Te ot BEE Advanced VLAN Technologies onyght ©2020 Haw Teshnoagies Co, Ld Al rahe reseedForeword + VLAN technologies are widely used on campus networks. Typically, VLANs are used to isolate broadcast domains. Each VLAN belongs to a broadcast domain. During network planning, a gateway needs to be allocated to each broadcast domain. If there are too many VLANs, itis difficult to plan IP addresses and a large number of |P addresses may be wasted. + In addition, in large enterprises, internal employees as well as many partners work in the enterprise ‘campus. Partners cannot directly access each other. Each partner needs to be assigned a VLAN for isolation, which makes network management and maintenance difficult. Are there any better technologies to solve these problems? + This course describes several advanced VLAN technologies, including VLAN aggregation, MUX VLAN, and Qing, page conth © 22 an Tess Cok Alas rene Se nvawerObjectives + Upon completion of this course, you will be able to: ® Describe the working mechanism of VLAN aggregation. ® Describe application scenarios of MUX VLAN. ® Describe QinQ implementation. ® Perform configurations of VLAN aggregation, MUX VLAN, and QinQ. Page? Copyright © 2020 Huai! Teshnoages Co, LA rahe reseed Se nvawer) Contents 1. VLAN Aggregation 2, MUX VLAN 3. QinQ Page Copyright © 2020 Huai! Teshnoages Co, Ld Arai reseed Se Hvaweladdress all cannot be used as IP addresses of hosts in to communicate, This wastes IP addresses Gateway. YIANIF 10: 192.168.1.62/26, VLANIF 20: 192.168.1.126/26, LAN 30: 192.168.1.190/26, VIAN 10 9216819726 Page 4 Copyright © 2020 Musee! Techroages 192.168.154)26, | Ga VIAN 20 VIAN 20 192.168.1.128/26 ll oats eserves & ) Background of VLAN Aggregation Usually, a Layer 3 switch uses a Layer 3 logical interface in each VLAN ta allow hosts in different broadcast domains + Ona subnet corresponding to 2 VLAN, the subnet ID, directed broadcast address, and subnet default gateway the VLAN. In addition, IP addresses available ina subnet may exceed the number of hosts. These excess IP addresses cannot be used by other VLANs. Cando tne ante o¢ _) 2 Se nvawer= Overview of VLAN Aggregation to casper ah prs reas amano mate AN (bo 3 sl ete and pe he supervean, Se nvawer Page S_ Copyright © 2020 Husa! Teshnoage Co, LA rahe reseed‘Sub-VLAN 10 Sub-VLAN 20. Sub-VLAN 30 1921681.0- 19216R1e4- 192.168.1128 192.1681 127/24 192.1681391/24 192.168.165/28 teway address of all hosts is 68.1,254/24. opyght ©2020 HuaweTechnoogies Co, Ld Al ahs reseed Principle of VLAN Aggregation VLAN aggregation maps each sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and then assigns just one IP subnet to the super-VLAN, This ensures that all sub-VLANs use the IP address of the associated super-VLAN as the gateway IP address to implement Layer 3 connectivity Se nvawer Sub-VLANs share one gateway address to reduce the number of subnet addresses, subnet default gateway addresses, and directed broadcast IP addresses. The switch assigns IP addresses to hosts in sub-VLANs according to the number of hosts. This ensures that each sub-VLAN acts as an independent broadcast domain, conserves IP addresses, and implements flexible addressing.Application of VLAN Aggregation For traditional VLAN technology, each VLAN needs to be assigned a different P address segment. In this example, four Padres Segrnents and four routes are required. n super-VLAN mode, only one P adéres segment needs tobe allocate. Layer 2 VLANS ofthe super-VLAN share the same IP adress segment and Layer 3 gateway n alton, Layer 2 isolation is implementec between VLANS. ronan aed ree es vans tosoane Page” Copyright © 2020 Huai! Teshnoages Co, Ls Araneae Se HvawelCommunication in a Sub-VLAN ‘A sub-VLAN belongs to a broadcast domain, so devices in the same sub-VLAN can directly communicate with each other at Layer 2. Layer? Lay? 4 3 — ‘Sub-VLAN 10 SUB-VLAN 20 192168.1.0/24 9216810724 page 8 Conth © 22 an Tess Co Al gh rene Se nvawerCommunication Between Sub-VLANs ‘After prony ARP is enabled on VLANIF 100 of the super-VLAN, communication between PC1 and PC2 is as follows: ‘When PC finds that PC2 Ison the same network segment a itself and its [ARP table doesnot contain the entry corresponding to PC2, PCI broadcasts an ARP Request packet to request the MAC address of PC2 2. VLANIF 100 corresponding to super-VLAN 100 receives the ARP Request packet from PCI. Because proxy ARP between sub-VLANS is enabled on the gateway, te gateway broadcasts an ARP Request packet to al sub-VLANS oe of Super-VLAN 100 to request the MAC address of PC2 3 After receiving the ARP Request packet, PC2 returns an ARP Reply packet 4. After receiving the ARP Reply packet rom PC2 the gateway sends is MAC Subvian 10 SubMLAN 20 aderes to PC. Then PC1 sends the packets destine for PC2 tothe eee eae 2912s gateway, and the gateway forwards the packets at Layer 3. page conth © 22 ay esos Co Alas resend Se nvawer + When hosts in different sub-VLANs communicate with each other, the hosts send ARP Request packets because IP addresses of the sub-VLANs belong to the same network segment. Actually, different sub-VLANs belong to different broadcast domains. As a result, ARP packets cannot be transmitted to other sub-VLANs, there is no response to ARP Request packets, and the device cannot learn the MAC address of the peer end. As a result, sub-VLANs cannot communicate with each other. + To implement communication between sub-VLANs, enable proxy ARP on the VLANIF interface of the super-VLAN.Zz Layer 2 Communication Between Hosts in Sub-VLANs and Other Devices {GE0/0/0 (Trunk) + Layer 2 communication between hosts in sub- ‘low-pass van 1020 30 VLANs and other devices is the same as Layer 2 SW2 communication within a common VLAN. + A super-VLAN does not belong to any physical interface. That is, a super-VLAN does not process any packet that carries a super-VLAN tag. aoa a Sz SubVLAN 10 SuD-VIAN 20. Sub-VLAN 20 39216R1.1/24 192168.164/24, 192.168..728/24 Page 10 copyright 2020 Huawei Technologies Ca, Ltd All rahts reseed, Se Hvawel + An example of Layer 2 communication of a sub-VLAN is as follows: 2 Packets sent from Host_1 to Switch_1 are tagged with VLAN 10. Although sub- VLAN 10 belongs to super-VLAN 100, SW1 does not change VLAN 10 to VLAN 100 in packets. Packets sent from GEO/0/0 on SW1 are still tagged with VLAN 10. SW1 does not send packets from VLAN 100. When another device sends packets from VLAN 100 to SW1, SW1 discards the packets because there is no physical interface corresponding to super-VLAN 100 on SW1. © For other devices, only sub-VLANs 10, 20, and 30 are valid and all packets are exchanged in the VLANs. The communication between SW1 configured with VLAN aggregation and other devices is similar to normal Layer 2 communication without the super-VLAN. + When a PC in a sub-VLAN needs to communicate with other networks at Layer 3, the PC sends data to the default gateway, that is, the VLANIF interface corresponding to. the super-VLAN, and then routes the data.VLAN Aggregation Configuration Commands 1. Create a super-VLAN. [Huawei-vlan100) aggregate-vian ‘A super-VLAN cannot contain any physical interface, and VLAN 1 cannot be configured as a super-VLAN, The VLAN ID of a super-VLAN must be different from the VLAN ID of a sub- VLAN. 2. Add sub-VLANS to the supet-VLAN. [Huawei-viant00} access-vlan { vlan-id [ to vlan-id2] } Before adding any sub-VLANS to a super-VLAN, ensure that they are not configured with VLANIF interfaces. 