-GigabitEthernet0/2/1] port default vlan 10

[*DeviceB-GigabitEthernet0/2/1] quit

[*DeviceB] interface gigabitethernet 0/2/2

[*DeviceB-GigabitEthernet0/2/2] undo shutdown

[*DeviceB-GigabitEthernet0/2/2] portswitch

[*DeviceB-GigabitEthernet0/2/2] port link-type access

[*DeviceB-GigabitEthernet0/2/2] port default vlan 20

[*DeviceB-GigabitEthernet0/2/2] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan batch 10 20

[*DeviceC] interface gigabitethernet 0/2/1

[*DeviceC-GigabitEthernet0/2/1] undo shutdown

[*DeviceC-GigabitEthernet0/2/1] portswitch

[*DeviceC-GigabitEthernet0/2/1] port link-type access

[*DeviceC-GigabitEthernet0/2/1] port default vlan 10

[*DeviceC-GigabitEthernet0/2/1] quit

[*DeviceC] interface gigabitethernet 0/2/2

[*DeviceC-GigabitEthernet0/2/2] undo shutdown

[*DeviceC-GigabitEthernet0/2/2] portswitch

[*DeviceC-GigabitEthernet0/2/2] port link-type access

[*DeviceC-GigabitEthernet0/2/2] port default vlan 20

[*DeviceC-GigabitEthernet0/2/2] quit

[*DeviceC] commit

Configure the Layer 2 forwarding function.

# Configure Device A.

[~DeviceA] interface gigabitethernet 0/2/3

[*DeviceA-GigabitEthernet0/2/3] undo shutdown

[*DeviceA-GigabitEthernet0/2/3] portswitch

[*DeviceA-GigabitEthernet0/2/3] port link-type trunk

[*DeviceA-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/2/3] quit

[*DeviceA] commit

# Configure Device B.

[~DeviceB] interface gigabitethernet 0/2/3

[*DeviceB-GigabitEthernet0/2/3] undo shutdown

[*DeviceB-GigabitEthernet0/2/3] portswitch

[*DeviceB-GigabitEthernet0/2/3] port link-type trunk

[*DeviceB-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/2/3] quit

[*DeviceB] commit

# Configure Device C.

[~DeviceC] interface gigabitethernet 0/2/3

[*DeviceC-GigabitEthernet0/2/3] undo shutdown

[*DeviceC-GigabitEthernet0/2/3] portswitch

[*DeviceC-GigabitEthernet0/2/3] port link-type trunk

[*DeviceC-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceC-GigabitEthernet0/2/3] quit

[*DeviceC] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] ip address 192.168.1.1 30

[*PE1-GigabitEthernet0/2/2] undo shutdown

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] ip address 192.168.3.1 30

[*PE1-GigabitEthernet0/2/3] undo shutdown

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] ip address 192.168.2.2 30

[*PE2-GigabitEthernet0/2/2] undo shutdown

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet 0/2/3

[*PE2-GigabitEthernet0/2/3] ip address 192.168.3.2 30

[*PE2-GigabitEthernet0/2/3] undo shutdown

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] ip address 192.168.1.2 30

[*PE3-GigabitEthernet0/2/2] undo shutdown

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] ip address 192.168.2.1 30

[*PE3-GigabitEthernet0/2/3] undo shutdown

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

The following example uses the command output on PE1.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/2/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/2/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/2/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/2/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] mpls

[*PE1-GigabitEthernet0/2/2] mpls ldp

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] mpls

[*PE1-GigabitEthernet0/2/3] mpls ldp

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/2/2

[*PE2-GigabitEthernet0/2/2] mpls

[*PE2-GigabitEthernet0/2/2] mpls ldp

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet0/2/3

[*PE2-GigabitEthernet0/2/3] mpls

[*PE2-GigabitEthernet0/2/3] mpls ldp

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] mpls

[*PE3-GigabitEthernet0/2/2] mpls ldp

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] mpls

[*PE3-GigabitEthernet0/2/3] mpls ldp

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] commit

After the configurations are complete, LDP sessions are set up between between PE1 and PE2, and between PE1 and PE3. Run the display mpls ldp session command. The command output shows that the LDP session status is Operational.

The following example uses the command output on PE1.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and bind the dot1q VLAN tag termination sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE1-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE1-GigabitEthernet0/2/1.1] dot1q termination vid 20

[*PE1-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE2-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE2-GigabitEthernet0/2/1.1] dot1q termination vid 20

[*PE2-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/2/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/2/1.1

[*PE3-GigabitEthernet0/2/1.1] control-vid 1 dot1q-termination

[*PE3-GigabitEthernet0/2/1.1] dot1q termination vid 10

[*PE3-GigabitEthernet0/2/1.1] dot1q termination vid 20

[*PE3-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE3-GigabitEthernet0/2/1.1] quit

[*PE3] commit

When you run the dot1q termination command on an interface, make sure that the VLAN tag values of the two different sub-interfaces are different.

After the configurations are complete, run the display vsi name ldp1 verbose command on PE1. The command output shows that PWs to PE2 and PE3 are set up on the VSI named ldp1 and that the VSI status is up.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/2/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display dot1q information termination interface command to view information about the dot1q VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

The following example uses the command output on PE1.

[*PE1] display dot1q information termination interface gigabitethernet 0/2/1.1

  GigabitEthernet0/2/1.1
    VSI bound
    Total QinQ Num: 2
      dot1q  termination vid 10
      dot1q  termination vid 20
    Total vlan-group Num: 0
    encapsulation dot1q-termination

Hosts attached to CE1, CE2, and CE3 can ping each other.

[~CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[~CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation dot1q-termination
 dot1q termination vid 10
 dot1q termination vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.4 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.5 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.1.1.6 255.255.255.0
#
return

Example for Configuring a QinQ VLAN Tag Termination Sub-interface to Access an L2VPN

This example shows how to configure the QinQ VLAN tag termination sub-interface to access a Layer 2 virtual private network (L2VPN). This configuration ensures that users communicate over the L2VPN using double-tagged packets.

Networking Requirements

On the network shown in Figure 1-392, the CEs connect to the PEs through routers, and the routers access the L2VPN through QinQ VLAN tag termination sub-interfaces. The packets sent from the routers to the PEs carry two VLAN tags. QinQ VLAN tag termination sub-interfaces need to be configured on PE1, PE2, and PE3 and bound to VSIs or L2VCs to access the L2VPN, implementing interworking between CEs 1 through 6.

