01-06 QinQ Configuration

CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Configuration Guide - Ethernet Switching 6 QinQ Configuration
6 QinQ Configuration
This chapter describes the concepts and configuration procedure of 802.1Q-

in-802.1Q (QinQ), and provides configuration examples.
6.1 Overview of QinQ

6.2 Understanding QinQ
6.3 Application Scenarios for QinQ
6.4 Licensing Requirements and Limitations for QinQ
6.5 Configuring QinQ
6.6 Configuration Examples for QinQ
6.1 Overview of QinQ
Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged
packets. A packet carries two 802.1Q tags: a public VLAN tag and a private VLAN
tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify
and isolate large numbers of users on metro Ethernet networks because the 12-bit
VLAN tag field defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs.
QinQ was developed to expand VLAN space beyond 4096 VLANs so that a larger
number of users can be identified on a metro Ethernet network.
QinQ was originally developed to expand VLAN space by adding an additional

802.1Q tag to an 802.1Q-tagged packet. In this way, the number of VLANs can
increase to 4094 x 4094 (values 0 and 4095 are reserved). Packets are forwarded
based on outer VLAN tags on the public network, and devices on the public
network add outer VLAN IDs to MAC address tables of the corresponding VLANs.
Inner VLAN tags of packets are transmitted as data on the public network.
Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 371

Switches
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined
service operation. The outer and inner VLAN tags can be used to differentiate
packets based on users and services. For example, the inner tag represents a user,
while the outer tag represents a service. Moreover, QinQ is used as a simple and
practical virtual private network (VPN) technology because inner tags of QinQ
packets are transparently transmitted over a public network. It extends core
multiprotocol label switching (MPLS) VPN services to metro Ethernet networks to
establish an end-to-end VPN.
Benefits
QinQ offers the following benefits:
● Extends VLANs to isolate and identify more users.
● Facilitates service deployment by allowing the inner and outer tags to
represent different information. For example, use the inner tag to identify a
user and the outer tag to identify a service.
6.2 Understanding QinQ
6.2.1 QinQ Fundamentals

QinQ expands VLAN space by adding an additional 802.1Q VLAN tag to an
802.1Q-tagged packet. Devices forward packets over the public network according
to outer VLAN tags of the packets, and learn MAC addresses from the outer VLAN
tags. The private VLAN tags in the packets are forwarded as payload of the
packets.
Figure 6-1 Typical QinQ application

VLAN 1~20 VLAN 1~10
CE2 CE3 CE4

Customer Customer
network B network A
VLAN 4 VLAN 3
PE1 Pubilc PE2

network
VLAN 3 VLAN 4
Customer Customer
network A network B
CE1 CE2
VLAN 1~10 VLAN 1~20

Switches
As shown in Figure 6-1, customer network A is divided into private VLANs 1 to 10,
and customer network B is divided into private VLANs 1 to 20. The carrier
allocates public VLANs 3 and 4 to customer networks A and B respectively. When
tagged packets from networks A and B arrive at the carrier network, the packets
are tagged outer VLANs 3 and 4. Therefore, the packets from different customer
networks are separated on the carrier network, even though the customer
networks use overlapping VLAN ranges. When the packets reach the PE on the
other side of the carrier network, the PE removes public VLAN tags from the
packets and forwards the packets to the CE of the respective customer network.
QinQ Packet Encapsulation Format

A QinQ packet has a fixed format, in which an 802.1Q tag is added outside the
existing 802.1Q tag of the packet. QinQ allows overlaying of multiple tags.
NOTE
Because a QinQ packet has 4 more bytes than an 802.1Q packet, the maximum frame
length allowed by each interface on the carrier network should be at least 1504 bytes. The
default frame length allowed by interfaces of a switch is larger than 1504 bytes, so you do
not need to adjust it. For details on how to configure the frame length allowed by an
interface, see Setting the Jumbo Frame Length Allowed on an Interface.
Figure 6-2 802.1Q encapsulation

802.1Q Encapsulation
DA SA 802.1Q TAG LEN/ETYPE DATA FCS
6 Bytes 6 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
QinQ
Encapsulation
DA SA 802.1Q TAG 802.1Q TAG LEN/ETYPE DATA FCS
6 Bytes 6 Bytes 4 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
TPID Priority CFI VLAN ID
QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is
configured on an interface, the device adds the default VLAN tag of this
interface to all packets regardless of whether the packets carry VLAN tags.
– If a single-tagged packet is received, the packet becomes a double-
tagged packet.
– If an untagged packet is received, the packet is tagged with the default
VLAN ID of the local interface.
2. Selective QinQ

Switches
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an
interface can forward packets based on a single VLAN tag or double VLAN
tags. In addition, the device processes packets received on an interface as
follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN
IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets
according to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ
provides extensive service features and allows flexible networking.
QinQ Encapsulation
QinQ technology converts single-tagged packets into double-tagged packets.
QinQ is classified into basic QinQ and selective QinQ depending on the data
encapsulated:
● Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates
packets arriving at the same interface with the same outer VLAN tag, and
therefore cannot distinguish users and services at the same time.
● VLAN ID-based QinQ encapsulation
VLAN ID-based QinQ encapsulation, also called selective QinQ, encapsulates
packets with different outer tags to differentiate users.
● MQC-based QinQ encapsulation
MQC-based QinQ encapsulation, also called selective QinQ, classifies traffic
and encapsulates outer tags of matching data flows.
6.2.2 Basic QinQ

