2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Application scenarios of QinQ technology:
Each user in an operator's network must be placed in a separate VLAN so that users are isolated from one another. Because the 802.1Q VLAN tag carries only a 12-bit VLAN ID, the maximum number of VLANs cannot meet the isolation needs of the large number of users in a metropolitan area network, so QinQ technology is used.
QinQ works by adding a second 802.1Q tag in front of the original 802.1Q tag, which expands the number of available VLANs to 4094 * 4094, as shown below:
The following experiment explains in detail how QinQ is deployed on Huawei equipment in an operator metropolitan area network.
Experimental topology
Use the eNSP simulator (version V100R002C00 1.2.00.370)
Environment description
The access topology of metropolitan area network users is roughly as follows: BRAS device (think of it as a router with additional broadband access functions) → OLT device (think of it as a large switch) → splitter (a pure physical-layer device) → ONU device (think of it as the user access switch) → home users. As shown above, users are isolated by dividing VLANs on the ONU device, with each user belonging to its own VLAN. If this were done under one OLT, the VLAN IDs would obviously not be enough: the figure shows only two ONU devices, but in a real environment many ONU devices hang under one OLT, and 4096 VLANs are clearly insufficient. QinQ technology solves the shortage of VLAN IDs under the OLT: with two layers of tags the number of VLANs reaches 4096 × 4096, far more than the number of users that could ever hang under one OLT device.
Experimental planning
Win7 (VLAN 100): 192.168.100.10/24
C2 (VLAN 200): 192.168.100.20/24
C3 (VLAN 300): 192.168.200.10/24
C4 (VLAN 400): 192.168.200.20/24
OLT G0/0/1 (VLAN 10)
OLT G0/0/2 (VLAN 20)
Experimental demand
1. Configure QinQ on the OLT device to solve the shortage of VLAN IDs
2. Configure sub-interfaces on the BRAS device that terminate the VLANs by removing both layers of tags
3. Configure the PPPoE dial-up function on the BRAS device to simulate home users dialling up to the Internet
4. Capture packets and analyze the PPPoE messages
Experimental configuration
SW1 configuration (only the basic switching configuration is needed):
system-view
[SW1] vlan batch 100 200
[SW1] interface Ethernet0/0/1
[SW1-Ethernet0/0/1] port link-type access
[SW1-Ethernet0/0/1] port default vlan 100
[SW1-Ethernet0/0/1] interface Ethernet0/0/2
[SW1-Ethernet0/0/2] port link-type access
[SW1-Ethernet0/0/2] port default vlan 200
[SW1-Ethernet0/0/2] interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1] port link-type trunk
[SW1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
SW2 configuration:
system-view
[SW2] vlan batch 300 400
[SW2] interface Ethernet0/0/1
[SW2-Ethernet0/0/1] port link-type access
[SW2-Ethernet0/0/1] port default vlan 300
[SW2-Ethernet0/0/1] interface Ethernet0/0/2
[SW2-Ethernet0/0/2] port link-type access
[SW2-Ethernet0/0/2] port default vlan 400
[SW2-Ethernet0/0/2] interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1] port link-type trunk
[SW2-GigabitEthernet0/0/1] port trunk allow-pass vlan 300 400
OLT configuration:
system-view
[OLT] vlan batch 10 20
[OLT] interface GigabitEthernet0/0/1
[OLT-GigabitEthernet0/0/1] port link-type dot1q-tunnel  // set the port type to dot1q-tunnel
[OLT-GigabitEthernet0/0/1] port default vlan 10  // the outer VLAN ID (static outer-VLAN marking is used here; live networks usually use flexible QinQ to choose the outer tag)
[OLT-GigabitEthernet0/0/1] interface GigabitEthernet0/0/2
[OLT-GigabitEthernet0/0/2] port link-type dot1q-tunnel
[OLT-GigabitEthernet0/0/2] port default vlan 20
[OLT-GigabitEthernet0/0/2] interface GigabitEthernet0/0/3
[OLT-GigabitEthernet0/0/3] port link-type trunk  // set the port type to trunk
[OLT-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20  // allow VLAN 10 and VLAN 20 through; this is the uplink that transparently carries the service VLANs
BRAS configuration:
system-view
[BRAS] interface GigabitEthernet0/0/0.10  // create the sub-interface
[BRAS-GigabitEthernet0/0/0.10] qinq termination pe-vid 10 ce-vid 100 to 200  // terminate the double-layer tag: pe-vid is the outer tag, ce-vid the inner tag
In the latest version of the Huawei simulator, only the Router device supports terminating multiple inner VLANs; the AR series routers have no "to vlan-id" form of this command.
[BRAS-GigabitEthernet0/0/0.10] ip address 192.168.100.1 24
[BRAS-GigabitEthernet0/0/0.10] interface GigabitEthernet0/0/0.20
[BRAS-GigabitEthernet0/0/0.20] qinq termination pe-vid 20 ce-vid 300 to 400
[BRAS-GigabitEthernet0/0/0.20] ip address 192.168.200.1 24
Ping the BRAS from Win7 and capture packets on the OLT's G0/0/3 port to verify.
You will find two layers of VLAN tags: the outer tag is VLAN 10 and the inner tag is VLAN 100 (PC1).
Ping the BRAS from C3 and capture packets on the OLT's G0/0/3 port to verify.
As shown in the figure, the outer tag is VLAN 20 and the inner tag is VLAN 300 (PC3).
The above verification shows that the QinQ configuration works: now 4094 VLANs can hang under one port of the OLT device (VLAN 0 and 4095 are reserved on Huawei devices).
Consider a question here: when Win7 pings the BRAS, the packet carries a double-layer tag, so is there a tag when the BRAS returns the packet? If so, how does the BRAS know whether the inner tag should be VLAN 100 or VLAN 300?
Capture an ICMP reply message.
From the figure above, we can see that the BRAS's reply still carries a two-layer tag. So how does it distinguish between VLAN 100 and VLAN 200 in the inner VLAN?
View the ARP table on the BRAS with the command "display arp".
From the picture above, we can draw the following conclusion:
For downlink data flows, the BRAS encapsulates the IP packet with the destination MAC address and the double-layer VLAN tag according to the ARP entry.
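The double-tagged frame seen in the capture and the BRAS termination rules above, as an added Python example (not code from the original article): it pushes the C-tag and the outer tag onto a constructed frame the way the ONU and the OLT dot1q-tunnel port do, peels them back off, and maps the (outer, inner) pair to the sub-interface the page's qinq termination lines would select. MAC addresses and the truncated IP header are constructed; the outer tag is assumed to use TPID 0x8100, and the parser also accepts the 802.1ad TPID 0x88A8.

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID; assumed here for the outer tag too (Huawei dot1q-tunnel default)
TPID_8021AD = 0x88A8  # S-tag TPID used by standards-based 802.1ad QinQ, accepted on parse

def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert one VLAN tag behind the 12-byte MAC header, as an access or dot1q-tunnel port does on ingress."""
    if not 1 <= vid <= 4094:  # VLAN 0 and 4095 are reserved, as the page notes for Huawei devices
        raise ValueError(f"VID {vid} is reserved or out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def parse_tags(frame: bytes):
    """Peel every VLAN tag; return (VIDs outer-first, inner EtherType, payload)."""
    vids, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VID
        off += 4
    return vids, etype, frame[off + 2:]

# BRAS termination rules from the page: "qinq termination pe-vid 10 ce-vid 100 to 200" and pe-vid 20 / 300 to 400
TERMINATION = {10: (range(100, 201), "GigabitEthernet0/0/0.10"),
               20: (range(300, 401), "GigabitEthernet0/0/0.20")}

def terminate(vids):
    """Return the BRAS sub-interface that would strip this (outer, inner) pair, or None if no rule matches."""
    if len(vids) != 2:
        return None
    outer, inner = vids
    rule = TERMINATION.get(outer)
    return rule[1] if rule and inner in rule[0] else None

# Constructed sample: Win7's untagged IPv4 frame (MACs made up, IP header cut to its first 4 bytes)
WIN7_FRAME = bytes.fromhex("548910000001" "548920000001" "0800" "45000054")
C_TAGGED = push_tag(WIN7_FRAME, 100)   # SW1 access port adds the user VLAN (C-VLAN)
QINQ_FRAME = push_tag(C_TAGGED, 10)    # OLT dot1q-tunnel port adds the outer VLAN (P-VLAN)

if __name__ == "__main__":
    vids, etype, _ = parse_tags(QINQ_FRAME)
    print(vids, hex(etype), terminate(vids))  # → [10, 100] 0x800 GigabitEthernet0/0/0.10
```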
PPPoE configuration:
BRAS configuration
[BRAS] aaa
[BRAS-aaa] authentication-scheme test  // create an authentication scheme named test
[BRAS-aaa-authen-test] authentication-mode local  // use local authentication
[BRAS-aaa-authen-test] quit
[BRAS-aaa] domain pppoe  // create a domain
[BRAS-aaa-domain-pppoe] authentication-scheme test  // bind the authentication scheme to the domain; the name must match the scheme created above
[BRAS-aaa-domain-pppoe] quit
[BRAS-aaa] local-user jack password cipher abc123  // create a dial-up account
[BRAS-aaa] local-user jack service-type ppp  // restrict the account to the PPP service type
[BRAS-aaa] quit
[BRAS] ip pool pppoe  // create an address pool
[BRAS-ip-pool-pppoe] gateway-list 10.10.10.1  // gateway address of the address pool
[BRAS-ip-pool-pppoe] network 10.10.10.0 mask 24  // address range of the pool
[BRAS-ip-pool-pppoe] quit
[BRAS] interface Virtual-Template 1  // create the virtual interface template
[BRAS-Virtual-Template1] ip address 10.10.10.1 24  // virtual interface address; it must be in the same network segment as the address pool
[BRAS-Virtual-Template1] remote address pool pppoe  // address pool used to assign addresses to clients
[BRAS-Virtual-Template1] ppp authentication-mode pap domain pppoe  // authenticate with PAP and authenticate users in the pppoe domain
[BRAS-Virtual-Template1] ppp ipcp dns 8.8.8.8  // DNS server pushed to clients
[BRAS-Virtual-Template1] quit
[BRAS] interface GigabitEthernet0/0/0.10
[BRAS-GigabitEthernet0/0/0.10] pppoe-server bind virtual-template 1  // enable the PPPoE server on the sub-interface and bind the virtual template
[BRAS-GigabitEthernet0/0/0.10] interface GigabitEthernet0/0/0.20
[BRAS-GigabitEthernet0/0/0.20] pppoe-server bind virtual-template 1
Win7 dial-up verification
The verification shows that the dialled address is within the range of the address pool and that the DNS server configured on the BRAS takes effect.
Capture packets and analyze the PPPoE messages
PPPoE is divided into a discovery phase and a session phase.
The discovery phase consists of the following four messages:
The client broadcasts a PADI to find servers on the network
The server responds with a PADO, informing the client of some of its own information
The client sends a PADR to the chosen server, requesting a session ID
The server responds with a PADS, informing the client of the assigned session ID
The main task of the PPPoE discovery phase is to obtain the session ID.
Four kinds of messages: PADI, PADO, PADR, PADS
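The four discovery messages above, as an added Python example (not code from the original article): a small encoder and decoder for the PPPoE discovery header (the bytes after EtherType 0x8863) and its TLV tags, plus a check that the exchange runs PADI → PADO → PADR → PADS, that the session ID stays 0 until the PADS assigns it, and that the client's Host-Uniq is echoed back. The AC name, cookie, Host-Uniq and session ID values are constructed.

```python
import struct

# Code values of the discovery messages (PADT ends a session); the header is ver/type 0x11, code, session, length
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

def build_pad(code: int, session: int, tags) -> bytes:
    """Build a discovery payload from (tag_type, value) pairs."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body

def parse_pad(payload: bytes) -> dict:
    """Decode the header and TLV tag list of a discovery payload."""
    vt, code, session, length = struct.unpack_from("!BBHH", payload, 0)
    if vt != 0x11:
        raise ValueError("not PPPoE version 1, type 1")
    tags, off, end = {}, 6, 6 + length
    while off + 4 <= end:
        t, l = struct.unpack_from("!HH", payload, off)
        tags[TAGS.get(t, hex(t))] = payload[off + 4:off + 4 + l]
        off += 4 + l
    return {"code": CODES.get(code, hex(code)), "session": session, "tags": tags}

def check_discovery(payloads) -> int:
    """Validate the PADI/PADO/PADR/PADS sequence and return the session ID granted in the PADS."""
    msgs = [parse_pad(p) for p in payloads]
    if [m["code"] for m in msgs] != ["PADI", "PADO", "PADR", "PADS"]:
        raise ValueError("unexpected discovery sequence")
    if any(m["session"] != 0 for m in msgs[:3]) or msgs[3]["session"] == 0:
        raise ValueError("session ID must be 0 until the PADS assigns a non-zero one")
    uniq = msgs[0]["tags"].get("Host-Uniq")
    if uniq and any(m["tags"].get("Host-Uniq") != uniq for m in msgs[1:]):
        raise ValueError("Host-Uniq not echoed back")  # RFC 2516 requires the echo
    return msgs[3]["session"]

# Constructed exchange between the Win7 client and the BRAS (all values made up)
HOST_UNIQ = b"\x00\x00\x00\x2a"
EXCHANGE = [
    build_pad(0x09, 0, [(0x0101, b""), (0x0103, HOST_UNIQ)]),                                   # PADI, broadcast
    build_pad(0x07, 0, [(0x0101, b""), (0x0102, b"BRAS"), (0x0103, HOST_UNIQ), (0x0104, b"ck")]),  # PADO
    build_pad(0x19, 0, [(0x0101, b""), (0x0103, HOST_UNIQ), (0x0104, b"ck")]),                  # PADR
    build_pad(0x65, 0x0001, [(0x0101, b""), (0x0103, HOST_UNIQ)]),                              # PADS
]

if __name__ == "__main__":
    print("session ID granted:", check_discovery(EXCHANGE))  # → 1
```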
PPPoE session phase
There are three processes in the session phase:
LCP negotiation: completes layer-2 link establishment and parameter negotiation
Authentication: mainly PAP (password sent in plaintext) / CHAP (challenge-response, the password itself is not sent) / MS-CHAP
NCP negotiation: uses IPCP to complete the layer-3 configuration
Data transmission
LCP negotiation phase
Authentication phase
Conclusion: this experiment shows that in an operator's metropolitan area network each home user is isolated from the others by a user VLAN (C-VLAN). Even if your home and your neighbour's home are connected to the same ONU device, they are isolated from each other because they sit in different VLANs. On the upstream OLT or aggregation-layer switch, a second layer of tag, the operator VLAN (P-VLAN), is added to isolate traffic again so that enough VLANs are available. When the user's service data with two layers of tags arrives at the BRAS router, the two-layer tags are terminated to extract the layer-3 data. At the same time, to implement user authentication and accounting, the operator network uses PPPoE.