Thursday, December 26, 2024

fun with wildcard mask on Huawei device

You, as the network administrator, have been tasked with providing access to a network to which 4 machines are connected.

It is a simple task. Nothing can go wrong, but…

Everything is ready and you are checking connectivity between RT2 and those machines, and… To your surprise, you can only ping even-numbered IP addresses:

[RT2]ping 192.168.10.1
   PING 192.168.10.1: 56  data bytes, press CTRL_C to break
     Request time out
     Request time out
     Request time out
     Request time out
     Request time out

[RT2]ping 192.168.10.2
   PING 192.168.10.2: 56  data bytes, press CTRL_C to break
     Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=127 time=30 ms
     Reply from 192.168.10.2: bytes=56 Sequence=2 ttl=127 time=20 ms
     Reply from 192.168.10.2: bytes=56 Sequence=3 ttl=127 time=30 ms
     Reply from 192.168.10.2: bytes=56 Sequence=4 ttl=127 time=40 ms
     Reply from 192.168.10.2: bytes=56 Sequence=5 ttl=127 time=30 ms

[RT2]ping 192.168.10.3
   PING 192.168.10.3: 56  data bytes, press CTRL_C to break
     Request time out
     Request time out
     Request time out
     Request time out
     Request time out

[RT2]ping 192.168.10.4
   PING 192.168.10.4: 56  data bytes, press CTRL_C to break
     Reply from 192.168.10.4: bytes=56 Sequence=1 ttl=127 time=30 ms
     Reply from 192.168.10.4: bytes=56 Sequence=2 ttl=127 time=40 ms
     Reply from 192.168.10.4: bytes=56 Sequence=3 ttl=127 time=30 ms
     Reply from 192.168.10.4: bytes=56 Sequence=4 ttl=127 time=30 ms
     Reply from 192.168.10.4: bytes=56 Sequence=5 ttl=127 time=30 ms

What has happened?

You are sure that the IP addresses and gateways of the PCs are correct. Let's look into the configuration of RT1 and RT2:

[RT2]
 #
 interface GigabitEthernet0/0/1
  ip address 10.0.0.2 255.255.255.0 
 #
 ip route-static 192.168.10.0 255.255.255.0 10.0.0.1

[RT1]
 #
 interface GigabitEthernet0/0/0
  ip address 192.168.10.254 255.255.255.0 
  traffic-filter inbound acl 3000
 #
 interface GigabitEthernet0/0/1
  ip address 10.0.0.1 255.255.255.0 

Everything seems to be OK. The only thing left to check is access list number 3000, applied inbound on GigabitEthernet0/0/0. So let's get to the ACL:

[RT1]display acl 3000
 Advanced ACL 3000, 2 rules
 Acl's step is 5
  rule 10 permit ip source 192.168.10.0 0.0.0.254 (20 matches)
  rule 15 deny ip (20 matches)

And there is the reason for the problem.

What is happening here? Let's compare the IP address and the wildcard mask. Write them in binary:

11000000.10101000.00001010.00000000
00000000.00000000.00000000.11111110

We don't care about the first 3 octets: every bit of the wildcard mask is 0 there, so those octets of the source address must match exactly. We have to focus on the last octet.

In our access list, the first seven bits of the last octet of the wildcard mask are all 1s. It means that those seven bits of the address can be anything. The final bit in the last octet of the wildcard mask is 0. So the very last bit in any source IP address coming into this interface has to equal the corresponding bit of 192.168.10.0, which is zero. The rest of the bits in that final octet can be anything.

What does this mean in practice?

It means that rule 10 permits only source IP addresses whose last bit is 0; everything else falls through to rule 15 and is denied. So we can only ping even-numbered IP addresses.

What if you want to permit only odd-numbered IP addresses? Nothing easier: just start the IP address in the ACL at an odd number:

#
 acl number 3000  
  rule 10 permit ip source 192.168.10.1 0.0.0.254 
  rule 15 deny ip 
 #

Anyway, can you imagine the following wildcard mask: 0.0.255.0? What would happen if you used it with the IP address 10.10.0.1?

Finally you would have access to 10.10.0.1, 10.10.1.1, 10.10.2.1 and so on. How can you use this in practice?

Assume that you use the 10.10.0.0/16 subnet across your entire network. You can split it into many /24 subnets. On each subnet there is a machine with the IP address 10.10.x.100 acting as a server offering the same functionality on each subnet. So you want to have access only to those machines, I mean 10.10.0.100, 10.10.1.100, 10.10.2.100…

To achieve this goal, just configure the ACL like below:

 #
 acl number 3000  
  rule 10 permit ip source 10.10.0.100 0.0.255.0 
  rule 15 deny ip 
 # 
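
A small Python model of the wildcard-mask matching described above, added here as an example and not part of the original post. It reimplements the bit-by-bit comparison (a 0 bit in the wildcard means the bit must equal the base address, a 1 bit means don't care) and walks ACL 3000 in rule-ID order, first match wins. The ACL, the four host addresses and the prefixes it enumerates are constructed from the page; the function names are mine.

```python
import ipaddress

# Constructed copy of the page's advanced ACL 3000. Rules are evaluated in ascending
# rule-ID order and the first match wins, the order "display acl 3000" showed.
ACL_3000 = [
    (10, "permit", "192.168.10.0", "0.0.0.254"),
    (15, "deny", "0.0.0.0", "255.255.255.255"),  # "rule 15 deny ip": any source
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask.

    A 0 bit in the wildcard means "this bit must equal the base address",
    a 1 bit means "don't care". Unlike a subnet mask, the 1 bits need not be
    contiguous, which is exactly what 0.0.0.254 and 0.0.255.0 rely on.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a ^ b) & care == 0


def evaluate(acl, addr: str):
    """Return (rule_id, action) of the first rule matching addr, or None if no rule hits."""
    for rule_id, action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return rule_id, action
    return None


def matching_hosts(base: str, wildcard: str, prefix: str) -> list:
    """Enumerate every address inside prefix that the base/wildcard pair matches."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(a) for a in net if wildcard_match(str(a), base, wildcard)]


def verdicts(acl, hosts) -> dict:
    """Map each host to the ACL action it hits, e.g. {"192.168.10.1": "deny", ...}."""
    return {h: (evaluate(acl, h) or (None, "no match"))[1] for h in hosts}


if __name__ == "__main__":
    # The four machines RT2 pinged
    print(verdicts(ACL_3000, ["192.168.10.1", "192.168.10.2", "192.168.10.3", "192.168.10.4"]))
    # Odd addresses only (rule with source 192.168.10.1 0.0.0.254)
    print(matching_hosts("192.168.10.1", "0.0.0.254", "192.168.10.0/29"))
    # One server per /24 (rule with source 10.10.0.100 0.0.255.0)
    print(matching_hosts("10.10.0.100", "0.0.255.0", "10.10.0.0/22"))
```

Run it and you get permit for .2 and .4 and deny for .1 and .3, exactly the ping results above. The point for anyone reviewing an ACL: 0.0.0.254 looks like a typo for 0.0.0.255 but halves the permitted range, and 0.0.255.0 silently opens one host in every /24 of the /16, so compute the match set instead of reading the wildcard as if it were a subnet mask.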

This article shows how powerful the wildcard mask can be. You can actually do interesting stuff with it, can't you? Be careful, though: a wildcard mask with non-contiguous bits is easy to misread as a subnet mask, so always work out exactly which addresses a rule matches before you trust it.


QinQ termination on subinterfaces to support DHCP Relay

So far you have learned basic and selective QinQ on Huawei switches. They seem like a simple Layer 2 VPN solution which we can use to connect 2 or more offices. And of course, that is true.

But sometimes we want to have access to external services or just to the Internet, instead of connecting 2 branch offices. And still we can use QinQ technology, why not?

The only thing we should do is to terminate the QinQ VLAN tags on a router. Just create a Layer 3 subinterface and let the router use its IP routing table to forward the packets.

In our LAB, I am going to show you how to terminate QinQ in order to use a DHCP server located outside our network. In this case the DHCP Relay feature must be used.

So let’s get to the point!

QinQ termination on subinterfaces to support DHCP Relay on Huawei

Topology of QinQ to support DHCP Relay

QinQ VLAN Tag termination on Huawei

1. Configure the basic Layer 2 forwarding function

SW_1
vlan batch 100
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100

SW_2
vlan batch 200
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200

2. Configure QinQ on SW_A so that packets sent from SW_1 and SW_2 towards the DHCP server carry double tags

SW_A
#
interface GigabitEthernet0/0/1
 qinq vlan-translation enable
 port hybrid untagged vlan 1000
 port vlan-stacking vlan 100 stack-vlan 1000
#
interface GigabitEthernet0/0/2
 qinq vlan-translation enable
 port hybrid untagged vlan 1000
 port vlan-stacking vlan 200 stack-vlan 1000
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 1000

3. Configure subinterfaces for QinQ VLAN tag termination on the DHCP-Relay router

#
interface GigabitEthernet0/0/0.1
 qinq termination pe-vid 1000 ce-vid 100
 ip address 172.16.1.1 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/0.2
 qinq termination pe-vid 1000 ce-vid 200
 ip address 172.16.2.1 255.255.255.0 
 arp broadcast enable

4. Configure DHCP Relay function on Huawei

[DHCP-Relay]dhcp enable

[DHCP-Relay]interface GigabitEthernet0/0/0.1
[DHCP-Relay-GigabitEthernet0/0/0.1]dhcp select relay
[DHCP-Relay-GigabitEthernet0/0/0.1]dhcp relay server-ip 192.168.1.100

[DHCP-Relay]interface GigabitEthernet0/0/0.2
[DHCP-Relay-GigabitEthernet0/0/0.2]dhcp select relay
[DHCP-Relay-GigabitEthernet0/0/0.2]dhcp relay server-ip 192.168.1.100

5. Set IP address for communication between DHCP-Relay and DHCP-Server

[DHCP-Relay]interface GigabitEthernet0/0/1
[DHCP-Relay-GigabitEthernet0/0/1]ip address 192.168.1.1 255.255.255.0

6. DHCP Server configuration

dhcp enable
#
ip pool 1
 gateway-list 172.16.1.1 
 network 172.16.1.0 mask 255.255.255.0 
#
ip pool 2
 gateway-list 172.16.2.1 
 network 172.16.2.0 mask 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.100 255.255.255.0 
 dhcp select global

7. Configure static route to reach VLAN 100 and VLAN 200

[DHCP-Server]ip route-static 172.16.1.0 255.255.255.0 192.168.1.1
[DHCP-Server]ip route-static 172.16.2.0 255.255.255.0 192.168.1.1

8. DHCP verification

[DHCP-Relay]dis dhcp relay all
 DHCP relay agent running information of interface GigabitEthernet0/0/0.1 :
 Server IP address [01] : 192.168.1.100
 Gateway address in use : 172.16.1.1
 
 DHCP relay agent running information of interface GigabitEthernet0/0/0.2 :
 Server IP address [01] : 192.168.1.100
 Gateway address in use : 172.16.2.1

9. QinQ verification

And finally, after QinQ VLAN tag termination, we have a pure IP packet without any tag:


selective QinQ on Huawei switches

Let's go ahead with QinQ technology. In the last post you had the opportunity to learn about basic QinQ tunneling on Huawei switches. The QinQ tunnel attaches the same outer tag to all the frames entering the Layer 2 QinQ interface.

In this lab I would like to attach different outer tags to the frames entering the Layer 2 QinQ interface, according to their inner tags. It is useful when packets need to be differentiated in a provider's network, for example by service type or by the user's application.

In this case we have one enterprise network with a branch office located in another city. The customer network is divided into 2 VLANs to differentiate the existing services. Our task is to transparently transmit packets through the ISP network, taking care not to allow traffic between VLAN10 and VLAN20.

Selective QinQ topology

Selective QinQ configuration on Huawei switches

1. First of all, the configuration of the switches in the HQ and the branch office of the enterprise.

vlan batch 10 20
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/1
 port hybrid tagged vlan 10 20

2. Furthermore, create VLANs 100 and 200 on all ISP switches. Below SwitchA as an example.

[Switch_A]vlan batch 100 200

3. Allow VLANs 100 and 200 to be transmitted between ISP switches.

[SwitchA]interface GigabitEthernet 0/0/2 
[SwitchA-GigabitEthernet0/0/2]port link-type trunk 
[SwitchA-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 200 
[SwitchB]interface GigabitEthernet 0/0/4 
[SwitchB-GigabitEthernet0/0/4]port link-type trunk 
[SwitchB-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200 
[ISP]interface GigabitEthernet 0/0/2 
[ISP-GigabitEthernet0/0/2]port link-type trunk 
[ISP-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 200 
[ISP]interface GigabitEthernet 0/0/4 
[ISP-GigabitEthernet0/0/4]port link-type trunk 
[ISP-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200

4. Configure selective QinQ on interfaces of SwitchA and SwitchB.

[Switch_A]interface GigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1]qinq vlan-translation enable
[Switch_A-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200
[Switch_A-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch_A-GigabitEthernet0/0/1] port vlan-stacking vlan 20 stack-vlan 200
[Switch_B]interface GigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1]qinq vlan-translation enable 
[Switch_B-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 
[Switch_B-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100 
[Switch_B-GigabitEthernet0/0/1] port vlan-stacking vlan 20 stack-vlan 200

Please notice that selective QinQ can only be enabled on hybrid interfaces and applies only to incoming packets. The outer VLAN tag is removed from outgoing frames, which are transmitted as plain 802.1Q towards the enterprise switches.

5. Check communication between PCs in the same VLANs.

PC_VLAN10>ping 172.16.10.2

Ping 172.16.10.2: 32 data bytes, Press Ctrl_C to break
From 172.16.10.2: bytes=32 seq=1 ttl=128 time=125 ms
From 172.16.10.2: bytes=32 seq=2 ttl=128 time=141 ms
From 172.16.10.2: bytes=32 seq=3 ttl=128 time=156 ms
From 172.16.10.2: bytes=32 seq=4 ttl=128 time=94 ms
From 172.16.10.2: bytes=32 seq=5 ttl=128 time=141 ms
PC_VLAN20>ping 172.16.20.2

Ping 172.16.20.2: 32 data bytes, Press Ctrl_C to break
From 172.16.20.2: bytes=32 seq=1 ttl=128 time=125 ms
From 172.16.20.2: bytes=32 seq=2 ttl=128 time=125 ms
From 172.16.20.2: bytes=32 seq=3 ttl=128 time=141 ms
From 172.16.20.2: bytes=32 seq=4 ttl=128 time=156 ms
From 172.16.20.2: bytes=32 seq=5 ttl=128 time=187 ms

Let's look into an ICMP packet traveling through the ISP network:

And finally, communication between the VLANs is blocked, as we intended.

PC_VLAN10>ping 172.16.20.2

Ping 172.16.20.2: 32 data bytes, Press Ctrl_C to break
From 172.16.10.1: Destination host unreachable


basic QinQ configuration on Huawei switches

In the traditional 802.1Q protocol, a service provider has to assign different VLAN IDs to different users. The number of VLANs is limited to 4094 IDs. In addition, different users cannot use the same VLAN ID.

A simple method to solve this is to implement QinQ. The QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to a packet that already carries an 802.1Q tag. In this manner, services from the private VLANs can be transparently transmitted through the public network. The ISP network only provides one VLAN ID for all the different VLANs from the same user network. This saves VLAN IDs of the ISP. Meanwhile, QinQ provides a simple Layer 2 VPN solution for a small MAN or local area network.

QinQ tunneling on Huawei switches

Let's assume that we have two enterprise networks. Each enterprise has two branch offices located in different cities. As an ISP, we cannot force these enterprises to use different VLAN planning. In our case, both use VLAN 10 and our task is to transparently transmit traffic between the remote offices through the ISP network.

What we want to achieve is to ensure communication between remote offices of each enterprise and to block communication between Enterprise_1 and Enterprise_2. We can use basic QinQ tunneling in this case. It adds the same outer VLAN tag to all the frames entering a Layer 2 port.

QinQ topology

QinQ configuration on Huawei switches

1. Configure the enterprise switches to allow VLAN 10 to be transmitted. All enterprise switches in our case have the same configuration. You can recall VLAN configuration by looking at the following post: VLAN, trunk, VLANIF (SVI) on Huawei switch.

vlan batch 10
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10

2. Create VLANs 100 and 200 on all ISP switches. Below SwitchA as an example.

[SwitchA]vlan batch 100 200

3. Allow VLANs 100 and 200 to be transmitted between ISP switches.

[SwitchA]interface GigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2]port link-type trunk
[SwitchA-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 200

[SwitchB]interface GigabitEthernet 0/0/4
[SwitchB-GigabitEthernet0/0/4]port link-type trunk
[SwitchB-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200

[ISP]interface GigabitEthernet 0/0/2
[ISP-GigabitEthernet0/0/2]port link-type trunk
[ISP-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 200

[ISP]interface GigabitEthernet 0/0/4
[ISP-GigabitEthernet0/0/4]port link-type trunk
[ISP-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200

4. Set the interfaces of SwitchA and SwitchB towards Enterprise_1 and Enterprise_2 as QinQ (dot1q-tunnel) ports with outer VLAN tags 100 and 200 respectively.

[SwitchA]interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]port link-type dot1q-tunnel
[SwitchA-GigabitEthernet0/0/1]port default vlan 100

[SwitchA]interface GigabitEthernet 0/0/3
[SwitchA-GigabitEthernet0/0/3]port link-type dot1q-tunnel
[SwitchA-GigabitEthernet0/0/3]port default vlan 200

[SwitchB]interface GigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1]port link-type dot1q-tunnel
[SwitchB-GigabitEthernet0/0/1]port default vlan 100

[SwitchB]interface GigabitEthernet 0/0/3
[SwitchB-GigabitEthernet0/0/3]port link-type dot1q-tunnel
[SwitchB-GigabitEthernet0/0/3]port default vlan 200

5. Check communication between branch offices in Enterprise_1 and in Enterprise_2.

PC_Enterprise_1>ping 172.16.1.2

Ping 172.16.1.2: 32 data bytes, Press Ctrl_C to break
From 172.16.1.2: bytes=32 seq=1 ttl=128 time=140 ms
From 172.16.1.2: bytes=32 seq=2 ttl=128 time=94 ms
From 172.16.1.2: bytes=32 seq=3 ttl=128 time=109 ms
From 172.16.1.2: bytes=32 seq=4 ttl=128 time=125 ms
From 172.16.1.2: bytes=32 seq=5 ttl=128 time=125 ms

PC_Enterprise_2>ping 172.16.1.11

Ping 172.16.1.11: 32 data bytes, Press Ctrl_C to break
From 172.16.1.11: bytes=32 seq=1 ttl=128 time=156 ms
From 172.16.1.11: bytes=32 seq=2 ttl=128 time=94 ms
From 172.16.1.11: bytes=32 seq=3 ttl=128 time=125 ms
From 172.16.1.11: bytes=32 seq=4 ttl=128 time=109 ms
From 172.16.1.11: bytes=32 seq=5 ttl=128 time=125 ms

Let’s look into the ICMP packet:

Wireshark QinQ Huawei switches

As you can see there are 2 VLAN tags inside the ISP network, so QinQ is working correctly.
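
To see what the switches and the router do to each frame in the three QinQ posts on this page (basic QinQ on a dot1q-tunnel port, selective QinQ with vlan-stacking, and termination on the DHCP-Relay subinterfaces), here is a small Python frame model, added as an example and not taken from the posts or from Huawei. It assumes both tags use TPID 0x8100 (Huawei's outer TPID is configurable, and the captures above only show that two tags are present); the MAC addresses and the DHCP payload are constructed, and the function names are mine.

```python
import struct

# Assumption: every tag, inner and outer, uses TPID 0x8100. Huawei lets you change the
# outer TPID (0x88a8 for 802.1ad); the page's captures only say "2 VLAN tags".
TPID_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, vids, payload: bytes, ethertype=ETHERTYPE_IPV4) -> bytes:
    """Ethernet frame with a tag stack given outermost-first (PCP/DEI left at 0)."""
    tags = b"".join(struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF) for vid in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Walk nested 802.1Q tags; return (vid list outermost-first, ethertype, payload offset)."""
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype != TPID_DOT1Q:
            return vids, etype, off + 2
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a new outer tag right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, vid) + frame[12:]


def dot1q_tunnel_ingress(frame: bytes, pvid: int) -> bytes:
    """Basic QinQ ('port link-type dot1q-tunnel' + 'port default vlan'): every frame,
    whatever its inner tag, gets the same outer tag."""
    return push_tag(frame, pvid)


def vlan_stacking_ingress(frame: bytes, stacking: dict):
    """Selective QinQ ('port vlan-stacking vlan X stack-vlan Y'): choose the outer tag from
    the inner VID. Frames whose inner VID has no mapping are dropped in this model (None)."""
    vids, _, _ = parse_tags(frame)
    if not vids or vids[0] not in stacking:
        return None
    return push_tag(frame, stacking[vids[0]])


def qinq_terminate(frame: bytes, subinterfaces: dict):
    """Router termination ('qinq termination pe-vid P ce-vid C'): pick the subinterface by
    (outer, inner) and strip both tags. Returns (subinterface, untagged frame) or (None, None)."""
    vids, _, off = parse_tags(frame)
    if len(vids) != 2 or (vids[0], vids[1]) not in subinterfaces:
        return None, None
    return subinterfaces[(vids[0], vids[1])], frame[:12] + frame[off - 2:]


# Constructed sample: a DHCP client broadcast from VLAN 100 behind SW_1 in the relay lab.
CLIENT_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [100], b"DHCPDISCOVER")
SW_A_STACKING = {100: 1000, 200: 1000}            # SW_A Gi0/0/1 and Gi0/0/2
RELAY_SUBIFS = {(1000, 100): "GigabitEthernet0/0/0.1",
                (1000, 200): "GigabitEthernet0/0/0.2"}


def relay_lab_path():
    """Follow the client frame SW_1 -> SW_A -> DHCP-Relay. Returns (tags in the ISP core,
    subinterface chosen, tags left after termination)."""
    core = vlan_stacking_ingress(CLIENT_FRAME, SW_A_STACKING)
    subif, untagged = qinq_terminate(core, RELAY_SUBIFS)
    return parse_tags(core)[0], subif, parse_tags(untagged)[0]


if __name__ == "__main__":
    print(relay_lab_path())
```

relay_lab_path() returns ([1000, 100], 'GigabitEthernet0/0/0.1', []): the frame carries outer 1000 and inner 100 across the ISP core, the router matches the (pe-vid, ce-vid) pair to the first subinterface and hands an untagged frame to IP. What the model makes explicit is that a dot1q-tunnel port stacks its outer tag on any inner VID, so the isolation between Enterprise_1 and Enterprise_2 rests entirely on the different outer tags, while vlan-stacking only forwards the inner VIDs it has a mapping for.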

6. Notice that communication between Enterprise_1 and Enterprise_2 is blocked.

PC_Enterprise_1>ping 172.16.1.11

Ping 172.16.1.11: 32 data bytes, Press Ctrl_C to break
From 172.16.1.1: Destination host unreachable
From 172.16.1.1: Destination host unreachable
From 172.16.1.1: Destination host unreachable
From 172.16.1.1: Destination host unreachable
From 172.16.1.1: Destination host unreachable


RIP loop protection

I am going to show you how RIP loop protection works. Let's take the topology from the previous post to demonstrate the features.

RIP topology

There are 2 methods of loop protection: Split Horizon and Poison Reverse.

Split Horizon

It prohibits a router from advertising a route back to its neighbors through the interface on which it received that route. Split Horizon is enabled by default on Huawei routers:

[R1]display rip 1 interface Serial 0/0/0 verbose
Serial0/0/0(192.168.20.1)
State : UP MTU : 500
Metricin : 0
Metricout : 1
Input : Enabled Output : Enabled
Protocol : RIPv2 Multicast
Send version : RIPv2 Multicast Packets
Receive version : RIPv2 Multicast and Broadcast Packets
Poison-reverse : Disabled
Split-Horizon : Enabled
Authentication type : None
Replay Protection : Disabled

Split Horizon is disabled by default on NBMA networks like Frame Relay and X.25.

Let’s look at the RIP routing table of R2 router:

[R2]display rip 1 route 
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 192.168.10.2 on GigabitEthernet0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
          3.3.3.3/32      192.168.10.2      1    0        RA       8
 Peer 192.168.20.1 on Serial0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
         10.0.3.0/24      192.168.20.1      1    0        RA      17
         10.0.2.0/24      192.168.20.1      1    0        RA      17
         10.0.1.0/24      192.168.20.1      1    0        RA      17
         10.0.0.0/24      192.168.20.1      1    0        RA      17
          1.1.1.1/32      192.168.20.1      1    0        RA      17


RIP split horizon_2

From the RIP routing table of R2 you can see which networks are advertised by router R1. Because Split Horizon prohibits router R2 from advertising those routes back to router R1, a loop is avoided.

Let’s check what will happen if we disable Split Horizon on router R2:

[R2]interface Serial 0/0/0
[R2-Serial0/0/0]undo rip split-horizon

RIP split horizon_3

RIP split horizon_4

We can see that R1 is still sending the proper routes, but a routing loop has now formed, because R2 advertises the received routes back to R1. As a result, R1 learns from R2 that network 10.0.0.0 is reachable through R2 as the next hop, at cost 2:

[R1-GigabitEthernet0/0/1]dis rip 1 route
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 192.168.20.2 on Serial0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
     192.168.10.0/24      192.168.20.2      1    0        RA      15
         10.0.0.0/8       192.168.20.2      2    0        RA      15
          3.0.0.0/8       192.168.20.2      2    0        RA      15
          2.0.0.0/8       192.168.20.2      1    0        RA      15
          1.0.0.0/8       192.168.20.2      2    0        RA      15

Let’s check what will happen if we shut down network 10.0.0.0 on R1:

[R1-GigabitEthernet0/0/1]shutdown

Shutting down the interface activates the Triggered Update function: R1 sends an update immediately and the Garbage-collect timer starts counting. After 120s network 10.0.0.0 is deleted from the RIP database. Triggered Update lets us shorten the network convergence time from 300s to 120s.

[R1-GigabitEthernet0/0/1]dis rip 1 route
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 192.168.20.2 on Serial0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
     192.168.10.0/24      192.168.20.2      1    0        RA       7
          3.0.0.0/8       192.168.20.2      2    0        RA       7
          2.0.0.0/8       192.168.20.2      1    0        RA       7
          1.0.0.0/8       192.168.20.2      2    0        RA       7
         10.0.0.0/8       192.168.20.2     16    0        RG     120

Poison Reverse

It prevents routing loops by setting the metric of a route to 16 (unreachable) and advertising the route back to the neighbors through the interface that received it. By default, Poison Reverse is disabled on Huawei routers. We can enable it with the following command:

[R1]int Serial 0/0/0
[R1-Serial0/0/0]rip poison-reverse

[R2]interface Serial 0/0/0
[R2-Serial0/0/0]rip poison-reverse

We can easily verify it by looking into the captured packets:

RIP split horizon_5

Notice that, if both Poison Reverse and Split Horizon are enabled, only Poison Reverse takes effect.
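
The two protections and the loop they prevent can be reproduced with a tiny distance-vector model; the Python below is an added example, not code from the post or from Huawei. It keeps the page's R1/R2 roles, the Serial0/0/0 link and the Metricin 0 / Metricout 1 defaults shown by display rip 1 interface verbose, and it models the 10.0.0.0 network as an assumed /24 behind R1 (the page only shows 10.0.0.0/8 in the RIP database). The scenario it plays out is the race where R2's stale periodic update reaches R1 after R1 has flushed its connected route; there are no timers, so aging and garbage collection are not modelled.

```python
INFINITY = 16                      # RIP's "unreachable" metric
PREFIX = "10.0.0.0/24"             # network behind R1's GigabitEthernet0/0/1 (assumed /24)
LINK = "Serial0/0/0"               # the R1-R2 serial link from the page


def build_update(table, out_iface, split_horizon=False, poison_reverse=False, metric_out=1):
    """Routes a router advertises out of out_iface, as {prefix: metric}.

    table maps prefix -> (metric, learned_from_iface); learned_from_iface is None for a
    directly connected network. metric_out mirrors Huawei's default 'Metricout : 1'.
    Poison Reverse takes precedence when both protections are on, as the page notes.
    """
    update = {}
    for prefix, (metric, learned_from) in table.items():
        if learned_from == out_iface:
            if poison_reverse:
                update[prefix] = INFINITY      # advertise it back, but as unreachable
                continue
            if split_horizon:
                continue                       # never advertise it back at all
        update[prefix] = min(metric + metric_out, INFINITY)
    return update


def apply_update(table, in_iface, update, metric_in=0):
    """Receive processing (RFC 2453 section 3.9.2, simplified: no timers, no hold-down).
    metric_in mirrors Huawei's default 'Metricin : 0'."""
    for prefix, adv in update.items():
        metric = min(adv + metric_in, INFINITY)
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:
                table[prefix] = (metric, in_iface)
        elif current[1] == in_iface:
            # Same neighbour: always accept its new metric, even if worse. This is how a
            # poisoned route propagates, and also how a loop counts up to infinity.
            table[prefix] = (metric, in_iface)
        elif metric < current[0]:
            table[prefix] = (metric, in_iface)
    return table


def count_to_infinity(split_horizon=False, poison_reverse=False, max_rounds=20):
    """Constructed race: R1 loses PREFIX and flushes it, but R2's periodic update, built
    from its stale table, reaches R1 before R2 hears about the loss.
    Returns (rounds in which a table changed, R1's final metric or None, R2's final metric)."""
    r1 = {PREFIX: (0, None)}
    r2 = {}
    apply_update(r2, LINK, build_update(r1, LINK, split_horizon, poison_reverse))  # R2 learns cost 1
    del r1[PREFIX]                                   # R1's interface shut down, route flushed
    changes = 0
    for _ in range(max_rounds):
        before = (dict(r1), dict(r2))
        apply_update(r1, LINK, build_update(r2, LINK, split_horizon, poison_reverse))
        apply_update(r2, LINK, build_update(r1, LINK, split_horizon, poison_reverse))
        if (r1, r2) == before:
            break                                    # converged: nothing changed this round
        changes += 1
    m1 = r1[PREFIX][0] if PREFIX in r1 else None
    m2 = r2[PREFIX][0] if PREFIX in r2 else None
    return changes, m1, m2


if __name__ == "__main__":
    for sh, pr in ((False, False), (True, False), (False, True)):
        print(f"split-horizon={sh} poison-reverse={pr}: {count_to_infinity(sh, pr)}")
```

Without any protection the two routers count the route up by one per update until 16, the classic count-to-infinity (8 rounds of changes in this model, ending with 16 on both sides). With Split Horizon R2 never sends the route back, and with Poison Reverse it sends it back as metric 16, so R1 installs nothing either way; R2's stale cost-1 entry is what the aging timer would eventually clear. build_update also shows why the page says Poison Reverse wins when both are enabled: the poisoned entry is emitted before the Split Horizon check is reached.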
