HP 5500 Ei 5500 Si Switch Series Configuration Guide
[Figure 64: Application scenario of one-to-one and many-to-one VLAN mapping. Labels: home gateways carrying PC, VoD, and VoIP traffic in VLAN 1, VLAN 2, and VLAN 3; DHCP client; DHCP server; distribution network. First wiring-closet switch: VLAN 1 -> VLAN 101, VLAN 2 -> VLAN 201, VLAN 3 -> VLAN 301 and VLAN 1 -> VLAN 102, VLAN 2 -> VLAN 202, VLAN 3 -> VLAN 302. Second wiring-closet switch: VLAN 1 -> VLAN 199, VLAN 2 -> VLAN 299, VLAN 3 -> VLAN 399 and VLAN 1 -> VLAN 200, VLAN 2 -> VLAN 300, VLAN 3 -> VLAN 400. Campus switch: VLAN 101-102 -> VLAN 501, VLAN 201-202 -> VLAN 502, VLAN 301-302 -> VLAN 503 and VLAN 199-200 -> VLAN 501, VLAN 299-300 -> VLAN 502, VLAN 399-400 -> VLAN 503.]

To further sub-classify each type of traffic by customer, perform one-to-one VLAN mapping on the wiring-closet switches, and assign a separate VLAN for each type of traffic from each customer. The required total number of VLANs in the network can be large. To prevent the maximum number of VLANs from being exceeded on the distribution layer device, perform many-to-one VLAN mapping on the campus switch to assign the same type of traffic from different customers to the same VLAN.

Application scenario of two-to-two VLAN mapping

Figure 65 shows a typical application scenario in which two remote sites of VPN A, Site 1 and Site 2, must communicate across two SP networks, SP 1 and SP 2.
[Figure 65: Application scenario of two-to-two VLAN mapping. Labels: VPN A Site 1 (CE a1), PE 1 and PE 2 in SP 1, PE 3 and PE 4 in SP 2, VPN A Site 2 (CE a2). Frame tags along the path: VLAN 2; VLAN 10 + VLAN 2; VLAN 20 + VLAN 3; VLAN 3. QinQ or selective QinQ at the outer edges, two-to-two VLAN mapping between the SP networks.]

Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The VLAN assigned for VPN A is VLAN 10 in the SP 1 network and VLAN 20 in the SP 2 network.

If Site 1 sends a packet to Site 2, the packet is processed on the way to its destination using the following workflow:
1. When the packet tagged with VLAN 2 arrives at the edge of network SP 1, PE 1 tags the packet with outer VLAN 10 through basic QinQ or selective QinQ.
2. When the double-tagged packet enters the SP 2 network, PE 3 replaces the outer VLAN tag (VLAN 10) with VLAN 20. Because the packet is destined for Site 2 in VLAN 3, PE 3 also replaces the inner tag (VLAN 2) of the packet with VLAN 3. This process is two-to-two VLAN mapping.
3. When PE 4 receives the packet with the new VLAN tag pair, it removes the outer VLAN tag and forwards the packet to VLAN 3.

For more information about basic QinQ and selective QinQ configurations, see Configuring QinQ.

Concepts and terms

Figure 66 shows a simplified network to help explain the concepts and terms that you might encounter when you work with VLAN mapping.

[Figure 66: Basic concepts of VLAN mapping]

• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
• Uplink policy—A QoS policy that defines VLAN mapping rules for uplink traffic.
• Downlink policy—A QoS policy that defines VLAN mapping rules for downlink traffic.
• Customer VLANs (CVLANs)—VLANs assigned for customers.
• Service provider VLANs (SVLANs)—VLANs assigned for transmitting traffic across the service provider network.

For more information about QoS policies, see ACL and QoS Configuration Guide.

VLAN mapping implementations

This section describes how VLAN mapping is implemented on your device.

One-to-one VLAN mapping

Implement one-to-one VLAN mapping on the customer-side port through the following configurations, as shown in Figure 67:
• Apply an uplink policy to the incoming traffic, mapping each CVLAN ID to a unique SVLAN ID. When a packet arrives, the switch replaces its CVLAN ID with the matching SVLAN ID.
• Apply a downlink policy to the outgoing traffic, mapping each SVLAN ID back to its corresponding CVLAN ID. When forwarding a packet out of the port, the switch replaces its SVLAN ID with the matching CVLAN ID.

[Figure 67: One-to-one VLAN mapping implementation]

Many-to-one VLAN mapping

Implement many-to-one VLAN mapping through the following configurations, as shown in Figure 68:
• Apply an uplink policy to the incoming traffic on the customer-side port to map different CVLAN IDs to one SVLAN ID. When a packet arrives, the switch replaces its CVLAN tag with the matching SVLAN tag.
• Configure the network-side port as a DHCP snooping trusted port. For downlink traffic, the switch looks through the DHCP snooping table, and replaces the SVLAN ID with the CVLAN ID found in the table.
[Figure 68: Many-to-one VLAN mapping implementation]

Each DHCP snooping entry contains information about one DHCP client, including its IP address, MAC address, and CVLAN. For more information about DHCP snooping, see Layer 3—IP Services Configuration Guide.

Two-to-two VLAN mapping

Implement two-to-two VLAN mapping through the following configurations, as shown in Figure 69.
• For uplink traffic, apply an inbound policy on the customer-side port to replace the SVLAN with a new SVLAN, and apply an outbound policy on the network-side port to replace the CVLAN with a new CVLAN.
• For downlink traffic, apply an outbound policy on the customer-side port to replace the double tags with the original VLAN tag pair.

[Figure 69: Two-to-two VLAN mapping implementation. Labels: customer network, customer-side port, network-side port, SP network, uplink traffic, downlink traffic, inbound uplink policy, outbound uplink policy, outbound downlink policy; frames tagged SVLAN/CVLAN on one side and SVLAN'/CVLAN' on the other.]

VLAN mapping configuration tasks

Use the VLAN mapping methods as appropriate to the roles of your switches in the network, as described in this table:
• Task: Configuring one-to-one VLAN mapping. Switch role: Wiring-closet switch.
• Task: Configuring many-to-one VLAN mapping. Switch role: Campus switch.
• Task: Configuring two-to-two VLAN mapping. Switch role: Edge switch between SP networks.
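Added example (not from the HP guide): a small Python model of the many-to-one implementation described above, in which uplink traffic has its CVLAN replaced by the shared SVLAN and downlink traffic recovers the CVLAN from a DHCP snooping entry. Looking entries up by destination MAC and returning None on a miss are assumptions of this model; the VLAN numbers follow Figure 64 and the IP/MAC values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SnoopingEntry:
    """One DHCP client, as the guide describes: IP address, MAC address, CVLAN."""
    ip: str
    mac: str
    cvlan: int

class ManyToOneMapper:
    def __init__(self, groups):
        # groups: {svlan: iterable of CVLANs}; a CVLAN may sit in one group only.
        self.uplink = {}
        for svlan, cvlans in groups.items():
            for cvlan in cvlans:
                if cvlan in self.uplink:
                    raise ValueError(f"CVLAN {cvlan} mapped twice")
                self.uplink[cvlan] = svlan
        self.snooping = {}  # MAC -> SnoopingEntry (lookup key is an assumption)

    def learn(self, entry):
        """Record a binding seen in a DHCP exchange on the customer side."""
        if entry.cvlan not in self.uplink:
            raise ValueError(f"CVLAN {entry.cvlan} is not in the uplink policy")
        self.snooping[entry.mac] = entry

    def map_uplink(self, cvlan):
        """Customer-side ingress: replace the CVLAN tag with the group's SVLAN."""
        return self.uplink.get(cvlan)

    def map_downlink(self, svlan, dst_mac):
        """Network-side ingress: recover the CVLAN from the snooping table."""
        entry = self.snooping.get(dst_mac)
        if entry is None or self.uplink[entry.cvlan] != svlan:
            return None  # no usable binding, so the SVLAN cannot be reversed
        return entry.cvlan

def demo():
    # Campus-switch mapping from Figure 64; the hosts are constructed samples.
    sw = ManyToOneMapper({501: [101, 102], 502: [201, 202], 503: [301, 302]})
    sw.learn(SnoopingEntry("10.0.0.11", "00:11:22:33:44:01", 101))
    sw.learn(SnoopingEntry("10.0.0.12", "00:11:22:33:44:02", 102))
    return {
        "up_101": sw.map_uplink(101),
        "up_102": sw.map_uplink(102),
        "down_host1": sw.map_downlink(501, "00:11:22:33:44:01"),
        "down_host2": sw.map_downlink(501, "00:11:22:33:44:02"),
        "down_static_host": sw.map_downlink(501, "00:11:22:33:44:99"),
    }

if __name__ == "__main__":
    for name, vlan in demo().items():
        print(name, vlan)
```

Both CVLANs collapse to SVLAN 501 on the way up, so only the snooping entry distinguishes the two hosts on the way down; a host with no entry cannot be mapped back in this model.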
Configuring one-to-one VLAN mapping

Perform one-to-one VLAN mapping on wiring-closet switches (see Figure 64) to isolate traffic by both user and traffic type.

Perform these tasks to configure one-to-one VLAN mapping:
• Configuring an uplink policy: Creates CVLAN-to-SVLAN mappings (required).
• Configuring a downlink policy: Creates SVLAN-to-CVLAN mappings (required).
• Configuring the customer-side port: Configures settings required for one-to-one VLAN mapping (required).
• Configuring the network-side port: Configures VLAN settings required for normal communication (required).

Configuration prerequisites

Create CVLANs and SVLANs, and plan CVLAN-SVLAN mappings.

Configuring an uplink policy

To configure an uplink policy to map each CVLAN to a unique SVLAN:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a class and enter class view.
   Command: traffic classifier tcl-name [ operator { and | or } ]
   Remarks: Repeat these steps to configure one class for each CVLAN.
3. Specify a CVLAN as the match criterion.
   Command: if-match customer-vlan-id vlan-id
4. Return to system view.
   Command: quit
5. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: Repeat these steps to configure one behavior for each SVLAN.
6. Configure an SVLAN marking action.
   Command: remark service-vlan-id vlan-id
7. Return to system view.
   Command: quit
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
9. Associate the class with the behavior to map the CVLAN to the SVLAN.
   Command: classifier tcl-name behavior behavior-name
   Remarks: Repeat this step to create other CVLAN-to-SVLAN mappings.

Configuring a downlink policy

To configure a downlink policy to map SVLANs back to CVLANs:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a class and enter class view.
   Command: traffic classifier tcl-name [ operator { and | or } ]
   Remarks: Repeat these steps to configure one class for each SVLAN.
3. Configure an SVLAN as the match criterion.
   Command: if-match service-vlan-id vlan-id
4. Return to system view.
   Command: quit
5. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: Repeat these steps to configure a behavior for each CVLAN.
6. Configure a CVLAN marking action.
   Command: remark customer-vlan-id vlan-id
7. Return to system view.
   Command: quit
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
9. Associate the class with the behavior to map the SVLAN to the CVLAN.
   Command: classifier tcl-name behavior behavior-name
   Remarks: Repeat this step to create other CVLAN-to-SVLAN mappings.

Configuring the customer-side port

To configure the customer-side port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a trunk port.
   Command: port link-type trunk
   Remarks: The default link type of an Ethernet port is access.
4. Assign the port to CVLANs and SVLANs.
   Command: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, a trunk port is in only VLAN 1.
5. Enable basic QinQ.
   Command: qinq enable
   Remarks: By default, basic QinQ is disabled.
6. Apply the uplink policy to the incoming traffic.
   Command: qos apply policy policy-name inbound
   Remarks: N/A
7. Apply the downlink policy to the outgoing traffic.
   Command: qos apply policy policy-name outbound
   Remarks: N/A

Configuring the network-side port

To configure the network-side port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a trunk port.
   Command: port link-type trunk
   Remarks: The default link type of ports is access.
4. Assign the port to SVLANs.
   Command: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, a trunk port is in only VLAN 1.

Configuring many-to-one VLAN mapping

CAUTION: Before changing VLAN mappings on a port, clear all DHCP snooping entries by using the reset dhcp-snooping command (see Layer 3—IP Services Command Reference).

Perform many-to-one VLAN mapping on campus switches (see Figure 64) to transmit the same type of traffic from different users in one VLAN.

Perform these tasks to configure many-to-one VLAN mapping:
• Enabling DHCP snooping: Enables DHCP snooping globally (required).
• Enabling ARP detection in SVLANs: Enables ARP detection in all SVLANs (required).
• Configuring an uplink policy: Configures an uplink policy for the customer-side port (required).
• Configuring the customer-side port: Configures VLAN and other settings required for many-to-one VLAN mapping (required).
• Configuring the network-side port: Configures VLAN and other settings required for many-to-one VLAN mapping (required).

Configuration prerequisites

Before configuring many-to-one VLAN mapping:
• Make sure that all home users obtain IP addresses through DHCP. For how to assign IP addresses through DHCP, see Layer 3—IP Services Configuration Guide.
• Create CVLANs and SVLANs, and plan CVLANs-to-SVLAN mappings.

Enabling DHCP snooping

To enable DHCP snooping:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP snooping.
   Command: dhcp-snooping
   Remarks: Disabled by default.
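Added example (not from the HP guide): a Python helper that renders the four one-to-one tasks completed above (uplink policy, downlink policy, customer-side port, network-side port) as command lines for one home gateway's mapping from Figure 64. The class, behavior and policy names and the two interface names are hypothetical; only commands listed in the step tables are emitted.

```python
# Added example: renders the one-to-one VLAN mapping steps as command lines.
# Class/behavior/policy names and interface names are hypothetical.

def validate_plan(plan):
    """The uplink policy must map each CVLAN to a unique SVLAN."""
    ids = list(plan) + list(plan.values())
    if any(not 1 <= vid <= 4094 for vid in ids):
        raise ValueError("VLAN IDs must be in the range 1-4094")
    if len(set(plan.values())) != len(plan):
        raise ValueError("two CVLANs share an SVLAN: not a one-to-one plan")

def render_policy(name, prefix, match_kw, mark_kw, pairs):
    """One class and one behavior per pair, then the policy that binds them."""
    lines = []
    for src, dst in pairs:
        lines += [f"traffic classifier {prefix}c{src}",
                  f" if-match {match_kw} {src}", " quit",
                  f"traffic behavior {prefix}b{dst}",
                  f" remark {mark_kw} {dst}", " quit"]
    lines.append(f"qos policy {name}")
    lines += [f" classifier {prefix}c{s} behavior {prefix}b{d}" for s, d in pairs]
    return lines + [" quit"]

def render_one_to_one(plan, customer_port, network_port):
    validate_plan(plan)
    up = sorted(plan.items())                 # (CVLAN, SVLAN) pairs
    down = [(s, c) for c, s in up]            # exact inverse for the downlink
    cvlans = " ".join(str(c) for c, _ in up)
    svlans = " ".join(str(s) for _, s in up)
    cfg = ["system-view"]
    cfg += render_policy("p_uplink", "up_", "customer-vlan-id", "service-vlan-id", up)
    cfg += render_policy("p_downlink", "dn_", "service-vlan-id", "customer-vlan-id", down)
    cfg += [f"interface {customer_port}", " port link-type trunk",
            f" port trunk permit vlan {cvlans} {svlans}",
            " qinq enable",                    # basic QinQ (customer-side step 5)
            " qos apply policy p_uplink inbound",
            " qos apply policy p_downlink outbound", " quit"]
    cfg += [f"interface {network_port}", " port link-type trunk",
            f" port trunk permit vlan {svlans}", " quit"]
    return cfg

# Mapping of one home gateway in Figure 64: VLAN 1 -> 101, 2 -> 201, 3 -> 301.
FIGURE_64_PLAN = {1: 101, 2: 201, 3: 301}

if __name__ == "__main__":
    print("\n".join(render_one_to_one(
        FIGURE_64_PLAN, "GigabitEthernet1/0/1", "GigabitEthernet1/0/2")))
```

The plan check rejects two CVLANs sharing an SVLAN, because the downlink policy could then no longer map the SVLAN back to a single CVLAN.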
Enabling ARP detection in SVLANs

The ARP detection function enables a switch to modify the VLAN attributes of ARP packets, which is impossible under the normal ARP packet processing procedure. For more information about ARP detection, see Security Configuration Guide.

To enable ARP detection in all SVLANs:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable ARP detection.
   Command: arp detection enable
   Remarks: Disabled by default.

NOTE: To defend against ARP attacks, enable ARP detection also in all CVLANs.

Configuring an uplink policy

To configure an uplink policy to map a group of CVLANs to one SVLAN:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a class and enter class view.
   Command: traffic classifier tcl-name operator or
   Remarks: Repeat these steps to configure one class for each group of CVLANs.
3. Configure multiple CVLANs as match criteria.
   Command: if-match customer-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }
4. Return to system view.
   Command: quit
5. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: Repeat these steps to configure one behavior for each SVLAN.
6. Configure an SVLAN marking action.
   Command: remark service-vlan-id vlan-id
7. Return to system view.
   Command: quit
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
9. Map the CVLANs to the SVLAN by associating the class with the behavior.
   Command: classifier tcl-name behavior behavior-name mode dot1q-tag-manipulation
   Remarks: Repeat this step to create other CVLANs-to-SVLAN mappings.

Configuring the customer-side port

CAUTION: Before applying a QoS policy to the customer-side port, enable customer-side QinQ on the port. Before disabling customer-side QinQ on the customer-side port, remove the QoS policy from the port first.

To configure the customer-side port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a trunk port.
   Command: port link-type trunk
   Remarks: The default link type of an Ethernet port is access.
4. Assign the port to CVLANs and SVLANs.
   Command: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, a trunk port is in only VLAN 1.
5. Enable customer-side QinQ.
   Command: qinq enable downlink
   Remarks: By default, customer-side QinQ is disabled on all ports.
6. Apply the uplink policy to the incoming traffic.
   Command: qos apply policy policy-name inbound
   Remarks: N/A

Configuring the network-side port

To configure the network-side port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a trunk port.
   Command: port link-type trunk
   Remarks: The default link type of an Ethernet port is access.
4. Assign the port to SVLANs.
   Command: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, a trunk port is in only VLAN 1.
5. Configure the port as a DHCP snooping trusted port.
   Command: dhcp-snooping trust
   Remarks: By default, all ports are DHCP snooping untrusted ports.
6. Configure the port as an ARP trusted port.
   Command: arp detection trust
   Remarks: By default, all ports are ARP untrusted ports.
7. Enable network-side QinQ.
   Command: qinq enable uplink
   Remarks: By default, network-side QinQ is disabled on all ports.

Configuring two-to-two VLAN mapping

Perform two-to-two VLAN mapping on an edge device that connects two SP networks, for example, on PE 3 in Figure 65. Two-to-two VLAN mapping enables two remote sites in different VLANs to communicate at Layer 2 across two service provider networks that use different VLAN assignment schemes.

For ease of description, the VLAN tags of the double-tagged frames that arrive at the customer-side port are called foreign CVLANs and SVLANs, and the VLAN tags marked by the edge device are called local CVLANs and SVLANs.

Perform these tasks to configure two-to-two VLAN mapping:
• Configuring an uplink policy for the customer-side port: Replaces foreign SVLANs with local SVLANs for uplink traffic (required).
• Configuring an uplink policy for the network-side port: Replaces foreign CVLANs with local CVLANs for uplink traffic (required).
• Configuring a downlink policy for the customer-side port: Replaces local SVLANs and CVLANs with foreign SVLANs and CVLANs (required).
• Configuring the customer-side port: Configures VLAN and other settings required for two-to-two VLAN mapping (required).
• Configuring the network-side port: Configures VLAN and other settings required for two-to-two VLAN mapping (required).

Configuring an uplink policy for the customer-side port

The uplink policy on the customer-side port modifies the SVLAN ID of incoming traffic.

To configure an uplink policy for the customer-side port:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a class and enter class view.
   Command: traffic classifier tcl-name [ operator and ]
   Remarks: Repeat these steps to create one class for each foreign CVLAN and SVLAN pair.
3. Specify a foreign CVLAN as a match criterion.
   Command: if-match customer-vlan-id vlan-id
4. Specify a foreign SVLAN as a match criterion.
   Command: if-match service-vlan-id vlan-id
5. Return to system view.
   Command: quit
6. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: Repeat these steps to configure one SVLAN marking action for each CVLAN and SVLAN pair.
7. Configure an SVLAN marking action to replace the foreign SVLAN ID with a local SVLAN ID.
   Command: remark service-vlan-id vlan-id
8. Return to system view.
   Command: quit
9. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
10. Associate the class with the behavior.
   Command: classifier tcl-name behavior behavior-name
   Remarks: Repeat this step to create other class-behavior associations.

Configuring an uplink policy for the network-side port

The uplink policy on the network-side port modifies the CVLAN ID of incoming traffic.
To configure an uplink policy for the network-side port: