How to configure VLAN-VPN(QinQ) for L3 switches in controller Mode using the CLI template
Apply to: Omada SDN Controller v5.13.30.8 and above.
This article will introduce how to configure VLAN-VPN(QinQ) for L3 switches in controller Mode using the CLI template.
What is VLAN-VPN?
A Virtual Private Network (VLAN-VPN) is a Layer 2 VLAN technology that is usually deployed at the edge of an ISP network. When VLAN-VPN is used, the switch adds an extra VLAN TAG to packets forwarded from the customer network to the ISP network. In this way, packets can carry a double-layer VLAN TAG for forwarding. On an ISP network, packets are forwarded according to the external VLAN TAG, and the original inner VLAN TAG is considered as part of the packet load. After packets are forwarded to the ISP edge of the peer end, the outer VLAN TAG is removed and the original inner TAG is used to forward packets on the customer's network.
TP-Link provides two methods for applying VLAN-VPN. One is the VLAN-VPN function, and the other is the VLAN-mapping function. The outer VLAN TAG value of the former is the PVID of the port. The outer VLAN TAG value of the latter can be flexibly configured by configuring the VLAN mapping relationship of the UNI port. In Controller mode, you can use the CLI template to deliver VLAN-VPN and VLAN-MAPPING configurations.
1. Basic VLAN-VPN(QinQ)
1.1 Network Requirements
A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and the TPID adopted by the ISP network is 0x9100.
The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 and VLAN 200 should be transmitted in VLAN 1050.
1.2 Configuration Scheme
To meet the requirement that all the traffic from VLAN 100 and VLAN 200 should be transmitted through VLAN 1050, users can configure basic VLAN-VPN on Switch 1 and Switch 2 to allow packets sent with double VLAN tags, and thus ensure the communication between them. The general configuration procedure is as follows:
Here we only introduce the configuration schemes on switch 1 and switch 3, for the
configurations on switch 2 are the same as those on switch 1, and the configurations on switch 4 are the same as those on switch 3.
1) Configure 802.1Q VLAN on switch 1. The parameters are shown below:
|
VLAN 100 |
VLAN 200 |
VLAN 1050 |
PVID |
Port 1/0/1 |
- |
- |
Tagged |
Keep the default value |
Port 1/0/2 |
Tagged |
Tagged |
Untagged |
1050 |
2) Configure 802.1Q VLAN on switch 3. The parameters are shown below:
|
VLAN 100 |
VLAN 200 |
PVID |
Port 1/0/1 |
Untagged |
- |
100 |
Port 1/0/2 |
- |
Untagged |
200 |
Port 1/0/3 |
Tagged |
Tagged |
Keep the default value |
3) Configure VLAN-VPN on switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100.
1.3 VLAN Configuration Process:
On the Settings->Wired Networks->LAN->Networks page, click Create New LAN.
Perform the following operations to create VLAN 100.
Create VLAN 200 and VLAN 1050 in the same way.
1.4 Configure Port Profile
On the Settings->Wired Networks->LAN->Profile page, create different Port profiles and set different 802.1Q VLAN parameters. After applying the Profile to a port, you can change the VLAN configuration of the port.
Create an NNI Profile where the Native Network and Untagged Networks remain as the default VLAN1, and select VLAN 1050 for the Tagged Networks.
Create a UNI Profile where the Native Network and Untagged Networks are changed to VLAN 1050, and the Tagged Networks are changed to VLAN 100 and VLAN 200.
On the Devices->Device List page, click Switch1. On the Ports page of the private configuration page that pops up on the right, click the Edit button on the right of Port1 to change its Profile to an NNI Profile.
Using the same method, change the profile of Port1 on switch2 to the NNI Profile, change the profile of Port2 on both switch1 and switch2 to the UNI Profile, change the profile of Port1 on both switch3 and switch4 to VLAN100, and change the profile of Port2 on both switch3 and switch4 to VLAN200.
1.5 Configure VLAN-VPN
Currently, the Controller does not support the configuration of VLAN-VPN through the GUI, but can be configured through the CLI template.
Copy the following CLI Commands:
#
dot1q-tunnel
#
interface gigabitEthernet 1/0/1
switchport dot1q-tunnel mode nni
switchport dot1q-tunnel tpid 9100
#
interface gigabitEthernet 1/0/2
switchport dot1q-tunnel mode uni
#
Note: The symbol # on the first and last lines must be copied.
On the Settings->CLI Configuration->Device CLI page, click Create New Device CLI Profile.