3. (Optional) Enable proxy ARP on the VLANIF interface corresponding to a super-VLAN. [Huawei-vlanif100] arp-proxy inter-sub-vian-proxy enable Enable proxy ARP between sub-VLANS. Page 11 Copyright © 2020 Huawet Technologies Ca, Ltd. All nahts reserve. Me HuAWe!terispea05/24 ceoioy 0/0" sws ceo/or| O O VLAN aggregation is configured on SW/1, as shown in the figure. Page 12 Copyright © 2020 Huai! Teshnoages Co, Ls Alrahte reseed Example for Configuring VLAN Aggregation (1) SW1 configuration: [SW van bate 102 Lb [sw ertace gpstetemet [SW-cgnbtetere1 port eye rank [SA1-cgaitetereo( port trunk alow-pas an Yo [sw nerace Ganonememe9}o72 [sWr-cgabetnemeo}(2 port inky trunk [sAr-cigabtetneeo}2 port rn aom-pas van 20 1 crates siperv.an, [sw terace vari 00| [swtearo0 ip aes 1921681256 28 [swear rp itera lan pony endl Se Hvawelterispea05/24 stoi «oy sw copa Cl C VLAN aggregation is configured on SW/1, as shown in the figure. Page 12 Copyright © 2020 Huai! Teshnoage Co, Ls Alrahte reseed Example for Configuring VLAN Aggregation (2) ‘SW1 configuration: [sw vn 200 [sw terace gnbtetemet}3 [sW-cgabtetereo}(3) port nye acess [sW-cnaittheret8] pot deft van 200 'SW2 configuration: (502 van 10 (sw inerace Ggadtemeneo}j2 [sw2-cgabittineme0}92 port nye acess [sw2-cignittnere0}2 pot deta van 10 (502 eta [sW2.cgebittere0}/) port key tank [SW2.cgaiEtere0}1 pot trunk tom: pas van 10 Se nvawer) Contents 1. VLAN Aggregation 2. MUX VLAN 3. QinQ Page 1 Copyright © 2020 Huai! Teshnoage Co, LA rahe reseed Se nvawerBackground of MUX VLAN Con an enterprise network, networks of different departments need to be independent ofeach other. VLAN technology can be used to meet this equirement 3 large-scale enterprise has 2 large number of partners the parners must be able ta access the servers ofthe lemterrise but cannot access each other. In this case, the traditional VLAN technology requires a large number of VLAN IDs and increases the workload of network administrators and maintenance workload “The Multiple VALAN (MUX VLAN) function used to control network resources based on VLANS, Pc pc2_| PC3_ PC Pce Department A_| Department 8 || Guest area page 8 Connth © 2 ay Tess Co Alas rene Se nvawerBasic Concepts of MUX VLAN MUX VLANS are classified into principal VLANs and subordinate VLANs, Subordinate VLANs are classified into separate VLANs and group VLANs. Principal VLAN MUX VLAN Stara pacpaliwrare age Separate VLAN Separate port ld tom ser pent maces Subordinate VAN Thesame goup WAN, bt cant Group VLAN Group port | Smsseh tetas mabe gmp Page 16 Copyright © 2020 Huawet Technologies Ca, Ltd. All nah reserve. Me HuAWe! + Either the separate VLAN or group VLAN must be bound to a principle VLAN. + Interfaces in a principal VLAN can communicate with other interfaces in the same MUX VLAN.CH CH)CH CCH Ca met pea | pcs Pc || esc opyght ©2020 HuaweTechnoogies Co, Ld Al ahs reseed ED Application of MUX VLAN (On a switch, VIANs of departments A and @ are configured as subordinate group VLANS, the VLAN of the guest area is configured a subordinate separate VIAN, and the VLAN of the Interface connacted to the server is configured as the Principal VIAN. In addition, all the subordinate VLANS are bound te the principal VLAN. In this way, the folowing network design requirements are met any in the quest area can access only the server and canot acess Se HvawelMUX VLAN Configuration Commands 1. Configure a principal VLAN for MUX VLAN. {Huawel-lan00] mux-vian The VLAN is configured as a MUX VLAN, that i, principal VLAN, The VLAN ID assigned to a principal VLAN Cannot be used as the super-VLAN or sub-VLAN. 2. Configure a group VAN. {Huawel-vian’00] subordinate group { vian-idf (to vian-id2) } ‘A maximum of 128 group VLANs can be configured for a principal VLAN 3. Configure a separate VLAN {Huawel-lan100] subordinate separate vlan-id Only one separate VLAN can be configured fora principal VLAN. The IDs ofthe group VLAN and separate VLAN in a MUX VLAN must be citferent. 