Basic QinQ is also called QinQ tunneling and is implemented based on interfaces.
Basic QinQ allows the device to add the default VLAN tag of an interface to a
packet received on the interface.
● If the received packet carries one VLAN tag, the packet then has double tags.
● If the received packet does not carry any VLAN tag, the packet then carries
the default VLAN tag of an interface.
6.2.3 Selective QinQ

Selective QinQ is more flexible than QinQ, and is also called VLAN stacking. In
addition to basic QinQ functions, selective QinQ can perform different actions for
packets from different VLANs, including:
● VLAN ID-based selective QinQ: adds different outer VLAN tags to packets
with different inner VLAN IDs.
● MQC-based selective QinQ: adds different outer tags to packets based on QoS
policies. MQC-based selective QinQ implements differentiated services.
Differences between basic QinQ and selective QinQ are as follows:
● Basic QinQ: adds the same outer tag to all the frames arriving at the Layer 2
QinQ interface.

Switches
● Selective QinQ: adds different outer tags to the frames with inner VLAN tags
or frames matching traffic classification rules. VLAN assignment is more
accurate.
6.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The
TPID value defined in IEEE 802.1Q is 0x8100.
Figure 6-3 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE
802.1Q tag lies between the Source Address field and the Length/Type field. A
device determines whether packets carry the specified VLAN tag according to the
TPID. When an interface receives a packet, the device compares the configured
TPID with that in the packet. If they are the same, the packet carries the VLAN
tag. If they are different, the packet does not carry the VLAN tag.
Figure 6-3 802.1Q encapsulation

802.1Q Encapsulation
DA SA 802.1Q TAG Length/Type Data FCS
6 Bytes 6 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
TPID 2 Bytes TCI 2 Bytes

0X8100 Priority CFI VLAN ID
3bits 1bit 12bits
To implement interoperation between QinQ-capable devices of different vendors,

devices of different vendors use 0x8100 as the inner TPID value but may use
different outer TPID values. You can set the TPID value in outgoing QinQ packets
sent from Huawei devices to the TPID value used by non-Huawei devices so that
the Huawei and non-Huawei devices can communicate.
6.3 Application Scenarios for QinQ
6.3.1 Application of Basic QinQ

As shown in Figure 6-4, tenant 1 and tenant 2 in a data center are located in
different positions, and are connected to SwitchA and SwitchB on the core/
backbone network. To ensure security of services and save core/backbone network
VLAN IDs, traffic between two tenants needs to be transparently transmitted
through the core/backbone network, tenants using the same service in different
branches are allowed to communicate, and tenants using different services need
to be isolated. Basic QinQ is configured to meet the preceding requirements.

Switches
Figure 6-4 Networking of basic QinQ
SwicthA SwicthB
Interface3 Core/Backbone Interface3
network
Interface1 Interface2 Interface1 Interface2
Tenant1 Tenant2 Tenant1 Tenant2

VLAN2- VLAN1000- VLAN100- VLAN500-
VLAN500 VLAN2000 VLAN500 VLAN2500
Table 6-1 describes VLAN assignment for tenant 1 and tenant 2.
Table 6-1 VLAN assignment for tenant 1 and tenant 2

Tenant Name VLAN ID Range Outer VLAN ID
Tenant 1 2 to 500 10
Tenant 2 500 to 2500 20
Configure QinQ on SwitchA and SwitchB so that tenants using the same service in
different branches are allowed to communicate and tenants using different
services need to be isolated.
● Configure SwitchA to encapsulate outer VLAN 10 to packets entering
Interface1 and outer VLAN 20 to packets entering Interface2.
● Configure SwitchB to encapsulate outer VLAN 10 to packets entering
Interface1 and outer VLAN 20 to packets entering Interface2.
● Configure Interface3 on SwitchA and SwitchB to allow packets from VLAN 10
and VLAN 20.
6.3.2 Application of VLAN ID-based Selective QinQ

As shown in Figure 6-5, in a data center, tenants lease office and production
service servers. Production services are transmitted in VLANs 10 to 30, and office
services are transmitted in VLANs 31 to 50. Tenants are located in positions A and
B, and tenant devices are connected through SwitchA and SwitchB of the core/

Switches
backbone network. To ensure service security and save VLAN IDs of the core/
backbone network, it is required that traffic in positions A and B be transmitted
through the core/backbone network, users using the same service be allowed to
communicate, and users using different services be isolated. You can configure
VLAN ID-based selective QinQ to meet the requirements.
Figure 6-5 Networking of VLAN ID-based selective QinQ

SwicthA SwicthB
Interface2 Core/Backbone Interface2
Network
Interface1 Interface1
User
User
VLAN10~
VLAN10~
VLAN50
VLAN50
A Manufacturing Service: VLAN10 ~ VLAN30 B