Figure 1-392 Typical networking for configuring the QinQ VLAN tag termination sub-interface to access an L2VPN

Interfaces 1 through 3 and sub-interface 1.1 in this example represent GE 0/2/1, GE 0/2/2, GE 0/2/3, and GE 0/2/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using QinQ VLAN tag termination sub-interfaces so that CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as QinQ VLAN tag termination sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure the Layer 2 forwarding function on the CEs so that the packets sent by the CEs to the routers carry one VLAN tag.
Configure the QinQ and Layer 2 forwarding functions on the routers so that the packets sent by the routers to the PEs carry two VLAN tags.
Configure a VPLS network and QinQ VLAN tag termination sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and QinQ VLAN tag termination sub-interfaces on the PEs, and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Outer VLAN tag in the packets sent from the routers to the PEs
Names of the interfaces that connect the routers and the CEs, names of the interfaces that connect the PEs and the routers, and names and IP addresses of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure the Layer 2 forwarding function on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] vlan 10

[*CE1-vlan10] quit

[*CE1] interface gigabitethernet 0/2/1

[*CE1-GigabitEthernet0/2/1] undo shutdown

[*CE1-GigabitEthernet0/2/1] quit

[*CE1] interface gigabitethernet 0/2/1.1

[*CE1-GigabitEthernet0/2/1.1] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/2/1.1] vlan-type dot1q 10

[*CE1-GigabitEthernet0/2/1.1] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] vlan 10

[*CE2-vlan10] quit

[*CE2] interface gigabitethernet 0/2/1

[*CE2-GigabitEthernet0/2/1] undo shutdown

[*CE2-GigabitEthernet0/2/1] quit

[*CE2] interface gigabitethernet 0/2/1.1

[*CE2-GigabitEthernet0/2/1.1] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/2/1.1] vlan-type dot1q 10

[*CE2-GigabitEthernet0/2/1.1] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] vlan 10

[*CE3-vlan10] quit

[*CE3] interface gigabitethernet 0/2/1

[*CE3-GigabitEthernet0/2/1] undo shutdown

[*CE3-GigabitEthernet0/2/1] quit

[*CE3] interface gigabitethernet 0/2/1.1

[*CE3-GigabitEthernet0/2/1.1] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/2/1.1] vlan-type dot1q 10

[*CE3-GigabitEthernet0/2/1.1] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] vlan 20

[*CE4-vlan20] quit

[*CE4] interface gigabitethernet 0/2/1

[*CE4-GigabitEthernet0/2/1] undo shutdown

[*CE4-GigabitEthernet0/2/1] quit

[*CE4] interface gigabitethernet 0/2/1.1

[*CE4-GigabitEthernet0/2/1.1] ip address 10.2.1.1 24

[*CE4-GigabitEthernet0/2/1.1] vlan-type dot1q 20

[*CE4-GigabitEthernet0/2/1.1] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] vlan 20

[*CE5-vlan20] quit

[*CE5] interface gigabitethernet 0/2/1

[*CE5-GigabitEthernet0/2/1] undo shutdown

[*CE5-GigabitEthernet0/2/1] quit

[*CE5] interface gigabitethernet 0/2/1.1

[*CE5-GigabitEthernet0/2/1.1] ip address 10.2.1.2 24

[*CE5-GigabitEthernet0/2/1.1] vlan-type dot1q 20

[*CE5-GigabitEthernet0/2/1.1] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] vlan 20

[*CE6-vlan20] quit

[*CE6] interface gigabitethernet 0/2/1

[*CE6-GigabitEthernet0/2/1] undo shutdown

[*CE6-GigabitEthernet0/2/1] quit

[*CE6] interface gigabitethernet 0/2/1.1

[*CE6-GigabitEthernet0/2/1.1] ip address 10.2.1.3 24

[*CE6-GigabitEthernet0/2/1.1] vlan-type dot1q 20

[*CE6-GigabitEthernet0/2/1.1] quit

[*CE6] commit

Configure the QinQ and Layer 2 forwarding functions on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan 100

[*DeviceA-vlan100] quit

[*DeviceA] interface gigabitethernet 0/2/1

[*DeviceA-GigabitEthernet0/2/1] undo shutdown

[*DeviceA-GigabitEthernet0/2/1] portswitch

[*DeviceA-GigabitEthernet0/2/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceA-GigabitEthernet0/2/1] quit

[*DeviceA] interface gigabitethernet 0/2/2

[*DeviceA-GigabitEthernet0/2/2] undo shutdown

[*DeviceA-GigabitEthernet0/2/2] portswitch

[*DeviceA-GigabitEthernet0/2/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceA-GigabitEthernet0/2/2] quit

[*DeviceA] interface gigabitethernet 0/2/3

[*DeviceA-GigabitEthernet0/2/3] undo shutdown

[*DeviceA-GigabitEthernet0/2/3] portswitch

[*DeviceA-GigabitEthernet0/2/3] port link-type trunk

[*DeviceA-GigabitEthernet0/2/3] port trunk allow-pass vlan 100

[*DeviceA-GigabitEthernet0/2/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan 100

[*DeviceB-vlan100] quit

[*DeviceB] interface gigabitethernet 0/2/1

[*DeviceB-GigabitEthernet0/2/1] undo shutdown

[*DeviceB-GigabitEthernet0/2/1] portswitch

[*DeviceB-GigabitEthernet0/2/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceB-GigabitEthernet0/2/1] quit

[*DeviceB] interface gigabitethernet 0/2/2

[*DeviceB-GigabitEthernet0/2/2] undo shutdown

[*DeviceB-GigabitEthernet0/2/2] portswitch

[*DeviceB-GigabitEthernet0/2/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceB-GigabitEthernet0/2/2] quit

[*DeviceB] interface gigabitethernet 0/2/3

[*DeviceB-GigabitEthernet0/2/3] undo shutdown

[*DeviceB-GigabitEthernet0/2/3] portswitch

[*DeviceB-GigabitEthernet0/2/3] port link-type trunk

[*DeviceB-GigabitEthernet0/2/3] port trunk allow-pass vlan 100

[*DeviceB-GigabitEthernet0/2/3] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan 100

[*DeviceC-vlan100] quit

[*DeviceC] interface gigabitethernet 0/2/1

[*DeviceC-GigabitEthernet0/2/1] undo shutdown

[*DeviceC-GigabitEthernet0/2/1] portswitch

[*DeviceC-GigabitEthernet0/2/1] port vlan-stacking vlan 10 stack-vlan 100

[*DeviceC-GigabitEthernet0/2/1] quit

[*DeviceC] interface gigabitethernet 0/2/2

[*DeviceC-GigabitEthernet0/2/2] undo shutdown

[*DeviceC-GigabitEthernet0/2/2] portswitch

[*DeviceC-GigabitEthernet0/2/2] port vlan-stacking vlan 20 stack-vlan 100

[*DeviceC-GigabitEthernet0/2/2] quit

[*DeviceC] interface gigabitethernet 0/2/3

[*DeviceC-GigabitEthernet0/2/3] undo shutdown

[*DeviceC-GigabitEthernet0/2/3] portswitch

[*DeviceC-GigabitEthernet0/2/3] port link-type trunk

[*DeviceC-GigabitEthernet0/2/3] port trunk allow-pass vlan 100

[*DeviceC-GigabitEthernet0/2/3] quit

[*DeviceC] commit

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] ip address 192.168.1.1 30

[*PE1-GigabitEthernet0/2/2] undo shutdown

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] ip address 192.168.3.1 30

[*PE1-GigabitEthernet0/2/3] undo shutdown

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] ip address 192.168.2.2 30

[*PE2-GigabitEthernet0/2/2] undo shutdown

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet 0/2/3

[*PE2-GigabitEthernet0/2/3] ip address 192.168.3.2 30

[*PE2-GigabitEthernet0/2/3] undo shutdown

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] ip address 192.168.1.2 30

[*PE3-GigabitEthernet0/2/2] undo shutdown

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] ip address 192.168.2.1 30

[*PE3-GigabitEthernet0/2/3] undo shutdown

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

The following example uses the command output on PE1.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/2/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/2/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/2/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/2/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] mpls