Type Name and Description, then paste the CLI you just copied into the CLI input box, and click Next.
Select switch1 and switch2 to deliver the configuration and click Confirm.
In this example, the configurations of switch1 and switch2 are identical. Therefore, you can select the two switches together. If the NNI port and UNI port numbers of the two switches are different, create CLI templates and apply them to their devices.
Click Apply to send the VLAN-VPN configuration.
1.6 Delete VLAN-VPN configuration
Different from the GUI configuration of the controller, if you delete the CLI template created above, the controller will not issue the command to delete the VLAN-VPN configuration. If you want to delete the VLAN-VPN configuration above, you need to create a new CLI template using the delete CLI command below and deliver it to switch1 and switch2.
#
no dot1q-tunnel
#
interface gigabitEthernet 1/0/1
no switchport dot1q-tunnel mode
#
interface gigabitEthernet 1/0/2
no switchport dot1q-tunnel mode
#
After the Configuration is deleted, on the Settings->CLI configuration->device CLI page, delete the two CLI templates for adding VLAN-VPN and deleting VLAN-VPN.
2. Flexible VLAN-VPN (QinQ)
2.1 Network Requirements
A company has two stations, and the computers belong to VLAN 100 and VLAN 200
respectively. The ISP VLAN is VLAN 1050 and VLAN 1060, and the TPID adopted by the ISP network is 0x9100.
The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 should be transmitted in VLAN 1050, while the traffic from VLAN 200 should be transmitted in VLAN 1060.
2.2 Configuration scheme
To meet the requirement that all the traffic from VLAN 100 and VLAN 200 need to be transmitted through different ISP VLANs, users can configure flexible VLAN-VPN on Switch 1 and Switch 2 to map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060, so packets from VLAN 100 and VLAN 200 will be transmitted through VLAN 1050 and VLAN 1060 respectively.
Here we only introduce the configuration scheme on Switch 1 and Switch 3, for the
configurations on Switch 2 are the same as that on Switch 1, and the configurations on Switch 4 are the same as that on Switch 3.
1) Configure 802.1Q VLAN on Switch 1. The parameters are shown below:
|
VLAN 100 |
VLAN 200 |
VLAN 1050 |
VLAN1060 |
PVID |
Port 1/0/1 |
- |
- |
Tagged |
Tagged |
Keep the default value |
Port 1/0/2 |
Tagged |
Tagged |
Untagged |
Untagged |
Keep the default value |
2) Configure 802.1Q VLAN on Switch 3. The parameters are shown below:
|
VLAN 100 |
VLAN 200 |
PVID |
Port 1/0/1 |
Untagged |
- |
100 |
Port 1/0/2 |
- |
Untagged |
200 |
Port 1/0/3 |
Tagged |
Tagged |
Keep the default value |
3) Configure VLAN-VPN on Switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100; map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060.
2.3 Create VLANs and configure Port profiles
Please refer to the guide for creating VLAN and Port profiles in basic VLAN-VPN.
2.4 Procedure of configuring VLAN-MAPPING
Currently, the Controller does not support the configuration of VLAN-VPN through the GUI, but can be configured through the CLI template.
The CLI Commands are as follows:
#
dot1q-tunnel
dot1q-tunnel mapping
#
interface gigabitEthernet 1/0/1
switchport dot1q-tunnel mode nni
switchport dot1q-tunnel tpid 9100
#
interface gigabitEthernet 1/0/2
switchport dot1q-tunnel mode uni
switchport dot1q-tunnel mapping 100 1050
switchport dot1q-tunnel mapping 200 1060
#
For details about how to create CLI templates and deliver these CLI templates, please refer to the basic VLAN-VPN mentioned above.
2.5 Delete configuration
Different from the GUI configuration of the controller, if you delete the CLI template created above, the controller will not issue the command to delete the VLAN Mapping configuration. If you want to delete the VLAN Mapping configuration above, you need to create a new CLI template using the delete CLI command below and deliver it to switch1 and switch2.
#
no dot1q-tunnel
no dot1q-tunnel mapping
#
interface gigabitEthernet 1/0/1
no switchport dot1q-tunnel mode
#
interface gigabitEthernet 1/0/2
no switchport dot1q-tunnel mapping
no switchport dot1q-tunnel mode
#
After the Configuration is deleted, on the Settings->CLI configuration->device CLI page, delete the two CLI templates for adding VLAN Mapping and deleting VLAN Mapping.
For more information about VLAN-VPN features and CLI, see CLI Guide and User Guide.