Office Service: VLAN31 ~ VLAN50
Table 6-2 shows the planning of outer VLAN IDs.
Table 6-2 VLAN assignment of tenants
Service Name Range of VLAN IDs Outer VLAN
Production service 10-30 100
Office service 31-50 200
Configure selective QinQ on SwitchA and SwitchB so that users using the same
service in different branches are allowed to communicate, and users using
different services are isolated.
● On SwitchA, add VLAN 100 to packets that have inner VLAN IDs 10 to 30 and
enter Interface1, and VLAN 200 to packets that have inner VLAN IDs 31 to 50
and enter Interface1.
● On SwitchB, add VLAN 100 to packets that have inner VLAN IDs 10 to 30 and
enter Interface1, and VLAN 200 to packets that have inner VLAN IDs 31 to 50
and enter Interface1.
● Configure Interface2 on SwitchA and SwitchB to allow packets from VLAN 100
and VLAN 200.

Switches
6.3.3 Application of MQC-based Selective QinQ

As shown in Figure 6-6, video and data information is stored on the servers. A
user device transmits IPTV and Internet access services, and connects to the server
through the enterprise backbone network. SwitchB and SwitchC are edge devices
of the enterprise backbone network. To save VLAN IDs on the enterprise backbone
network, traffic needs to be transparently transmitted on the enterprise backbone
network. In addition, IPTV services need to be transmitted only on the video
server, Internet access services need to be transmitted only on the data server, and
different services need to be differentiated. MQC-based Selective QinQ can be
configured on SwitchB and SwitchC to meet the preceding requirements.
Figure 6-6 Networking of MQC-based selective QinQ

Video
server
SwitchA SwitchB SwitchC SwitchD

Enterprise IPTV
Backbone
Data Network
server
PC
6.4 Licensing Requirements and Limitations for QinQ
Involved Network Elements

Other network elements are not required.
Licensing Requirements
QinQ is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.
Version Requirements
Table 6-3 Products and minimum version supporting QinQ
Product Minimum Version Required
CE8860EI V100R006C00
CE8861EI/CE8868EI V200R005C10

Switches
Product Minimum Version Required
CE8850-32CQ-EI V200R002C50
CE8850-64CQ-EI V200R005C00
CE7850EI V100R003C00
CE7855EI V200R001C00
CE6810EI V100R003C00
CE6810-48S4Q-LI/CE6810-48S- V100R003C10
LI
CE6810-32T16S4Q-LI/ V100R005C10
CE6810-24S2Q-LI
CE6850EI V100R001C00
CE6850-48S6Q-HI V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/ V100R005C10
CE6851HI
CE6855HI V200R001C00
CE6856HI V200R002C50
CE6857EI V200R005C10
CE6860EI V200R002C50
CE6865EI V200R005C00
CE6870-24S6CQ-EI V200R001C00
CE6870-48S6CQ-EI V200R001C00
CE6870-48T6CQ-EI V200R002C50
CE6875-48S4CQ-EI V200R003C00
CE6880EI V200R002C50
CE5810EI V100R002C00
CE5850EI V100R001C00
CE5850HI V100R003C00
CE5855EI V100R005C10
CE5880EI V200R005C10
NOTE
For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Switches
Feature Limitations
● Selective QinQ based on the VLAN ID can be only enabled on hybrid or trunk
interfaces in the inbound direction.
● The outer VLAN ID must exist and the interface must be added to the outer
VLAN in untagged mode.
● The interface learns the MAC address in the VLAN specified by the outer
VLAN tag of packets.
● The MUX VLAN and selective QinQ based on the VLAN ID cannot be
configured on the same interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN for selective QinQ.
● If forwarding resources exceed the specifications, VLAN stacking can be
configured. However, after the device restarts, the invalid VLAN stacking
configuration may become valid and valid VLAN stacking configuration may
become invalid.
● If VLAN stacking is configured on an interface corresponding to the VLAN,
VBST negotiation for this VLAN will fail.
● QinQ cannot be used with features such as DHCP, ARP, and IGMP.
● Starting from V200R003C00, for the CE6875EI and CE6870EI, when original
packets carry two or three VLAN tags and the device is configured with IPv6
VXLAN and VLAN stacking, tags in forwarded packets are incorrect. Please
deploy VLAN stacking on the neighboring device.
● The original VLAN specified in the port vlan-stacking command cannot be
the same as the outer VLAN configured on a QinQ Layer 2 sub-interface.
● For the CE6857EI, CE6865EI, CE8861EI, and CE8868EI, no extra VLAN tag can
be added to the original double-tagged packets, even if VLAN stacking is
configured.
● M-LAG cannot be configured together with VLAN Mapping or VLAN Stacking.
6.5 Configuring QinQ
6.5.1 Configuring Basic QinQ
Context
Basic QinQ enables the device to add a public tag to incoming packets so that
user packets can be forwarded on the public network. To separate private
networks from public networks and conserve VLAN resources, configure double
802.1Q tags on QinQ interfaces of the device. Inner VLAN tags are used on
internal networks and outer VLAN tags are used on external networks. QinQ
expands VLAN space to 4094x4094 VLANs and allows packets on different private
networks with the same VLAN IDs to be transparently transmitted.