[*PE1-GigabitEthernet0/2/2] mpls ldp

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] mpls

[*PE1-GigabitEthernet0/2/3] mpls ldp

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/2/2

[*PE2-GigabitEthernet0/2/2] mpls

[*PE2-GigabitEthernet0/2/2] mpls ldp

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet0/2/3

[*PE2-GigabitEthernet0/2/3] mpls

[*PE2-GigabitEthernet0/2/3] mpls ldp

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] mpls

[*PE3-GigabitEthernet0/2/2] mpls ldp

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] mpls

[*PE3-GigabitEthernet0/2/3] mpls ldp

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] commit

The following example uses the command output on PE1.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and bind the QinQ VLAN tag termination sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*PE1-GigabitEthernet0/2/1.1] qinq termination l2 symmetry

[*PE1-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE1-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE1-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*PE2-GigabitEthernet0/2/1.1] qinq termination l2 symmetry

[*PE2-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE2-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE2-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/2/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/2/1.1

[*PE3-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination

[*PE3-GigabitEthernet0/2/1.1] qinq termination l2 symmetry

[*PE3-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10

[*PE3-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 20

[*PE3-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE3-GigabitEthernet0/2/1.1] quit

[*PE3] commit

When you run the qinq termination command on an interface, if the pe-vid values of the two different sub-interfaces are the same, make sure that the ce-vid values are different.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/2/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display qinq information termination interface command to view information about the QinQ VLAN tag termination sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

Use the command output on PE1 as an example.

[*PE1] display qinq information termination interface gigabitethernet 0/2/1

  GigabitEthernet0/2/1.1
    VSI bound
    qinq termination l2 symmetry
    Total QinQ Num: 2
      qinq termination pe-vid 100 ce-vid 10
      qinq termination pe-vid 100 ce-vid 20
    Total vlan-group Num: 0
    encapsulation qinq-termination

Hosts attached to CE1, CE2, and CE3 can ping each other.

[*CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[*CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 encapsulation qinq-termination
 qinq termination l2 symmetry
 qinq termination pe-vid 100 ce-vid 10
 qinq termination pe-vid 100 ce-vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 100
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 100
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 100
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port vlan-stacking vlan 20 stack-vlan 100
#
return

CE1 configuration file

#
 sysname CE1
#
 vlan batch 10
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 10
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
 vlan batch 10
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 10
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
 vlan batch 10
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 10
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
 vlan batch 20
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 20
 ip address 10.2.1.1 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
 vlan batch 20
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 20
 ip address 10.2.1.2 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
 vlan batch 20
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 vlan-type dot1q 20
 ip address 10.2.1.3 255.255.255.0
#
return

Example for Configuring a QinQ Stacking Sub-interface to Access an L2VPN

This example shows how to configure the QinQ stacking sub-interface to access a Layer 2 virtual private network (L2VPN). This configuration allows a physical interface to provide access services for multiple users.

Networking Requirements

On the network shown in Figure 1-393, CEs belong to different VLANs and are connected to PEs through routers. The packets sent from the CEs to the routers do not carry any VLAN tag, and the packets sent from the routers to the PEs carry one VLAN tag. QinQ stacking sub-interfaces need to be configured on the PEs and bound to a virtual switching instance (VSI) or a virtual private wire service (VPWS) to access an L2VPN, allowing the PEs to provide access services for multiple users and the CEs to communicate.

Figure 1-393 Typical networking for configuring the QinQ stacking sub-interface to access an L2VPN

Interfaces 1 through 3 and subinterface1.1 in this example represent GE0/2/1, GE0/2/2, GE0/2/3, and GE0/2/1.1, respectively.

Precautions

L2VPNs include VPWS and VPLS networks.

VPWS

VPWS is a point-to-point virtual leased line technology and supports almost all link layer protocols. VPWS simulates the traditional leased line services on IP networks and provides asymmetric and low-cost digital data network (DDN) services. For users on both ends of the leased line, VPWS is similar to the traditional leased line services.
VPLS

VPLS makes a multipoint-to-multipoint VPN networking possible. With VPLS, the carrier can transmit Ethernet-based multipoint-to-multipoint services for users over an MPLS backbone network.

A VPLS network is used in this example to describe how to access an L2VPN using QinQ stacking sub-interfaces so that PEs can provide access services for multiple users and CEs can communicate over the L2VPN. Configurations on a VPWS network are the same as those on a VPLS network except that the user-side sub-interfaces on PEs are configured as QinQ stacking sub-interfaces and bound to an L2VC to access the L2VPN.

Configuration Roadmap

The configuration roadmap is as follows:

Configure IP addresses for interfaces on the CEs. The packets sent from the CEs to the routers do not carry any VLAN tag.
Create VLANs and configure the Layer 2 forwarding function on the routers so that the packets sent from the routers to the PEs carry one VLAN tag.
Configure a VPLS network and QinQ stacking sub-interfaces on the PEs and bind these sub-interfaces to a VSI so that users can communicate over the VPLS network.
1. Configure a routing protocol on the PEs so that these devices can communicate on the Layer 3 network.
  
  Open Shortest Path First (OSPF) is used in this example.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP) on the PEs, and set up MPLS Label Switched Paths (LSPs) between these devices.
3. Enable MPLS L2VPN on the PEs globally.
4. Configure a VSI and QinQ stacking sub-interfaces on the PEs and bind these sub-interfaces to the VSI to access the L2VPN.

Data Preparation

To complete the configuration, you need the following data:

Users' VLAN IDs and IP addresses
Names of the interfaces that connect the routers and the CEs, names of the interfaces that connect the PEs and the routers, and names and IP addresses of the interfaces that connect the PEs
MPLS LSR IDs, VSI ID, VSI name, and name and IP address of each interface bound to the VSI on the PEs

Procedure

Configure IP addresses for interfaces on the CEs.

# Configure CE1.

<HUAWEI> system-view

[~HUAWEI] sysname CE1

[*HUAWEI] commit

[~CE1] interface gigabitethernet 0/2/3

[*CE1-GigabitEthernet0/2/3] undo shutdown

[*CE1-GigabitEthernet0/2/3] ip address 10.1.1.1 24

[*CE1-GigabitEthernet0/2/3] quit

[*CE1] commit

# Configure CE2.

<HUAWEI> system-view

[~HUAWEI] sysname CE2

[*HUAWEI] commit

[~CE2] interface gigabitethernet 0/2/3

[*CE2-GigabitEthernet0/2/3] undo shutdown

[*CE2-GigabitEthernet0/2/3] ip address 10.1.1.2 24

[*CE2-GigabitEthernet0/2/3] quit

[*CE2] commit

# Configure CE3.

<HUAWEI> system-view

[~HUAWEI] sysname CE3

[*HUAWEI] commit

[~CE3] interface gigabitethernet 0/2/3

[*CE3-GigabitEthernet0/2/3] undo shutdown

[*CE3-GigabitEthernet0/2/3] ip address 10.1.1.3 24

[*CE3-GigabitEthernet0/2/3] quit

[*CE3] commit

# Configure CE4.

<HUAWEI> system-view

[~HUAWEI] sysname CE4

[*HUAWEI] commit

[~CE4] interface gigabitethernet 0/2/3

[*CE4-GigabitEthernet0/2/3] undo shutdown

[*CE4-GigabitEthernet0/2/3] ip address 10.2.1.1 24

[*CE4-GigabitEthernet0/2/3] quit

[*CE4] commit

# Configure CE5.

<HUAWEI> system-view

[~HUAWEI] sysname CE5

[*HUAWEI] commit

[~CE5] interface gigabitethernet 0/2/3

[*CE5-GigabitEthernet0/2/3] undo shutdown

[*CE5-GigabitEthernet0/2/3] ip address 10.2.1.2 24

[*CE5-GigabitEthernet0/2/3] quit

[*CE5] commit

# Configure CE6.

<HUAWEI> system-view

[~HUAWEI] sysname CE6

[*HUAWEI] commit

[~CE6] interface gigabitethernet 0/2/3

[*CE6-GigabitEthernet0/2/3] undo shutdown

[*CE6-GigabitEthernet0/2/3] ip address 10.2.1.3 24

[*CE6-GigabitEthernet0/2/3] quit

[*CE6] commit

Create VLANs and configure the Layer 2 forwarding function on the routers.

# Configure Device A.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceA

[*HUAWEI] commit

[~DeviceA] vlan batch 10 20

[*DeviceA] interface gigabitethernet 0/2/1

[*DeviceA-GigabitEthernet0/2/1] undo shutdown

[*DeviceA-GigabitEthernet0/2/1] portswitch

[*DeviceA-GigabitEthernet0/2/1] port link-type access

[*DeviceA-GigabitEthernet0/2/1] port default vlan 10

[*DeviceA-GigabitEthernet0/2/1] quit

[*DeviceA] interface gigabitethernet 0/2/2

[*DeviceA-GigabitEthernet0/2/2] undo shutdown

[*DeviceA-GigabitEthernet0/2/2] portswitch

[*DeviceA-GigabitEthernet0/2/2] port link-type access

[*DeviceA-GigabitEthernet0/2/2] port default vlan 20

[*DeviceA-GigabitEthernet0/2/2] quit

[*DeviceA] interface gigabitethernet 0/2/3

[*DeviceA-GigabitEthernet0/2/3] undo shutdown

[*DeviceA-GigabitEthernet0/2/3] portswitch

[*DeviceA-GigabitEthernet0/2/3] port link-type trunk

[*DeviceA-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceA-GigabitEthernet0/2/3] quit

[*DeviceA] commit

# Configure Device B.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceB

[*HUAWEI] commit

[~DeviceB] vlan batch 10 20

[*DeviceB] interface gigabitethernet 0/2/1

[*DeviceB-GigabitEthernet0/2/1] undo shutdown

[*DeviceB-GigabitEthernet0/2/1] portswitch

[*DeviceB-GigabitEthernet0/2/1] port link-type access

[*DeviceB-GigabitEthernet0/2/1] port default vlan 10

[*DeviceB-GigabitEthernet0/2/1] quit

[*DeviceB] interface gigabitethernet 0/2/2

[*DeviceB-GigabitEthernet0/2/2] undo shutdown

[*DeviceB-GigabitEthernet0/2/2] portswitch

[*DeviceB-GigabitEthernet0/2/2] port link-type access

[*DeviceB-GigabitEthernet0/2/2] port default vlan 20

[*DeviceB-GigabitEthernet0/2/2] quit

[*DeviceB] interface gigabitethernet 0/2/3

[*DeviceB-GigabitEthernet0/2/3] undo shutdown

[*DeviceB-GigabitEthernet0/2/3] portswitch

[*DeviceB-GigabitEthernet0/2/3] port link-type trunk

[*DeviceB-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceB-GigabitEthernet0/2/3] quit

[*DeviceB] commit

# Configure Device C.

<HUAWEI> system-view

[~HUAWEI] sysname DeviceC

[*HUAWEI] commit

[~DeviceC] vlan batch 10 20

[*DeviceC] interface gigabitethernet 0/2/1

[*DeviceC-GigabitEthernet0/2/1] undo shutdown

[*DeviceC-GigabitEthernet0/2/1] portswitch

[*DeviceC-GigabitEthernet0/2/1] port link-type access

[*DeviceC-GigabitEthernet0/2/1] port default vlan 10

[*DeviceC-GigabitEthernet0/2/1] quit

[*DeviceC] interface gigabitethernet 0/2/2

[*DeviceC-GigabitEthernet0/2/2] undo shutdown

[*DeviceC-GigabitEthernet0/2/2] portswitch

[*DeviceC-GigabitEthernet0/2/2] port link-type access

[*DeviceC-GigabitEthernet0/2/2] port default vlan 20

[*DeviceC-GigabitEthernet0/2/2] quit

[*DeviceC] interface gigabitethernet 0/2/3

[*DeviceC-GigabitEthernet0/2/3] undo shutdown

[*DeviceC-GigabitEthernet0/2/3] portswitch

[*DeviceC-GigabitEthernet0/2/3] port link-type trunk

[*DeviceC-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20

[*DeviceC-GigabitEthernet0/2/3] quit

[*DeviceC] commit

If the interface is already a Layer 2 interface, do not run the portswitch command.

Configure a VPLS network.

Configure OSPF on the PEs.

Assign an IP address to each interface on each PE. After OSPF is enabled, the 32-bit loopback interface address of each PE must be advertised.