4. Enable the MUX VLAN function on an Interface. {Huawel-Gigabitéthemet0/0/1] port mux-vlan enable vian-id Interfaces of negotiaton-auto and negotiation-desirable types do not support the port mux-vlan enable Page 18 Conyigh 2020 Huse Techno Co, Li. Alles zee Me nvawer + The MUX VLAN function must be enabled to implement the following functions: The principal VLAN and subordinate VLAN can communicate with each other. interfaces in a group VLAN can communicate with each other. Interfaces in a separate VLAN cannot communicate with each other.VIAN 100 Ch C3 CH CF CF CH Department A Department Best area VIAN 10. MAN 20. YAN 0 opyght ©2020 HuaweTechnoogies Co, Ld Al ahs reseed MUX VLAN Configuration Example SW1 configuration: [swt vin bate 1029 30 100 [sa van 100 [sw ner ene) [swr-cgnbitetnere9} port inky acess [sw-cignite nero port taut van 10 ne eon, and arene rode Se Hvawel& ) Verifying the MUX VLAN Configuration Check the VLAN configuration and run the ping command to check the network connectivity between PCS (192.168.15/24) and PC6 (192.168.1.6/24). [sw!}eisplay vlan ‘The total number of vans is:5 U:Up;D:Down, TG: Tagged; UT: Untaggee: MP. Vian-mapaing ST. Vlan-stackng +# ProtocotTransparentvian;* Management-van, Vid Type Ports 0. mux-sub UTSGEO/0/1(U) GE0/0/2(U) 20 mux-sub UTGEO/O/3(¥) —GE0/0/4(U) 30_mux-sub UT-GEO/O/S(U) GE0/0/6(U) 0 ix UTGEO/O/24(U) Page 20. Cepyight © 2020 Huawe! Technologies Co, Lt A ahs reseed PCSpping 192.6816 ing 182,168.16: 32 data bytes, Press CW to break From 192.168.15: Destination host unreachable From 192.1685: Destination host unreachable From 192.168. 5: Destination host unreachable From 192.168.5: Destination host unreachable From 192.168.15: Destination host unreachable ~-192.168.15 ping statistics — ' packets) transmitted © packets) received 100.00% packet loss Se nvawer) Contents 1. VLAN Aggregation 2. MUX VLAN 3. Qing Page 21 Copyright © 2020 Huai! Teshnoages Co, Ls Arai reseed Se nvawer6 ) Overview of QinQ + As Ethernet technologies have been deployed on many networls, using only the VLAN tag defined in IEEE 802.1 cannot effectively identify and isolate a large numberof users. A 12-bit VLAN tag defined in IEEE 802.1Q identifies a maximum of only 4096 VLANs, which is insufficient for a great number of users on the metro Ethernet. 802.1Q-in- 202.10 (Qin) was developed to expand VLAN space beyond 4096 VLANS Qing expands VLAN space by adding an additonal 802.10 tag to 802.10 tagged packets. ‘As shown in the figure, user packets carty double tags an the public network. The Inner tag Isa private netwark tag, and the outer tag Is a public network tag. Public network Enterprise HQ Enterprise branch User packet Private network tag lll Public network tag Page 22 Copyright © 2020 Huai! Teshnoage Co, LA rahe reseed Se nvawerFormat of QinQ Packets In QinQ encapsulation, two VLAN tags are added to the end of the source MAC address field of an untagged Ethernet data frame, Untagged frame DA sa |rvpejtencT| pata | cs Qing DA sa EE) we | pata | rcs encapsulation ec ox6100 pai |r) VLAN ID Ci2bits) meh Pee ro | tr Page 22 Copyright © 2020 usw! Teshnoage Co, LA rahe reseed Me nvawer + Tag Protocol Identifier (TPID): indicates the frame type. The value 0x8100 indicates an 802.1Q-tagged frame. A device that does not support 802.1Q discards 802.1Q frames. For the inner 802.1Q tag, the value is set to 0x8100. For the outer 802.1Q tag, different vendors may use different values. 0x8100: is used by Huawei routers. 0x88A8: 802.1ad specifies that the TPID in the outer 802.1Q tag is 0x88a8. + Ona Huawei device, the default value of the outer 802.1Q tag is 0x8100, which can be changed using a command.ED QinQ Implementation Devices forward packets over the public network based on outer VLAN tags of packets, and learn MAC addresses from the outer VLAN tags. The private VLAN tags in the packets are forwarded as payload of the packets. Even ifthe private network VLAN tags are the same, the public network VLAN tags can be used to differentiate users. [1-10 J =a a WLANs 1-20 IANS 10 TI Packets of enterprise 8 + The private VLANs of enterprise A and enterprise B are VLANs 1 to 10 and VLANs 1 to 20, respectively. The public network allocates public VLANs 3 and 4 to enterprise A and enterprise