Switches
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN used on the public network is created.
Step 3 Run quit
Exit from the VLAN view.
Step 4 Run interface interface-type interface-number
The interface view is displayed.
The interface can be a physical interface or an Eth-Trunk interface.
Step 5 Run port link-type dot1q-tunnel
The link type of the interface is set to Dot1q-tunnel.
By default, the link type of an interface is access. Dot1q-tunnel interfaces do not

support Layer 2 multicast.
Step 6 Run port default vlan vlan-id
The VLAN ID of the public VLAN tag, that is, the default VLAN of the interface, is
configured.
By default, VLAN 1 is the default VLAN of all interfaces.
Step 7 Run commit
The configuration is committed.
----End
Verifying the Configuration

● Run the display current-configuration interface interface-type interface-
number command to check the QinQ configuration on the interface.
6.5.2 Configuring Selective QinQ

Selective QinQ adds different outer VLAN tags to packets with different inner
VLAN tags on an interface, and is more flexible than QinQ.
6.5.2.1 Configuring VLAN ID-based Selective QinQ
Context
Selective QinQ based on the VLAN ID enables the device to add different outer
VLAN tags to received data frames according to VLAN IDs in the frames.

Switches
NOTE
● Selective QinQ based on the VLAN ID can be only enabled on hybrid or trunk interfaces
in the inbound direction.
● The outer VLAN ID must exist and the interface must be added to the outer VLAN in
untagged mode.
● The interface learns the MAC address in the VLAN specified by the outer VLAN tag of
packets.
● The MUX VLAN and selective QinQ based on the VLAN ID cannot be configured on the
same interface.
● The original VLAN specified in the port vlan-stacking command cannot be the same as
the outer VLAN configured on a QinQ Layer 2 sub-interface.
Procedure
Step 3 Run port link-type { hybrid | trunk }
The link type of the interface is configured as hybrid or trunk.
By default, the link type of an interface is access.
Step 4 Add the interface to a VLAN.
Run the following command as required.
● Trunk interface
Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-40> |
all } command to add the trunk interface to the stacked VLAN.
● Hybrid interface
Run the port hybrid untagged vlan vlan-id command to add the hybrid
interface to the stacked VLAN in untagged mode.
The VLAN ID specified by vlan-id must already exist on the device. The original
VLAN can be not created.
Step 5 Run port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
[ remark-8021p 8021p-value ]
Selective QinQ based on the VLAN ID is configured.

Switches
NOTE
If the port vlan-stacking command has been executed at least three times with specified
VLAN ranges and VLAN ranges are combined twice at least, the configuration of each
command must be committed. Otherwise, packets may be lost. For example, when port
vlan-stacking vlan 31 to 60 stack-vlan 100, port vlan-stacking vlan 20 to 30 stack-vlan
100, and port vlan-stacking vlan 61 to 70 stack-vlan 100 commands are used, VLAN
ranges 20 to 60 and 20 to 70 are combined twice. Therefore, commit the configuration of
each command.
For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI, the qinq protocol and port vlan-
stacking commands cannot be configured together.
Step 6 Run commit

----End

● Run the display current-configuration interface interface-type interface-
number command to check the configuration of selective QinQ based on the
VLAN ID on the interface.
6.5.2.2 Configuring MQC-based Selective QinQ
Context
MQC-based selective QinQ uses a traffic classifier to classify packets based on
VLAN IDs and associates the traffic classifier with a traffic behavior that defines
the action of adding outer VLAN tags, so that the device can add outer VLAN tags
to packets matching the traffic classifier.
NOTE
The CE6870EI and CE6875EI do not support this function.
Procedure
1. Configure a traffic classifier.
a. Run system-view
b. Run traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.
and is the logical operator between rules in a traffic classifier, which
means that:
▪ If a traffic classifier contains ACL rules, packets match the traffic

classifier only if they match one ACL rule and all the non-ACL rules.
▪ If a traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match a traffic classifier if
they match one or more rules in the classifier.

Switches
By default, the relationship between rules in a traffic classifier is or.

c. Run if-match
Matching rules are defined for the traffic classifier.
For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine 8800, 7800,
6800, and 5800 Series Switches Configuration Guide - QoS Configuration
Guide.
d. Run commit
e. Run quit
Exit from the traffic behavior view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or
the view of an existing traffic behavior is displayed.
b. Run vlan-stacking vlan vlan-id
An action of adding an outer VLAN tag is configured in the traffic
behavior.
c. Run commit
d. Run quit
Exit from the traffic behavior view.
e. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run system-view
b. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed.
c. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in the traffic policy.
d. Run commit
e. Run quit
Exit from the traffic policy view.
f. Run quit
Exit from the system view.
4. Apply the traffic policy.

