Configuring VLAN-VPN

CHAPTERS

1. VLAN VPN

2. Basic VLAN VPN Configuration

3. Flexible VLAN VPN Configuration

4. Configuration Examples

5. Appendix: Default Parameters

This guide applies to:

T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-52TS v3 or above.

1VLAN VPN

1.1Overview

VLAN VPN (Virtual Private Network) is an easy-to-implement layer 2 VLAN technology, and it is usually deployed at the edge of the ISP (Internet Service Provider) network.

With VLAN VPN, when forwarding packets from the customer network to the ISP network, the switch adds an outer tag to the packets with outer VLAN ID. Thus, packets can be transmitted through ISP networks with double VLAN tags. In the ISP network, packets are forwarded according to the outer VLAN tag (VLAN tag of the ISP network), while the inner VLAN tag is treated as part of the payload. When forwarding packets from the ISP network to the customer network, the switch remove the outer VLAN tag of the packets. Thus, packets are forwarded according to the inner VLAN tag (VLAN tag of the customer network) in the customer network.

The following figure shows the typical application scenario of VLAN VPN. To realize the communication between two customer VLANs across the ISP network, you can configure VLAN VPN at the ISP edge switches to allow packets from customer VLAN 100 and VLAN 200 to be forwarded through the ISP network with the outer tag of VLAN 1050.

Figure 1-1 Application Scenario of VLAN VPN

1.2Supported Features

The VLAN VPN function includes: basic VLAN VPN and flexible VLAN VPN (VLAN mapping).

Basic VLAN VPN

All packets from customer VLANs are encapsulated with the same VLAN tag of the ISP network, and sent to the ISP network. Additionally, you can set the TPID (Tag Protocol Identifier) for compatibility with devices in the ISP network.

Flexible VLAN VPN

You can configure different VLANs in the customer network to map to different VLANs in the ISP network.

When the switch receives a packet with the customer network tag, the switch will check the VLAN Mapping List. If a match is found, the switch encapsulates the packet with the corresponding VLAN tag of the ISP network, and forwards it to the corresponding port. If no match is found, the switch process the packet in rules of MAC VLAN, Protocol VLAN and 802.1Q VLAN. For untagged packets, the switch directly processes them in rules of MAC VLAN, Protocol VLAN and 802.1Q VLAN.

2Basic VLAN VPN Configuration

To complete the basic VLAN VPN configuration, follow these steps:

1)Configure 802.1Q VLAN.

2)Configure NNI ports and UNI ports.

3)Enable VLAN VPN globally.

Configuration Guidelines

The TPID preset by the switch is 0x8100. If the devices in the ISP network do not support this value, you should change it to ensure VLAN VPN packets sent to the ISP network can be recognized and forwarded by devices of other manufacturers.

You can go to 802.1Q VLAN section to specify the Ingress Checking feature according to your needs. If the Ingress Checking is enabled, the port will perform this operation first then process the packets based on the VLAN VPN configuration. If Ingress Checking is disabled, the port will process the packets directly based on the VLAN VPN configuration.

2.1Using the GUI

2.1.1Configuring 802.1Q VLAN

Before configuring VLAN VPN, create 802.1Q VLAN add ports to corresponding VLANs and configure Ingress Checking on ports according to your needs. For details, refer to Configuring 802.1Q VLAN.

2.1.2Configuring Basic VLAN VPN

Choose the menu L2 FEATURES > VLAN > VLAN VPN > VPN Config to load the following page.

Figure 2-1 Basic VPN Configuration

Follow these steps to configure the basic VLAN VPN parameters:

1)In the Global Config section, enable VLAN VPN globally, and click Apply.

VLAN VPN

Enable the VLAN VPN function globally.

2)In the VPN Port Config section, select on or more ports and configure the corresponding parameters. Click Apply.

Port Role

Select the port role that will take effect in the VLAN VPN function.

NNI: NNI ports are usually edge ports connected to the ISP network, and the packets forwarded by these port have outer VLAN tags.

UNI: UNI ports are usually connected to the customer network. The outer VLAN tags will be added or removed when the packets are forwarded by the VPN port.

Note:

The direct shift between ports modes UNI and NNI is not supported. To switch from the current mode to another mode, you can change the port tole to “--” first.

TPID

Specify the value of TPID. TPID is a field of VLAN tag and is modified to make the double tagged packets identifiable to devices from different vendors.

Missdrop

Enable the Missdrop feature. This option only can take effect on tagged packets. With Missdrop enabled, the tagged packets that don’t match the VLAN Mapping entries will be dropped.

It is available only when the port role is UNI.

Use Inner Priority

Enable this function and the switch will determine the forwarding sequence of the packets according to the 802.1p priority of the inner VLAN tag.

It is available only when the port role is UNI.

Note:

The PVID of the UNI port should be specified as the VLAN ID of the ISP VLAN.

The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.

2.2Using the CLI

2.2.1Configuring 802.1Q VLAN

Before configuring VLAN VPN, create 802.1Q VLAN, add ports to corresponding VLANs and configure Ingress Checking on ports according to your needs. For details, refer to Configuring 802.1Q VLAN.

2.2.1Configuring Basic VLAN VPN

Follow these steps to configure basic VLAN VPN:

Step 1

configure

Enter global configuration mode.

Step 2

dot1q-tunnel

Enable the VLAN VPN feature globally.

Step 3

interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}

Enter interface configuration mode.

Step 4

switchport dot1q-tunnel mode { nni | uni }

Select the port role that will take effect in the VLAN VPN function.

nni : NNI ports are usually connected to the ISP network, and the packets forwarded by these port have outer VLAN tags.

uni : UNI ports are usually connected to the customer network. The outer VLAN tags will be added or removed when the packets are forwarded by the VPN port.

Note:

The direct shift between ports modes uni and nni is not supported. To switch from the current mode to another mode, you can use no switchport dot1q-tunnel mode to disable the current mode.

Step 5

switchport dot1q-tunnel tpid tpid

Specify the value of TPID. TPID is a field of VLAN tag and is modified to make the double tagged packets identifiable to devices from different vendors.

tpid: Enter the IPID for the port. It must be 4 Hex integers. By default, it is 8100.

Step 6

switchport dot1q-tunnel missdrop

Enable the Missdrop feature. This option only can take effect on tagged packets. With Missdrop enabled, the tagged packets that don’t match the VLAN Mapping entries will be dropped. By default, it is disabled.

It is available only when the port mode is UNI.

Step 7

switchport dot1q-tunnel use_inner_priority

Enable this function and the switch will determine the forwarding sequence of the packets according to the 802.1p priority of the inner VLAN tag. By default, it is disabled.

It is available only when the port mode is UNI.

Step 8

show dot1q-tunnel

Verify the global configuration of VLAN VPN.

Step 9

show dot1q-tunnel interface

Verify the interface configuration of basic VLAN VPN.

Step 10

end
Return to privileged EXEC mode.

Step 11

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable the VLAN VPN feature globally, set port 1/0/1 of switch as the UNI port and 1/0/2 as the NNI port:

Switch#configure

Switch(config)#dot1q-tunnel

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#switchport dot1q-tunnel mode uni

Switch(config-if)#exit

Switch(config)#interface gigabitEthernet 1/0/2

Switch(config-if)#switchport dot1q-tunnel mode nni

Switch(config-if)#show dot1q-tunnel

VLAN VPN Mode: Enabled

Mapping Mode: Disabled

Switch(config-if)#show dot1q-tunnel interface

Port Type Tpid Use Inner Priority LAG

------- ------- ------- ------------------ ---

Gi1/0/1 UNI 0x8100 Disable N/A

Gi1/0/2 NNI 0x8100 Enable N/A

...

Switch(config-if)#end

Switch#copy running-config startup-config

3Flexible VLAN VPN Configuration

To complete the flexible VLAN VPN configuration, follow these steps:

1)Configure 802.1Q VLAN and basic VLAN VPN.

2)Configure VLAN mapping.

Configuration Guidelines

Before you start, configure 802.1Q VLAN and the basic VLAN VPN.