# Configure PE1.

<HUAWEI> system-view

[~HUAWEI] sysname PE1

[*HUAWEI] commit

[~PE1] interface loopback 1

[*PE1-LoopBack1] ip address 1.1.1.9 32

[*PE1-LoopBack1] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] ip address 192.168.1.1 30

[*PE1-GigabitEthernet0/2/2] undo shutdown

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] ip address 192.168.3.1 30

[*PE1-GigabitEthernet0/2/3] undo shutdown

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] ospf

[*PE1-ospf-1] area 0

[*PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[*PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE1-ospf-1-area-0.0.0.0] quit

[*PE1-ospf-1] quit

[*PE1] commit

# Configure PE2.

<HUAWEI> system-view

[~HUAWEI] sysname PE2

[*HUAWEI] commit

[~PE2] interface LoopBack 1

[*PE2-LoopBack1] ip address 2.2.2.9 32

[*PE2-LoopBack1] quit

[*PE2] interface gigabitethernet 0/2/2

[*PE2-GigabitEthernet0/2/2] ip address 192.168.2.2 30

[*PE2-GigabitEthernet0/2/2] undo shutdown

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet 0/2/3

[*PE2-GigabitEthernet0/2/3] ip address 192.168.3.2 30

[*PE2-GigabitEthernet0/2/3] undo shutdown

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] ospf

[*PE2-ospf-1] area 0

[*PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[*PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.3

[*PE2-ospf-1-area-0.0.0.0] quit

[*PE2-ospf-1] quit

[*PE2] commit

# Configure PE3.

<HUAWEI> system-view

[~HUAWEI] sysname PE3

[*HUAWEI] commit

[~PE3] interface loopback 1

[*PE3-LoopBack1] ip address 3.3.3.9 32

[*PE3-LoopBack1] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] ip address 192.168.1.2 30

[*PE3-GigabitEthernet0/2/2] undo shutdown

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] ip address 192.168.2.1 30

[*PE3-GigabitEthernet0/2/3] undo shutdown

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] ospf

[*PE3-ospf-1] area 0

[*PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[*PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[*PE3-ospf-1-area-0.0.0.0] quit

[*PE3-ospf-1] quit

[*PE3] commit

After the configurations are complete, PE1 and PE2 both have routes, discovered by OSPF, to loopback1 of each other. PE1 and PE3 also have routes, discovered by OSPF, to loopback1 of each other.

The following example uses the command output on PE1.

[~PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 14       Routes : 14

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

        1.1.1.9/32  Direct 0    0             D  127.0.0.1       LoopBack1
        2.2.2.9/32  OSPF   10   1             D  192.168.3.2     GigabitEthernet0/2/3
        3.3.3.9/32  OSPF   10   1             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.1.0/24  Direct 0    0             D  192.168.1.1     GigabitEthernet0/2/2
    192.168.1.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
  192.168.1.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/2
    192.168.2.0/24  OSPF   10   2             D  192.168.3.2     GigabitEthernet0/2/3
                    OSPF   10   2             D  192.168.1.2     GigabitEthernet0/2/2
    192.168.3.0/24  Direct 0    0             D  192.168.3.1     GigabitEthernet0/2/3
    192.168.3.1/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
  192.168.3.255/32  Direct 0    0             D  127.0.0.1       GigabitEthernet0/2/3
       127.0.0.0/8  Direct 0    0             D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0             D  127.0.0.1       InLoopBack0
127.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0
255.255.255.255/32  Direct 0    0             D  127.0.0.1       InLoopBack0

[*PE1] ping 192.168.2.2

  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/6 ms

Enable basic MPLS functions and MPLS LDP.

# Configure PE1.

[*PE1] mpls lsr-id 1.1.1.9

[*PE1] mpls

[*PE1-mpls] quit

[*PE1] mpls ldp

[*PE1-mpls-ldp] quit

[*PE1] interface gigabitethernet 0/2/2

[*PE1-GigabitEthernet0/2/2] mpls

[*PE1-GigabitEthernet0/2/2] mpls ldp

[*PE1-GigabitEthernet0/2/2] quit

[*PE1] interface gigabitethernet 0/2/3

[*PE1-GigabitEthernet0/2/3] mpls

[*PE1-GigabitEthernet0/2/3] mpls ldp

[*PE1-GigabitEthernet0/2/3] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls lsr-id 2.2.2.9

[*PE2] mpls

[*PE2-mpls] quit

[*PE2] mpls ldp

[*PE2-mpls-ldp] quit

[*PE2] interface gigabitethernet0/2/2

[*PE2-GigabitEthernet0/2/2] mpls

[*PE2-GigabitEthernet0/2/2] mpls ldp

[*PE2-GigabitEthernet0/2/2] quit

[*PE2] interface gigabitethernet0/2/3

[*PE2-GigabitEthernet0/2/3] mpls

[*PE2-GigabitEthernet0/2/3] mpls ldp

[*PE2-GigabitEthernet0/2/3] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls lsr-id 3.3.3.9

[*PE3] mpls

[*PE3-mpls] quit

[*PE3] mpls ldp

[*PE3-mpls-ldp] quit

[*PE3] interface gigabitethernet 0/2/2

[*PE3-GigabitEthernet0/2/2] mpls

[*PE3-GigabitEthernet0/2/2] mpls ldp

[*PE3-GigabitEthernet0/2/2] quit

[*PE3] interface gigabitethernet 0/2/3

[*PE3-GigabitEthernet0/2/3] mpls

[*PE3-GigabitEthernet0/2/3] mpls ldp

[*PE3-GigabitEthernet0/2/3] quit

[*PE3] commit

The following example uses the command output on PE1.

[~PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
--------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge       KASent/Rcv
--------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01   6/6
 3.3.3.9:0          Operational  DU   Passive  0000:00:00   1/1
--------------------------------------------------------------------------
TOTAL: 2 Session(s) Found.

If PEs are not directly connected, run the mpls ldp remote-peer command and remote-ip command to set up a remote LDP session between PEs.

Enable MPLS L2VPN.

# Configure PE1.

[*PE1] mpls l2vpn

[*PE1-l2vpn] quit

[*PE1] commit

# Configure PE2.

[~PE2] mpls l2vpn

[*PE2-l2vpn] quit

[*PE2] commit

# Configure PE3.

[~PE3] mpls l2vpn

[*PE3-l2vpn] quit

[*PE3] commit

Configure a VSI and QinQ stacking sub-interfaces and bind these sub-interfaces to the VSI.