Switches
NOTE
● A traffic policy containing vlan-stacking cannot be applied to the outbound

direction.
● For details about the configuration guidelines of applying traffic policies in
different views on the CE switches excluding CE6870EI and CE6875EI, see Licensing
Requirements and Limitations for MQC (CE Switches Excluding the CE6870EI and
CE6875EI).
● For switches excluding the CE5880EI and CE6880EI, run the display traffic-policy
pre-state { global [ slot slot-id ] | interface { interface-type interface-number } |
vlan vlan-id | bridge-domain bd-id } policy-name { inbound | outbound }
command before committing the configuration to check the information about
resources occupied by the traffic policy to be applied and determine whether the
traffic policy can be successfully applied based on the information.
● If a traffic policy needs to be applied to multiple VLANs and interfaces or multiple
traffic classifiers for matching packets from different source IP addresses need to
be bound to the same traffic policy, you are advised to add these VLANs, source IP
addresses, and interfaces to the same QoS group and apply the traffic policy to the
QoS group.
– Applying a traffic policy to an interface
i. Run system-view
ii. Run interface interface-type interface-number
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the interface in the inbound direction.
iv. Run commit
– Applying a traffic policy to a VLAN
i. Run system-view
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the VLAN in the inbound direction.
After a traffic policy is applied to a VLAN, the system performs traffic
policing for the packets that come from the VLAN and match traffic
classification rules in the inbound direction.
iv. Run commit
– Applying a traffic policy to the system
i. Run system-view
ii. Run traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.
iii. Run commit

Switches

– Applying a traffic policy to a QoS group
i. Run system-view
ii. Run qos group group-name
The QoS group view is displayed.
iii. Run the following commands as required.
○ Run the group-member interface { interface-type interface-
number1 [ to interface-type interface-number2 ] } &<1-8>
command to add interfaces to the QoS group.
○ (For CE5880EI, CE6870EI, CE6875EI and CE6880EI) Run the
group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
command to add VLANs to the QoS group.
○ ( For CE Switches Excluding CE6870EI and CE6875EI) Run the
group-member ip source ip-address { mask | mask-length }
command to add source IP addresses to the QoS group.
iv. Run traffic-policy policy-name inbound
A traffic policy is applied to a QoS group.
v. Run commit

● Run the display traffic classifier [ classifier-name ] command to check the
traffic classifier configuration.
● Run the display traffic behavior [ behavior-name ] command to check the
traffic behavior configuration on the device.
● Run the display traffic policy [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy configuration.
● Run the display traffic-policy applied-record [ policy-name ] [ global [ slot
slot-id ] | interface interface-type interface-number | vlan vlan-id | vpn-
instance vpn-instance-name | qos group group-id | bridge-domain bd-id ]
[ inbound | outbound ] command to check the application records of a
specified traffic policy.
NOTE
The CE6810LI does not support the vpn-instance vpn-instance-name parameter.

The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI do
not support the bridge-domain bd-id command.
● Run the display system tcam fail-record [ slot slot-id ] command to display
TCAM delivery failures.
● Run the display system tcam service brief [ slot slot-id ] command to
display the group index and rule count occupied by different services.
● Run the display system tcam service { cpcar slot slot-id | service-name slot
slot-id [ chip chip-id ] } command to display IDs of entries delivered by
services on the specified chip or in the specified slot.

Switches
● Run one of the following commands to display data of a traffic policy that
has been applied:
– display system tcam service traffic-policy { global | vlan vlan-id |
interface interface-type interface-number | vpn-instance vpn-instance-
name | qos group group-id | bridge-domain bd-id } policy-name
{ inbound | outbound } [ slot slot-id [ chip chip-id ] ]
NOTE
The CE6810LI does not support the vpn-instance vpn-instance-name parameter.

The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI
do not support the bridge-domain bd-id command.
– display system tcam service traffic-policy slot slot-id policy-name
{ inbound | outbound } [ chip chip-id ]
● (Models excluding the CE5880EI, CE6870EI, CE6875EI, and CE6880EI) Run the
display system tcam match-rules slot slot-id [ [ ingress | egress | group
group-id ] | [ delay-time time-value ] ] * command to display matched
entries.
● (For the CE6870EI and CE6875EI) Run the display system tcam match-rules
slot slot-id [ [ ingress | egress | group group-id ] | [ chip chip-id ] ] *
command to display matched entries.
● (For the CE5880EI and CE6880EI) Run the display system tcam match-rules
slot slot-id chip chip-id index index-id command to display matched entries.
6.5.3 Configuring the TPID Value in an Outer VLAN Tag
Context
To enable interoperation between devices from different vendors, set the same
TPID value in outer VLAN tags on the devices. Devices from different vendors or in
different network plans may use different TPID values in VLAN tags of VLAN
packets. To adapt to an existing network plan, the switch supports TPID value
configuration. You can set the TPID value on the switch to be the same as the
TPID value in the network plan to ensure compatibility with the current network.
NOTE
● To implement interoperability with a non-Huawei device, ensure that the protocol type
in the outer VLAN tag added by the switch can be identified by the non-Huawei device.
● The qinq protocol command identifies incoming packets, and adds or changes the TPID
value of outgoing packets.
● For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI, the qinq protocol and port vlan-
stacking commands cannot be configured together.
Procedure