B respectively. When tagged packets from enterprises A and B arrive at the public network, they are tagged with additional VLAN tags, that is, VLAN 3 for enterprise A's packets and VLAN 4 for enterprise B's packets. In this way, packets from enterprise networks are separately transmitted on the public network, even though the two networks have overlapping VLAN IDs. After packets traverse the public network, public VLAN tags of the packets at the receiving PE are removed. Then the packets are forwarded to the CE of their respective user network.Implementation of QinQ — Basic QinQ Packet processing of basic QinQ: 1. SW receives a packet tagged with VIAN 10 or 20 and sends the packet to sw2 2. When receiving the packet, SW2 adds an outer tag with VLAN 100 tothe packet 3. The packet with double tagsis forwarded according tothe Layer? forwarting process. 4 ter receiving the packet from VLAN 100, SW3 removes the cuter tag with VLAN 100, SW3 then sends the packet that cartes only one tag with VIAN 10 or 20 to Wa 5. After receiving the packet, SW forwards according to its VLAN ID and destination MAC adress. page 25 _conth © 22 an esos Lk. Alas rene Se nvawer + Basic QinQ is implemented based on interfaces. When a packet arrives at an interface that has basic QinQ enabled, the device will tag it with the interface's default VLAN tag, regardless of whether the packet is already tagged or untagged. After being processed by basic QinQ on an interface, single-tagged packets change into double- tagged packets, and untagged packets change into single-tagged packets with the default VLAN tag of the interface. + Interface-based QinQ inflexibly encapsulates the outer VLAN tag. The device on which interface-based QinQ is enabled cannot change the encapsulation method used for the outer VLAN tag based on service types.Implementation of QinQ — Selective QinQ Packet processing of selective QinQ 1. When receiving the packet tagged with VLAN 10 or VLAN 20, WT Forwards the packet to SW2 2. When receiving the packet tagged with VLAN 10, SW2 adds an ‘outer tag With VLAN 100 tothe packet When receiving the packet tagges with VLAN 20, SW2 adds an outer tag with ‘VIAN 200 to the packet. 3. The packet with double tags is forwarded according tothe Layer? forwarding proces. 4, Alter receiving the packet, SW3 removes the outer tag with ‘VLAN 100 of 200, 3 then sends the packet that cartes only jane tag with VLAN 10 ar 20 to SW, Alter receiving the packet, SW forwards it according to its ‘VIAN ID and destination MAC adress. page 26 Conth © 22 an Tego ik. Algae Se nvawer + Selective QinQ allows the device to select whether to tag packets, or determine the type of outer VLAN tags to be encapsulated, according to the traffic classification result, Selective QinQ can classify traffic based on the VLAN tag, priority, MAC address, IP protocol, source IP address, destination IP address, or port number of an application program. + VLAN ID-based selective QinQ: adds outer VLAN tags based on inner VLAN IDs. + 802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities in inner VLAN tags. + Traffic policy-based selective Qin: adds different outer VLAN tags based on QoS policies so that differentiated services can be provided based on service types. + Selective QinQ is an extension of basic QinQ and is more flexible. The difference is as follows: = Basic QinQ: adds the same outer VLAN tag to all packets arriving at a Layer 2 interface. © Selective QinQ: adds different outer VLAN tags to packets arriving at a Layer 2 interface based on inner VLAN tagsQinQ Application on Campus Networks Scenario Requirements ee Y a - Solution = 3. Gini depen te cena octane oe 27 cepa ato Hua Techs co, Alla seve Se nvawer + Broadband Remote Access Server (BRAS): The BRAS aggregates and forwards service flows, meeting different user requirements for the transmission rate and broadband utilization. Therefore, it is the core device