# Configure PE1.

[~PE1] vsi ldp1 static

[*PE1-vsi-ldp1] pwsignal ldp

[*PE1-vsi-ldp1-ldp] vsi-id 2

[*PE1-vsi-ldp1-ldp] peer 2.2.2.9

[*PE1-vsi-ldp1-ldp] peer 3.3.3.9

[*PE1-vsi-ldp1-ldp] quit

[*PE1-vsi-ldp1] quit

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] qinq stacking vid 10

[*PE1-GigabitEthernet0/2/1.1] qinq stacking vid 20

[*PE1-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] commit

# Configure PE2.

[~PE2] vsi ldp1 static

[*PE2-vsi-ldp1] pwsignal ldp

[*PE2-vsi-ldp1-ldp] vsi-id 2

[*PE2-vsi-ldp1-ldp] peer 1.1.1.9

[*PE2-vsi-ldp1-ldp] peer 3.3.3.9

[*PE2-vsi-ldp1-ldp] quit

[*PE2-vsi-ldp1] quit

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] qinq stacking vid 10

[*PE2-GigabitEthernet0/2/1.1] qinq stacking vid 20

[*PE2-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[*PE2-GigabitEthernet0/2/1.1] quit

[*PE2] commit

# Configure PE3.

[~PE3] vsi ldp1 static

[*PE3-vsi-ldp1] pwsignal ldp

[*PE3-vsi-ldp1-ldp] vsi-id 2

[*PE3-vsi-ldp1-ldp] peer 1.1.1.9

[*PE3-vsi-ldp1-ldp] peer 2.2.2.9

[*PE3-vsi-ldp1-ldp] quit

[*PE3-vsi-ldp1] quit

[*PE3] interface gigabitethernet 0/2/1.1

[*PE3-GigabitEthernet0/2/1.1] qinq stacking vid 10

[*PE3-GigabitEthernet0/2/1.1] qinq stacking vid 20

[*PE3-GigabitEthernet0/2/1.1] l2 binding vsi ldp1

[~PE3-GigabitEthernet0/2/1.1] quit

[*PE3] commit

When you configure the QinQ stacking sub-interfaces, specify only the VLAN IDs in the inner VLAN tags. The outer VLAN tag is automatically assigned by the system.

[~PE1] display vsi name ldp1 verbose

 ***VSI Name               : ldp1
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 1
    PW Signaling           : ldp
    Member Discovery Style : static
    Bridge-domain Mode     : disable
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Service Class          : --
    Color                  : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 3 minutes, 8 seconds
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 17
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              :0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 1
    NKey                   : 3154116711
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
   *Peer Router ID         : 3.3.3.9
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 18
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    CKey                   : 2
    NKey                   : 3154116712
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable

    Interface Name         : GigabitEthernet0/2/1.1
    State                  : up
    Access Port            : false
    Last Up Time           : 2012/07/19 03:19:14
    Total Up Time          : 0 days, 0 hours, 3 minutes, 11 seconds

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 17
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001006a5c21
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 1
    Nkey                   : 3154116711
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds
   *Peer Ip Address        : 3.3.3.9
    PW State               : up
    Local VC Label         : 18
    Remote VC Label        : 17
    Remote Control Word    : disable
    PW Type                : label
    Tunnel ID              : 0x0000000001004c4b43
    Broadcast Tunnel ID    : --
    Broad BackupTunnel ID  : --
    Ckey                   : 2
    Nkey                   : 3154116712
    Main PW Token          : 0x0
    Slave PW Token         : 0x0
    Tnl Type               : ldp
    OutInterface           : LDP LSP
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2012/07/19 03:21:09
    PW Total Up Time       : 0 days, 0 hours, 0 minutes, 29 seconds

Verify the configuration.

After the configurations are complete, run the display qinq information stacking interface command to view information about QinQ stacking sub-interfaces. The command output shows that the sub-interfaces are bound to the VSI.

The following example uses the command output on PE1.

[*PE1] display qinq information stacking interface gigabitethernet 0/2/1

  GigabitEthernet0/2/1.1
    VSI bound
    Total QinQ Num: 2
      qinq Stacking vid 10
      qinq Stacking vid 20
    Total vlan-group Num: 0

Hosts attached to CE1, CE2, and CE3 can ping each other.

[~CE1] ping 10.1.1.2

  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=43 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=98 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=181 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=129 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/96/181 ms

[*CE1] ping 10.1.1.3

  PING 10.1.1.3: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 10.1.1.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 0/2/223 ms

Configuration Files

PE1 configuration file

#
 sysname PE1
#
 mpls lsr-id 1.1.1.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.3.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
 mpls lsr-id 2.2.2.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.3.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 192.168.3.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
 mpls lsr-id 3.3.3.9
#
 mpls
#
 mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
interface GigabitEthernet0/2/1
 undo shutdown
#
interface GigabitEthernet0/2/1.1
 qinq stacking vid 10
 qinq stacking vid 20
 l2 binding vsi ldp1
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.2.0 0.0.0.3
#
return

Device A configuration file

#
 sysname DeviceA
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device B configuration file

#
 sysname DeviceB
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

Device C configuration file

#
 sysname DeviceC
#
 vlan batch 10 20
#
interface GigabitEthernet0/2/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/2/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.1.1.3 255.255.255.0
#
return

CE4 configuration file

#
 sysname CE4
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
return

CE5 configuration file

#
 sysname CE5
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
return

CE6 configuration file

#
 sysname CE6
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.2.1.3 255.255.255.0
#
return

Example for Configuring Untagged+DSCP Policy-based L3VPN Access

This section provides an example of networking in which PE1 receives untagged packets carrying different differentiated services code point (DSCP) priorities. You can configure untagged+DSCP policies on the attachment circuit (AC)-side sub-interfaces of PE1 and bind these sub-interfaces to different virtual private network (VPN) instances. This configuration allows PE1 to forward packets to different VPN instances based on their DSCP priorities, differentiating services in VPN instances. In this example, the cell site gateway (CSG) transmits IP services.

Networking Requirements

On a metropolitan area network (MAN), virtual local area network (VLAN) IDs are usually used to differentiate services or users, and traffic is distributed to different virtual switching instances (VSIs), virtual private wire services (VPWSs), or VPN instances. When user or service packets do not carry VLAN tags, VLAN IDs cannot be used to differentiate the users or services, and traffic cannot be distributed based on the VLAN IDs. As a result, some high-priority traffic does not get scheduled properly when passing the carrier network, affecting user experience.

On the network shown in Figure 1-394, packets forwarded by the CSG do not carry VLAN tags, so PE1 cannot differentiate the packets based on VLAN IDs. In this situation, traffic cannot be distributed to different VPN instances for transmission. To address this problem, deploy VLAN policies (untagged+DSCP) on PE1 so that PE1 can distribute packets to different VPN instances based on their DSCP priorities, ensuring that the packets get scheduled properly.

In this example, PE1 parses the DSCP priorities in packets.

The DSCP field is carried in IP packets. To deploy VLAN policies (untagged+DSCP), ensure that the CSG transmits IP services.

Figure 1-394 Networking for untagged+DSCP for L3VPN access

Interfaces 1 through 3 in this example represent GE0/2/1, GE0/2/2, and GE0/2/3, respectively.