Switches
Step 3 Run qinq protocol protocol-id

The protocol type in the outer VLAN tag is set.
The qinq protocol command cannot be used on Dot1q-tunnel interfaces.
The TPID value can be 0x8100, 0x9100, or 0x88a8.
By default, the TPID value in the outer VLAN tag is 0x8100.
Step 4 Run commit
----End
6.6 Configuration Examples for QinQ

This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.
6.6.1 Example for Configuring Basic QinQ
Networking Requirements
As shown in Figure 6-7, tenant 1 and tenant 2 in a data center are located in
different positions. SwitchA and SwitchB are at the edge of the data center and
connected through the core/backbone network.
The requirements are as follows:
● Tenant 1 and tenant 2 plan their VLANs independently.
● Traffic of the two tenants is transparently transmitted on the core/backbone
network. Devices using the same services in the two branches are allowed to
communicate and devices using different services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 and VLAN
200 provided by the core/backbone network can be used to implement
communication of tenant 1 and tenant 2 respectively.
Figure 6-7 Networking diagram for configuring QinQ
SwitchA 10GE1/0/3 SwitchB

Core/Backbone 10GE1/0/3
network
VLAN 100,200 10GE1/0/1
10GE1/0/1 10GE1/0/2 10GE1/0/2
Tenant1 Tenant2 Tenant1 Tenant2

VLAN10~ VLAN20~ VLAN10~ VLAN20~
VLAN50 VLAN60 VLAN50 VLAN60

Switches
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB, and set the
link type of interfaces connected to tenants to QinQ and add the interfaces to
VLAN so that different outer VLAN tags are added to different tenants.
2. Add interfaces connected to the core/backbone network on SwitchA and
SwitchB to VLAN 100 and VLAN 200 to permit packets from these VLANs to
pass through.
Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 100 200
[*SwitchA] commit
# Create VLAN 100 and VLAN 200 on SwitchB.

[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 100 200
[*SwitchB] commit
Step 2 Set the link type of interfaces to QinQ.

# Configure 10GE1/0/1 and 10GE1/0/2 on SwitchA as QinQ interfaces, and set
outer VLAN tags of 10GE1/0/1 and 10GE1/0/2 to VLAN 100 and VLAN 200
respectively. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type dot1q-tunnel
[*SwitchA-10GE1/0/1] port default vlan 100
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port link-type dot1q-tunnel
[*SwitchA] commit
Step 3 Configure the interface connected to the core/backbone network on the switch.
# Add 10GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit
Step 4 Verify the configuration.

On a server in a VLAN of tenant 1, ping another server in the same VLAN. The
ping operation succeeds, indicating that devices in tenant 1 can communicate with
each other.

Switches
ping operation succeeds, indicating that devices in tenant 2 can communicate with
each other.
ping operation fails, indicating that tenants are isolated.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface 10GE1/0/2
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
#
interface 10GE1/0/2
#
interface 10GE1/0/3
#
return
6.6.2 Example for Configuring VLAN ID-based Selective QinQ

As shown in Figure 6-8, in a data center, tenants lease office and production
service servers. Production services are transmitted in VLANs 10 to 30, and office
services are transmitted in VLANs 31 to 50. Tenants are located in positions A and
B, and tenant devices are connected through SwitchA and SwitchB of the core/
backbone network. The following requirements need to be met to ensure service
security and save VLAN IDs of the core/backbone network:
● Traffic in positions A and B is transmitted through the core/backbone
network.

Switches
● Devices transmitting the same service are allowed to communicate, and

devices transmitting different services are isolated.
Figure 6-8 Networking for configuring VLAN ID-based selective QinQ
SwitchA SwitchB
10GE1/0/2 Core/Backbone 10GE1/0/2
Network
VLAN100
VLAN200
10GE1/0/1 10GE1/0/1
User
User
VLAN10~
VLAN10~
VLAN50
VLAN50
Manufacturing Service: VLAN10 ~ VLAN30
A Office Service: VLAN31 ~ VLAN50 B
You can configure VLAN ID-based selective QinQ to meet the preceding
requirements. Production service servers communicate in VLAN 100 and office
service servers communicate in VLAN 200 of the core/backbone network, and
different service servers are isolated.
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, and configure
selective QinQ on interfaces of SwitchA and SwitchB so that different VLAN
tags are added to different packets of services.
2. Add interfaces of SwitchA and SwitchB connected to the core/backbone
network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed
to pass through.
Procedure
# Create VLAN 100 and VLAN 200 on SwitchA.
[*HUAWEI] commit
[*SwitchA] commit
# Create VLAN 100 and VLAN 200 on SwitchB.


Switches
[*HUAWEI] commit
[*SwitchB] commit
Step 2 Configure selective QinQ on interfaces.

