A reminder for those who already know, a guide for those who would like to know. My first video on how to access emulated eNSP devices, including graphical access to the USG firewall. Hope you like it 🙂
fun with wildcard mask on Huawei device
You, as the network administrator, have been tasked with providing access to a network where 4 machines are connected.
It is a simple task. Nothing can go wrong, but…
Everything is ready and you are checking connectivity between RT2 and those machines, and… to your surprise, you can only ping the even-numbered IP addresses:
[RT2]ping 192.168.10.1
  PING 192.168.10.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

[RT2]ping 192.168.10.2
  PING 192.168.10.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=127 time=30 ms
    Reply from 192.168.10.2: bytes=56 Sequence=2 ttl=127 time=20 ms
    Reply from 192.168.10.2: bytes=56 Sequence=3 ttl=127 time=30 ms
    Reply from 192.168.10.2: bytes=56 Sequence=4 ttl=127 time=40 ms
    Reply from 192.168.10.2: bytes=56 Sequence=5 ttl=127 time=30 ms

[RT2]ping 192.168.10.3
  PING 192.168.10.3: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

[RT2]ping 192.168.10.4
  PING 192.168.10.4: 56  data bytes, press CTRL_C to break
    Reply from 192.168.10.4: bytes=56 Sequence=1 ttl=127 time=30 ms
    Reply from 192.168.10.4: bytes=56 Sequence=2 ttl=127 time=40 ms
    Reply from 192.168.10.4: bytes=56 Sequence=3 ttl=127 time=30 ms
    Reply from 192.168.10.4: bytes=56 Sequence=4 ttl=127 time=30 ms
    Reply from 192.168.10.4: bytes=56 Sequence=5 ttl=127 time=30 ms
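The classic cause of "only even addresses answer" is an ACL whose wildcard mask is non-contiguous: a 0 bit in the wildcard means "this bit must match the base address", a 1 bit means "don't care", so a wildcard of 0.0.0.254 cares about exactly one bit, the lowest one. The Python below is an added example, not code or configuration from the original post; the ACL it evaluates (permit 192.168.10.0 0.0.0.254, then deny everything) is a hypothetical rule set that reproduces the symptom, and the default action for unmatched traffic is a parameter because it differs between Huawei platforms and features.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei/Cisco wildcard semantics: 0 bit = must match base, 1 bit = don't care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is just an inverted subnet mask (all 1 bits at the low end).
    0.0.0.255 is contiguous, 0.0.0.254 is not: it skips the lowest bit."""
    w = _ip(wildcard)
    return w & (w + 1) == 0


def matched_host_count(wildcard: str) -> int:
    """Each don't-care bit doubles the number of addresses a rule matches."""
    return 1 << bin(_ip(wildcard)).count("1")


def matching_addresses(base: str, wildcard: str, scope: str):
    """Enumerate the addresses inside `scope` that a (base, wildcard) pair matches."""
    return [str(h) for h in ipaddress.IPv4Network(scope)
            if wildcard_match(str(h), base, wildcard)]


def acl_action(rules, addr: str, default: str = "permit") -> str:
    """First-match evaluation of (action, base, wildcard) rules.
    `default` is what happens when nothing matches; it is platform/feature dependent."""
    for action, base, wildcard in rules:
        if wildcard_match(addr, base, wildcard):
            return action
    return default


# Hypothetical ACL (assumption, not the page's configuration) that produces the symptom:
#   rule 5  permit ip source 192.168.10.0 0.0.0.254   <- only the lowest bit is checked, must be 0
#   rule 10 deny ip                                    <- everything else
EVEN_ONLY_ACL = [
    ("permit", "192.168.10.0", "0.0.0.254"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]


def reachable(acl, hosts):
    """Hosts the ACL lets through, evaluated in order."""
    return [h for h in hosts if acl_action(acl, h) == "permit"]


if __name__ == "__main__":
    hosts = ["192.168.10.%d" % i for i in range(1, 5)]
    for h in hosts:
        print(h, acl_action(EVEN_ONLY_ACL, h))
    w = "0.0.0.254"
    print("contiguous:", is_contiguous(w), "hosts matched per /24-sized range:",
          matched_host_count(w))
    print(matching_addresses("192.168.10.0", w, "192.168.10.0/29"))
```

A practical check when troubleshooting: run is_contiguous() over every wildcard in a dumped ACL. Anything that returns False is either a deliberate trick (match every odd host, every fourth subnet) or a typo such as 0.0.0.254 for 0.0.0.255, and either way deserves a comment in the configuration.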
QinQ termination on subinterfaces to support DHCP Relay
But sometimes we want access to external services, or just to the Internet, instead of connecting two branch offices. We can still use QinQ for that, why not?
The only thing we need to do is terminate the QinQ VLAN tags on a router: create an L3 subinterface that strips both tags and let the router use its IP routing table to forward the packets.
In this lab I am going to show how to terminate QinQ in order to reach a DHCP server located outside our network. Since the DHCP clients and the server are then in different broadcast domains, the DHCP Relay feature must be used on the terminating router.
So let’s get to the point!
QinQ termination on subinterfaces to support DHCP Relay on Huawei
Topology of QinQ to support DHCP Relay
selective QinQ on Huawei switches
In this lab I would like to attach different outer tags to the frames entering the Layer 2 QinQ interface, according to their inner tags. This is useful when packets need to be differentiated in the provider's network, for example by service type or by the user's application.
In this case we have one enterprise network with a branch office located in another city. The customer network is divided into two VLANs to separate the existing services. Our task is to transparently transmit packets through the ISP network while making sure that no traffic is allowed between VLAN10 and VLAN20.
Selective QinQ topology
basic QinQ configuration on Huawei switches
In the traditional 802.1Q protocol, a service provider has to assign different VLAN IDs to users in different VLANs. The number of VLANs is limited to 4094 IDs. In addition, different users cannot use the same VLAN ID.
A simple way to solve this is QinQ. QinQ improves VLAN utilization by adding another 802.1Q tag to a packet that already carries an 802.1Q tag. In this manner, services from the private VLAN can be transparently transmitted through the public network. The ISP network provides only one VLAN ID for all the VLANs of the same user network, which saves the ISP's VLAN IDs. At the same time, QinQ provides a simple Layer 2 VPN solution for a small MAN or for local area networks.
QinQ tunneling on Huawei switches
Let's assume that we have two enterprise networks. Each enterprise has two branch offices located in different cities. As an ISP, we cannot force these enterprises to use different VLAN plans. In our case both use VLAN 10, and our task is to transparently transmit traffic between the remote offices through the ISP network.
What we want to achieve is communication between the remote offices of each enterprise, while blocking communication between Enterprise_1 and Enterprise_2. Basic QinQ tunneling does exactly this: it adds the same outer VLAN tag to all frames entering a Layer 2 port, so the ISP core switches on the outer tag only and the identical inner VLAN 10 of the two enterprises never collides.
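The frame operations behind the three QinQ posts above are small enough to model directly. The Python below is an added example, not code or configuration from the original posts: basic QinQ pushes one fixed outer tag per port (the "QinQ tunneling" and "basic QinQ configuration" posts), selective QinQ chooses the outer tag from the inner VLAN ID (the "selective QinQ" post), and QinQ termination on a router subinterface strips a matching outer/inner pair (pe-vid/ce-vid in Huawei terms) and hands the packet to IP forwarding (the DHCP Relay post). All frames, MAC addresses and payloads are constructed for the example; it assumes Huawei's default of using TPID 0x8100 for the outer tag as well as the inner one (0x88a8 is accepted when parsing).

```python
import struct

TPID_8100 = 0x8100        # 802.1Q tag; also the default outer TPID on Huawei switches (assumption)
TPID_88A8 = 0x88A8        # 802.1ad S-tag
TPIDS = {TPID_8100, TPID_88A8, 0x9100}
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).
    tags is a list of (tpid, pcp, dei, vid) from outermost to innermost."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while off + 2 <= len(frame):
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return dst, src, tags, etype, frame[off + 2:]
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    raise ValueError("no EtherType after VLAN tags")


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    out = dst + src
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def vid_stack(frame: bytes):
    """VLAN IDs outer -> inner, e.g. [100, 10] for a QinQ frame."""
    return [t[3] for t in parse_frame(frame)[2]]


def push_outer_tag(frame: bytes, vid: int, tpid: int = TPID_8100, pcp: int = 0) -> bytes:
    dst, src, tags, etype, payload = parse_frame(frame)
    return build_frame(dst, src, [(tpid, pcp, 0, vid)] + tags, etype, payload)


def pop_outer_tag(frame: bytes) -> bytes:
    dst, src, tags, etype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return build_frame(dst, src, tags[1:], etype, payload)


def basic_qinq_ingress(frame: bytes, port_outer_vid: int) -> bytes:
    """Basic QinQ: every frame entering the port gets the same outer tag,
    whatever inner VLAN the customer used."""
    return push_outer_tag(frame, port_outer_vid)


def selective_qinq_ingress(frame: bytes, inner_to_outer: dict, default_outer=None):
    """Selective QinQ: the outer tag depends on the customer's inner VID.
    Inner VIDs with no mapping get default_outer, or are dropped (None) if there is none."""
    _, _, tags, _, _ = parse_frame(frame)
    inner = tags[0][3] if tags else None
    outer = inner_to_outer.get(inner, default_outer)
    return None if outer is None else push_outer_tag(frame, outer)


def qinq_terminate(frame: bytes, pe_vid: int, ce_vid: int):
    """Router L3 subinterface terminating the (pe-vid, ce-vid) pair: both tags are
    stripped and (ethertype, packet) goes to IP forwarding; anything else is dropped."""
    _, _, tags, etype, payload = parse_frame(frame)
    if len(tags) != 2 or tags[0][3] != pe_vid or tags[1][3] != ce_vid:
        return None
    return etype, payload


def make_customer_frame(vid: int) -> bytes:
    """Constructed sample: single-tagged customer frame with made-up MACs and a dummy IPv4 header."""
    dst, src = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    payload = b"\x45\x00\x00\x14" + b"\x00" * 16
    return build_frame(dst, src, [(TPID_8100, 0, 0, vid)], ETHERTYPE_IPV4, payload)


if __name__ == "__main__":
    ent1 = basic_qinq_ingress(make_customer_frame(10), 100)   # Enterprise_1 port: outer 100
    ent2 = basic_qinq_ingress(make_customer_frame(10), 200)   # Enterprise_2 port: outer 200
    print("Enterprise_1 in ISP core:", vid_stack(ent1))
    print("Enterprise_2 in ISP core:", vid_stack(ent2))
    sel = {10: 100, 20: 200}
    print("selective, inner 20:", vid_stack(selective_qinq_ingress(make_customer_frame(20), sel)))
    print("selective, inner 30:", selective_qinq_ingress(make_customer_frame(30), sel))
    print("terminated on router:", qinq_terminate(ent1, 100, 10) is not None)
```

The separation property the tunneling post asks for falls out of the tag stack: the ISP switches forward on the outer VID alone, so Enterprise_1 (outer 100) and Enterprise_2 (outer 200) never share a broadcast domain even though both carry inner VLAN 10. For selective QinQ, decide explicitly what happens to unmapped inner VIDs (drop, or a default outer tag); a silently applied default is how customer VLANs end up in the wrong service.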