Device	Interface	IP Address
CE1	GE0/2/1.1	192.168.1.2/24
CE1	GE0/2/1.2	172.16.1.2/24
CE2	GE0/2/1	192.168.2.2/24
CE3	GE0/2/1	172.17.1.2/24
PE1	GE0/2/1.1	192.168.1.1/24
	GE0/2/1.2	172.16.1.1/24
	GE0/2/2	10.1.1.2/30
	GE0/2/3	10.10.1.2/30
	Loopback1	1.1.1.9/32
PE2	GE0/2/1.1	192.168.2.1/24
	GE0/2/2	10.1.1.1/30
	Loopback1	2.2.2.9/32
PE3	GE0/2/1.1	172.17.1.1/24
	GE0/2/2	10.10.1.1/30
	Loopback1	3.3.3.9/32

Configuration Roadmap

The configuration roadmap is as follows:

Configure basic Layer 3 virtual private network (L3VPN) functions.
1. Enable an Interior Gateway Protocol (IGP) on the backbone network for communication between routers on the backbone network.
2. Configure basic Multiprotocol Label Switching (MPLS) functions and MPLS Label Distribution Protocol (LDP), and set up MPLS label switched paths (LSPs) on the backbone network.
3. Set up LSPs between the provider edges (PEs).
4. Create VPN instances on the PEs.
Configure VLAN policies (untagged+DSCP) and bind AC-side sub-interfaces of the PEs to the VPN instances.
Configure basic Layer 2 forwarding functions on the CSG.
Configure External Border Gateway Protocol (EBGP) on the customer edges (CEs) and PEs to exchange VPN routing information.
Establish Multiprotocol Internal Border Gateway Protocol (MP-IBGP) peer relationships between the PEs.

Data Preparation

To complete the configuration, you need the following data:

IP address of each interface
Names of the VPN instances on the PEs
Route distinguishers (RDs) and VPN targets of the VPN instances
Numbers of the interfaces that are bound to the VPN instances

Procedure

Configure basic L3VPN functions.

Configure an IP address for each interface of the CEs and PEs according to Figure 1-394. For details, see configuration files in this example.

Configure an IGP on the MPLS backbone network. Open Shortest Path First (OSPF) is used in this example.

For details, see configuration files in this example.

After OSPF is configured, PE1 has an OSPF route to Loopback1 of PE2 and another OSPF route to Loopback1 of PE3. PE2 and PE3 each have an OSPF route to Loopback1 of PE1. In addition, the PEs can ping each other.

<PE1> display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto  Pre  Cost        Flags NextHop         Interface

      1.1.1.9/32    Direct 0    0             D   127.0.0.1       LoopBack1
      2.2.2.9/32    OSPF   10   1             D   10.1.1.1        GigabitEthernet0/2/2
      3.3.3.9/32    OSPF   10   1             D   10.10.1.1       GigabitEthernet0/2/3
     10.1.1.0/30    Direct 0    0             D   10.1.1.2        GigabitEthernet0/2/2
     10.1.1.2/32    Direct 0    0             D   127.0.0.1       GigabitEthernet0/2/2
    10.10.1.0/30    Direct 0    0             D   10.10.1.2       GigabitEthernet0/2/3
    10.10.1.2/32    Direct 0    0             D   127.0.0.1       GigabitEthernet0/2/3
     127.0.0.0/8    Direct 0    0             D   127.0.0.1       InLoopBack0
    127.0.0.1/32    Direct 0    0             D   127.0.0.1       InLoopBack0

<PE1> ping 2.2.2.9

PING 2.2.2.9: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.9: bytes=56 Sequence=1 ttl=255 time=120 ms
    Reply from 2.2.2.9: bytes=56 Sequence=2 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=3 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=4 ttl=255 time=90 ms
    Reply from 2.2.2.9: bytes=56 Sequence=5 ttl=255 time=90 ms

  --- 2.2.2.9 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 90/96/120 ms

Enable basic MPLS functions and LDP on the MPLS backbone network.

For details, see configuration files in this example.

After MPLS LSPs are set up, LDP sessions are set up between PE1 and PE2 and between PE1 and PE3. The display mpls ldp session command output shows that the Status field is Operational.

<PE1> display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 An asterisk (*) before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:00  3/3
 3.3.3.9:0          Operational DU   Passive  0000:00:00  2/2
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.

Configure VPN instances.

# Configure PE1.

<PE1> system-view

[*PE1] ip vpn-instance vpn1

[*PE1-vpn-instance-vpn1] route-distinguisher 100:1

[*PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE1-vpn-instance-vpn1-af-ipv4] quit

[*PE1] ip vpn-instance vpn2

[*PE1-vpn-instance-vpn2] route-distinguisher 100:2

[*PE1-vpn-instance-vpn2-af-ipv4] vpn-target 100:2 both

[*PE1-vpn-instance-vpn2-af-ipv4] commit

[~PE1-vpn-instance-vpn2-af-ipv4] quit

# Configure PE2.

<PE2> system-view

[*PE2] ip vpn-instance vpn1

[*PE2-vpn-instance-vpn1] route-distinguisher 100:1

[*PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both

[*PE2-vpn-instance-vpn1-af-ipv4] commit

[~PE2-vpn-instance-vpn1-af-ipv4] quit

# Configure PE3.

<PE3> system-view

[*PE3] ip vpn-instance vpn2

[*PE3-vpn-instance-vpn2] route-distinguisher 100:2

[*PE3-vpn-instance-vpn2-af-ipv4] vpn-target 100:2 both

[*PE3-vpn-instance-vpn2-af-ipv4] commit

[~PE3-vpn-instance-vpn2-af-ipv4] quit

Configure VLAN policies (untagged+DSCP) and bind AC-side sub-interfaces of the PEs to the VPN instances.

# Configure PE1.

<PE1> system-view

[*PE1] interface gigabitethernet 0/2/1.1

[*PE1-GigabitEthernet0/2/1.1] untagged dscp 3

[*PE1-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE1-GigabitEthernet0/2/1.1] ip address 192.168.1.1 24

[*PE1-GigabitEthernet0/2/1.1] quit

[*PE1] interface gigabitethernet 0/2/1.2

[*PE1-GigabitEthernet0/2/1.2] untagged dscp 2

[*PE1-GigabitEthernet0/2/1.2] ip binding vpn-instance vpn2

[*PE1-GigabitEthernet0/2/1.2] ip address 172.16.1.1 24

[*PE1-GigabitEthernet0/2/1.2] commit

[~PE1-GigabitEthernet0/2/1.2] quit

# Configure PE2.

<PE2> system-view

[*PE2] interface gigabitethernet 0/2/1.1

[*PE2-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1

[*PE2-GigabitEthernet0/2/1.1] ip address 192.168.2.1 24

[*PE2-GigabitEthernet0/2/1.1] commit

[~PE2-GigabitEthernet0/2/1.1] quit

# Configure PE3.

<PE3> system-view

[*PE3] interface gigabitethernet 0/2/1.1

[*PE3-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn2

[*PE3-GigabitEthernet0/2/1.1] ip address 172.17.1.1 24

[*PE3-GigabitEthernet0/2/1.1] commit

[~PE3-GigabitEthernet0/2/1.1] quit

After the configurations are complete, run the display ip vpn-instance verbose command on the PEs to view the configurations of VPN instances.