# Configure 10GE1/0/1 on SwitchA.
[~SwitchA-10GE1/0/1] port link-type hybrid
[*SwitchA-10GE1/0/1] port hybrid untagged vlan 100 200
[*SwitchA-10GE1/0/1] port vlan-stacking vlan 10 to 30 stack-vlan 100
[*SwitchA-10GE1/0/1] port vlan-stacking vlan 31 to 50 stack-vlan 200
[*SwitchA] commit
# Configure 10GE1/0/1 on SwitchB.

[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type hybrid
[*SwitchB-10GE1/0/1] port hybrid untagged vlan 100 200
[*SwitchB-10GE1/0/1] port vlan-stacking vlan 10 to 30 stack-vlan 100
[*SwitchB-10GE1/0/1] port vlan-stacking vlan 31 to 50 stack-vlan 200
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit
Step 3 Configure interfaces of SwitchA and SwitchB connected to the core/backbone

network.
# Add 10GE1/0/2 on SwitchA to VLAN 100 and VLAN 200. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

From a production service server in VLANs 10 to 30 in position A, ping a
production service server in the same VLAN in position B. The ping operation
succeeds, indicating that production service servers can communicate with each
other.
From an office service server in VLANs 31 to 50 in position A, ping an office
service server in the same VLAN in position B. The ping operation succeeds,
indicating that office service servers can communicate with each other.
From a production service server in VLANs 10 to 30 in position A, ping an office
service server in VLANs 31 to 50 in position B. The ping operation fails, indicating
that services are isolated.
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type hybrid

Switches
port hybrid untagged vlan 100 200

port vlan-stacking vlan 10 to 30 stack-vlan 100
#
interface 10GE1/0/2
#
return
● Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
port hybrid untagged vlan 100 200
#
interface 10GE1/0/2
#
return
6.6.3 Example for Configuring MQC-based Selective QinQ
As shown in Figure 6-9, servers on a data center network store video and data
information. The MAC addresses of data and video servers are 0003-0003-0003
and 0004-0004-0004 respectively. A school network transmits teachers' office and
multimedia services, and servers are connected through the enterprise backbone
network. The enterprise backbone network allocates VLAN 2 to teachers' office
service and VLAN 3 to multimedia service. SwitchB and SwitchC are edge devices
of the enterprise backbone network.
The requirements are as follows:
● Video and data servers are allocated to different VLANs, so they do not affect
each other.
● Traffic is transparently transmitted on the enterprise backbone network.
Teachers' office service is only transmitted to the data server and multimedia
service is only transmitted to the video server so that services can be
differentiated.
MQC-based selective QinQ can be configured on SwitchB to meet the preceding
requirements.

Switches
Figure 6-9 Networking of MQC-based selective QinQ

VLAN200
Data server
10
GE
/2
1/0
1/
SwitchA SwitchB SwitchC SwitchD E
0/
0G
2
Enterprise 1
10GE1/0/1 10GE1/0/2 Teachers' VLAN200
Backbone office
10GE1/0/1 Network 10GE1/0/1
Video server 10
/3 10GE1/0/2 VLAN2,3 10GE1/0/1 GE
E1/0 1 /0/
10G 3
VLAN300
Traffic direction
Multimedia VLAN300
room
Campus
1. Create VLANs on SwitchB and configure SwitchB to add different VLAN tags
to packets of different services.
2. Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy
on SwitchB.
3. Apply the traffic policy to interfaces of SwitchB to implement selective QinQ.
Procedure
# Create VLAN 200 and VLAN 300 on SwitchA and add interfaces connected to
servers to VLAN 200 and VLAN 300. The configuration of SwitchD is similar to the
configuration of SwitchA, and is not mentioned here.
[*HUAWEI] commit
[*SwitchA] commit
# On SwitchB, create VLAN 2 and VLAN 3, that is, outer VLAN IDs added to
packets.
[*HUAWEI] commit
[*SwitchB] commit
# On SwitchC, create VLAN 2 and VLAN 3.

[~HUAWEI] sysname SwitchC
[*HUAWEI] commit

Switches
[~SwitchC] vlan batch 2 3

[*SwitchC] commit
Step 2 Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy on
SwitchB.
[~SwitchB] traffic classifier name1
[*SwitchB-classifier-name1] if-match source-mac 0003-0003-0003
[*SwitchB-classifier-name1] quit
[*SwitchB] traffic behavior name1
[*SwitchB-behavior-name1] vlan-stacking vlan 2
[*SwitchB-behavior-name1] quit
[*SwitchB] traffic classifier name2
[*SwitchB-classifier-name2] if-match source-mac 0004-0004-0004
[*SwitchB-classifier-name2] quit
[*SwitchB] traffic behavior name2
[*SwitchB-behavior-name2] vlan-stacking vlan 3
[*SwitchB-behavior-name2] quit
[*SwitchB] traffic policy name1
[*SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[*SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[*SwitchB-trafficpolicy-name1] quit
[*SwitchB] commit
Step 3 Apply the traffic policy on SwitchB to implement selective QinQ.
# Configure 10GE1/0/1 on SwitchB.

[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 2 3
[*SwitchB-10GE1/0/1] traffic-policy name1 inbound
[*SwitchB] commit
# Configure 10GE1/0/1 on SwitchC.