for broadband user access. + Broadcast, unknown unicast, and multicast (BUM): The switch floods BUM packets.QinQ Configuration Commands 1. Configure the interface as a dottg tunnel interface. [Huawei-Gigabitethemet0/0/1) port link-type dotfq-tunnet rank inter The interface ean be a physical interface or an Eth 2. Enable VLAN translation on an interface. [Huawei-Gigabitéthemet0/0/1] ging vian-translation enable 3. Configure selective Qing [Huawei-igabitethernet0/0/1] port vlan-stacking vlan vlan-id! [ to vlan-id2] stack-vlan vian-id3 [ remark- 2021p 8027p-value | Configure different outer VLAN tags for different inner VLAN tags. By default, the priority of the outer VLAN tag isthe same as that of the inner VLAN tag, Page 28 Copyright © 2020 Huawet Technologies Ca, Ltd. All nah reserve. Me HuAWe! + Selective QinQ must be configured on the hybrid interface and the qing vlan- translation enable command must have been executed to enable VLAN translation. Selective QinQ can only take effect on the interface in the inbound direction. + When an interface configured with VLAN stacking needs to remove the outer tag from ‘outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode& ) Example for Configuring Basic QinQ 00 and VAN 20 ae led for ene an rep 2 ee Page 29 Copyright © 2020 Huai! Teshnoages Co, LA rahe reseed ‘SW1 configuration: Sw] van batch 100 200 [SW] interface Gigabitethernet 0/0/1 # Configure VIAN 100 asthe default VLAN on GEO/0/. ism igabitethereto/0/1} port link-type doti-tunne! SW1 -Gigabitethereto/a/1] port default van 100 SW] Interface Gigabitéthemet 0/0/2 # Configure VLAN 200 as the default VLAN on GEO/0/2, [SW/-Gigabitethereto/0/2} pot lnk-lype dotta-tunne SW -Gigabitethernet0/0/2} port default vian 200 SW] interface GigabitEthemet 0/03 SW -Gigabitthernet0/0/3) port ink-type unk ‘SW -Gigabitthernet0/0/3) port trunk alow pass van 100 200 1 Set the TPID value in the olter VIAN tag [SW1-Cigabitethernetoj0/3} ging protocol 9100 “Te cantguation ot Sasa otha of SW, and not rode Se HvawelPage 20 Copyght © 2020 Huai! Teshnoages Co, Ld Al rahe reseed ED Example for Configuring Selective QinQ SW1 configuration: SW] Man bath 23 SW] rfc GgabiEhere 01 or: nkeype yoni or yg utagned van23 pore van-staching an 100 sacevan 2 Gigabit 00/2 her} pre type ark het} pt rank alow pas van 23 ‘SW -cigebecthere0/92} gut Se nvawer3 Quiz (Single) When a sub-VLAN communicates with an external network at Layer 2, what is the VLAN tagged to packets on the outbound interface? A. Sub-VLAN B. Secondary VIAN . Super-VLAN D. Isolate VLAN (Single) Which of the following statements about QinQ is false? 'A. Qing packets are forwarded based on outer VLAN tags on the public network. B. Qin packets are forwarded based on inner VLAN tags onthe public network . Qin@ provides a simpler Layer 2 VPN tunneling technology. . Qing can be realized through static configuration, without a signaling protocol cen on ne cope Aas ee Se nvaweriz Summary + To implement VLAN aggregation, you need to configure a super-VLAN and sub-VLANs. To enable communication between different sub-VLANs, you need to enable proxy ARP in the super-VLAN. VLAN aggregation prevents complex network address planning caused by subnet assignment and isolates broadcast domains through VLANs. + The MUX VLAN includes a principal VLAN and subordinate VLANs. Subordinate VLANs are classified into separate and group VLANs. A separate interface can communicate only with a principal interface and is isolated from other types of interfaces. A group interface can communicate with a principal interface and the other interfaces in the same group VLAN, but cannot communicate with i other group VLANs or a separate interface. faces in + Qing technology expands the number of VLANs, and allows user packets tagged with private VLAN IDs to be transparently transmitted on the public network. page 32 _Conth © 22nd Co ik Algae Se nvawerThankiyY éu WWW huawei om