The following example uses the command output on PE1.

[*PE1] display ip vpn-instance verbose

 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

  VPN-Instance Name and ID : vpn1, 1
  Address family ipv4
  Create date : 2009/09/01 17:22:49
  Up time : 0 days, 00 hours, 11 minutes and 46 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets :  100:1
  Import VPN Targets :  100:1
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Log Interval : 5
  Interfaces : GigabitEthernet0/2/1.1

  VPN-Instance Name and ID : vpn2, 2
  Address family ipv4
  Create date : 2009/09/01 17:27:07
  Up time : 0 days, 00 hours, 07 minutes and 28 seconds
  Route Distinguisher : 100:2
  Export VPN Targets :  200:2
  Import VPN Targets :  200:2
  Label Policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Log Interval : 5
  Interfaces : GigabitEthernet0/2/1.2

Configure basic functions on the CSG.
The configuration details are not provided here. The CSG must meet the following conditions:
- Support for DSCP priority configuration using commands
Establish EBGP peer relationships between the PEs and CEs and import VPN routes.
For details, see the chapter "BGP/MPLS IP VPN Configuration" in the NetEngine A800 series Configuration Guide - VPN or configuration files in this example.
Establish MP-IBGP peer relationships between the PEs.
For details, see the chapter "BGP/MPLS IP VPN Configuration" in the NetEngine A800 series Configuration Guide - VPN or configuration files in this example.

Verify the configuration.

After the configurations are complete, run the display bgp peer command on the PEs. The command outputs show that BGP peer relationships are established between the PEs and in the Established state.

The command output on PE1 is used as an example.

[*PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer        V      AS  MsgRcvd  MsgSent  OutQ  Up/Down    State       PrefRcv

  2.2.2.9     4      100    10     15       0    00:04:53   Established   0
  3.3.3.9     4      100    6      11       0    00:01:06   Established   2

Run the display ip routing-table vpn-instance command on the PEs to view the routes to peer CEs.

The following example uses the command output on PE1.

[*PE1] display ip routing-table vpn-instance vpn1

Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: vpn1
         Destinations : 3        Routes : 3

Destination/Mask   Proto  Pre  Cost      Flags NextHop       Interface

  192.168.1.0/24   Direct 0    0         D     192.168.1.1   GigabitEthernet0/2/1.1
  192.168.1.1/32   Direct 0    0         D     127.0.0.1     GigabitEthernet0/2/1.1
  192.168.2.0/24   BGP    255  0         RD    2.2.2.9       GigabitEthernet0/2/2

[*PE1] display ip routing-table vpn-instance vpn2

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table: vpn1
         Destinations : 3        Routes : 3

Destination/Mask   Proto  Pre  Cost      Flags NextHop       Interface

   172.16.1.0/24   Direct 0    0         D     172.16.1.1    GigabitEthernet0/2/1.2
   172.16.1.1/32   Direct 0    0         D     127.0.0.1     InLoopBack0
   172.17.1.0/24   BGP    255  0         RD    3.3.3.9       GigabitEthernet0/2/3

Run the display interface vlan command to view the VLAN policy configured on a specified interface.

The following example uses the command output on PE1.

[*PE1] display interface gigabitethernet0/2/1 vlan untagged

Interface           VlanPolicy
-----------------------------------------------------------
GE0/2/1.2           dscp 2
GE0/2/1.1           dscp 3
-----------------------------------------------------------
Interface:GE0/2/1 VLAN ID: UNTAGGED Sub-Interface num: 2

Configuration Files

PE1 configuration file

#
 sysname PE1
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpn2
 route-distinguisher 100:2
 apply-label per-instance
 vpn-target 100:2 export-extcommunity
 vpn-target 100:2 import-extcommunity
#
 mpls lsr-id 1.1.1.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/2/1.1
 untagged dscp 3
 ip binding vpn-instance vpn1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/2/1.2
 untagged dscp 2
 ip binding vpn-instance vpn2
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 10.1.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet0/2/3
 undo shutdown
 ip address 10.10.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 192.168.1.2 as-number 65410
 #
 ipv4-family vpn-instance vpn2
  import-route direct
  peer 172.16.1.2 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.10.1.0 0.0.0.3
#
return

PE2 configuration file

#
 sysname PE2
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 apply-label per-instance
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
 mpls lsr-id 2.2.2.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn1
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
 undo synchronization
 peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 192.168.2.2 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 10.1.1.0 0.0.0.3
#
return

PE3 configuration file

#
 sysname PE3
#
ip vpn-instance vpn2
 route-distinguisher 100:2
 apply-label per-instance
 vpn-target 100:2 export-extcommunity
 vpn-target 100:2 import-extcommunity
#
 mpls lsr-id 3.3.3.9
 mpls
#
 mpls l2vpn
#
mpls ldp
#
interface GigabitEthernet0/2/1.1
 ip binding vpn-instance vpn2
 ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet0/2/2
 undo shutdown
 ip address 10.10.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 172.17.1.2 as-number 65421
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 10.10.1.0 0.0.0.3
#
return

CE1 configuration file

#
 sysname CE1
#
interface GigabitEthernet0/2/1.1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
bgp 65410
 peer 192.168.1.1 as-number 100
#
interface GigabitEthernet0/2/2.1
 undo shutdown
 ip address 172.16.1.2 255.255.255.0
bgp 65410
 peer 172.16.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.1.1 enable
  peer 172.16.1.1 enable
#
return

CE2 configuration file

#
 sysname CE2
#
interface GigabitEthernet0/2/1.1
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
bgp 65420
 peer 192.168.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.2.1 enable
#
return

CE3 configuration file

#
 sysname CE3
#
interface GigabitEthernet0/2/1.1
 undo shutdown
 ip address 172.17.1.2 255.255.255.0
bgp 65421
 peer 172.17.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 172.17.1.1 enable
#
return

Overview of QinQ
Feature Requirements for QinQ
Summary of QinQ Configuration Tasks
Configuring the QinQ Function
Configuring QinQ-based VLAN Tag Swapping
Configuring QinQ Mapping
- Configuring 1 to 1 QinQ Mapping
- Verifying the QinQ Mapping Configuration
Configuring IP Services on a VLAN Tag Termination Sub-Interface
Configuring a VLAN Tag Termination Sub-interface to Transmit the VPN Service
Configuring Multicast Services on a VLAN Tag Termination Sub-interface
Configuring an L2VPN Service on a QinQ Stacking Sub-interface
Maintaining QinQ
- Clearing QinQ Statistics
- Monitoring the QinQ Operating Status
Configuration Examples for QinQ

Translation

Favorite

Download

Update Date：2023-10-31

Document ID：EDOC1100335687

Downloads：55

Average rating：0.0Points

Digital Signature File

digtal sigature tool