[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type hybrid
[*SwitchC-10GE1/0/1] port hybrid untagged vlan 2 3
[*SwitchC-10GE1/0/1] quit
[*SwitchC] commit
Step 4 Configure other interfaces.
# Add 10GE 1/0/1 on SwitchA to VLAN 200 and VLAN 300. The configuration of
SwitchD is similar to the configuration of SwitchA, and is not mentioned here.
[*SwitchA] commit
# Add 10GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.

[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2 3
[*SwitchB] commit
# Add 10GE1/0/2 on SwitchC to VLAN 2 and VLAN 3.

[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type hybrid
[*SwitchC-10GE1/0/2] port hybrid untagged vlan 2 3
[*SwitchC-10GE1/0/2] quit
[*SwitchC] commit

Switches

● Ping a teacher's office PC from the data server. The ping operation succeeds,
indicating that the teacher's office PC can access the data server.
● Ping a PC in the multimedia room from the video server. The ping operation
succeeds, indicating that the PC can access the video server.
Here, the ping to a teacher's office PC from the data server is used as an example.
The data server and teacher's office PC are configured on the same network
segment. For example, the IP address of the data server is 172.16.0.1/16, and the
IP address of the teacher's office PC is 172.16.0.7/16. Assume that the PC runs the
Window XP operating system.
C:\Documents and Settings\Administrator> ping 172.16.0.7
Pinging 172.16.0.7 with 32 bytes of data:
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.0.7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 200 300
#
interface 10GE1/0/1
#
interface 10GE1/0/2
#
interface 10GE1/0/3
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 type or
if-match source-mac 0003-0003-0003 ffff-ffff-ffff
#
traffic classifier name2 type or
if-match source-mac 0004-0004-0004 ffff-ffff-ffff
#
traffic behavior name1
vlan-stacking vlan 2
#
traffic behavior name2
vlan-stacking vlan 3
#
traffic policy name1

Switches
classifier name1 behavior name1 precedence 5

classifier name2 behavior name2 precedence 10
#
interface 10GE1/0/1
port trunk allow-pass vlan 2 to 3
traffic-policy name1 inbound
#
interface 10GE1/0/2
port trunk allow-pass vlan 2 to 3
#
return
● SwitchC configuration file

#
sysname SwitchC
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port hybrid untagged vlan 2 to 3
#
interface 10GE1/0/2
port hybrid untagged vlan 2 to 3
#
return
● SwitchD configuration file

#
sysname SwitchD
#
vlan batch 200 300
#
interface 10GE1/0/1
#
interface 10GE1/0/2
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port trunk allow-pass vlan 300
#
return

01-06 QinQ Configuration

Uploaded by

Copyright:

Available Formats

You might also like

01-06 QinQ Configuration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-06 QinQ Configuration

Uploaded by

Copyright:

Available Formats

CloudEngine 8800, 7800, 6800, and 5800 Series

This chapter describes the concepts and configuration procedure of 802.1Q-

6.1 Overview of QinQ

6.1 Overview of QinQ

QinQ was originally developed to expand VLAN space by adding an additional

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 371

6.2 Understanding QinQ

6.2.1 QinQ Fundamentals

Figure 6-1 Typical QinQ application

CE2 CE3 CE4

PE1 Pubilc PE2

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 372

QinQ Packet Encapsulation Format

Figure 6-2 802.1Q encapsulation

TPID Priority CFI VLAN ID

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 373

6.2.2 Basic QinQ

6.2.3 Selective QinQ

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 374

Figure 6-3 802.1Q encapsulation

TPID 2 Bytes TCI 2 Bytes

To implement interoperation between QinQ-capable devices of different vendors,

6.3 Application Scenarios for QinQ

6.3.1 Application of Basic QinQ

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 375

Figure 6-4 Networking of basic QinQ

Tenant1 Tenant2 Tenant1 Tenant2

Table 6-1 describes VLAN assignment for tenant 1 and tenant 2.

Table 6-1 VLAN assignment for tenant 1 and tenant 2

Tenant 2 500 to 2500 20

6.3.2 Application of VLAN ID-based Selective QinQ

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 376

Figure 6-5 Networking of VLAN ID-based selective QinQ

A Manufacturing Service: VLAN10 ~ VLAN30 B

Table 6-2 shows the planning of outer VLAN IDs.

Table 6-2 VLAN assignment of tenants

Service Name Range of VLAN IDs Outer VLAN

Production service 10-30 100

Office service 31-50 200

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 377

6.3.3 Application of MQC-based Selective QinQ

Figure 6-6 Networking of MQC-based selective QinQ

SwitchA SwitchB SwitchC SwitchD

6.4 Licensing Requirements and Limitations for QinQ

Involved Network Elements

Table 6-3 Products and minimum version supporting QinQ

Product Minimum Version Required

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 378

Product Minimum Version Required

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 379

6.5 Configuring QinQ

6.5.1 Configuring Basic QinQ

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 380

The system view is displayed.

Step 2 Run vlan vlan-id

A VLAN used on the public network is created.

Step 3 Run quit

Exit from the VLAN view.

Step 4 Run interface interface-type interface-number