You can specify the PVID of the UNI port according to your needs. The untagged packets and the tagged packets that don’t the VLAN mapping entry may be added the outer VLAN tag with this PVID according to your configuration.

3.1Using the GUI

Choose the menu L2 FEATURES > VLAN > VLAN VPN > VLAN Mapping to load the following page.

Figure 3-1 Enable Flexible VLAN VPN

Follow these steps to configure flexible VLAN VPN:

1)In the Global Config section, enable VLAN mapping globally and click Apply.

2)In the VLAN Mapping Config section, click to load the following page. Configure the following parameters.

Figure 3-2 Create VLAN Mapping Entry

Port

Choose a UNI port to enable VLAN mapping. Usually, ports that are connected to the customer network are set as UNI ports. You can also enter the port number in 1/0/1 format.

C VLAN

Specify the customer VLAN of the UNI port by entering the VLAN ID or VLAN Name.

SP VLAN

Specify the ISP VLAN of the UNI port by entering the VLAN ID or VLAN Name.

Description

Give a description to identify the VLAN Mapping.

3)Click Create.

3.2Using the CLI

Follow these steps to configure flexible VLAN VPN:

Step 1

configure

Enter global configuration mode.

Step 2

dot1q-tunnel mapping

Enable VLAN mapping globally.

Step 3

interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}

Enter interface configuration mode.

Step 4

switchport dot1q-tunnel mapping c-vlan sp-vlan [ descript ]

Set VLAN mapping entries for the specified port.

c vlan: Enter VLAN ID of the customer network.

sp vlan: Enter VLAN ID of the ISP network.

descript: Give a description to identify the VLAN Mapping.

Step 5

end

Return to privileged EXEC mode.

Step 6

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable VLAN mapping and set a VLAN mapping entry named mapping1 on port 1/0/3 to map customer network VLAN 15 to ISP network VLAN 1040:

Switch#configure

Switch(config)#dot1q-tunnel mapping

Switch(config)#show dot1q-tunnel

VLAN VPN Mode: Enabled

Mapping Mode: Enabled

Switch(config)#interface gigabitEthernet 1/0/3

Switch(config-if)#switchport dot1q-tunnel mapping 15 1040 mapping1

Switch(config-if)#show dot1q-tunnel mapping

Port C-VLAN SP-VLAN Name

----------- ---------- ------------ -----------

Gi1/0/3 15 1040 mapping1

Switch(config-if)#end

Switch#copy running-config startup-config

4Configuration Examples

4.1Example for Basic VLAN VPN

4.1.1Network Requirements

A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and the TPID adopted by the ISP network is 0x9100.

The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 and VLAN 200 should be transmitted in VLAN 1050.

Figure 4-1 Network Topology

4.1.2Configuration Scheme

To meet the requirement that all the traffic from VLAN 100 and VLAN 200 should be transmitted through VLAN 1050, users can configure basic VLAN VPN on Switch 1 and Switch 2 to allow packets sent with double VLAN tags, and thus ensure the communication between them. The general configuration procedure is as follows:

Here we only introduce the configuration schemes on switch 1 and switch 3, for the configurations on switch 2 are the same as those on switch 1, and the configurations on switch 4 are the same as those on switch 3.

1)Configure 802.1Q VLAN on switch 1. The parameters are shown below:

VLAN 100

VLAN 200

VLAN 1050

PVID

Port 1/0/1

-

-

Tagged

1

Port 1/0/2

Tagged

Tagged

Untagged

1050

2)Configure 802.1Q VLAN on switch 3. The parameters are shown below:

VLAN 100

VLAN 200

PVID

Port 1/0/1

-

Untagged

100

Port 1/0/2

Untagged

-

200

Port 1/0/3

Tagged

Tagged

1

3)Configure VLAN VPN on switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100.

Demonstrated with T2600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

4.1.3Using the GUI

Configuring Switch 1:

1)Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100, VLAN 200 and VLAN 1050. Configure the egress rule of port 1/0/2 in VLAN 100 and VLAN 200 as Tagged, and in VLAN 1050 as Untagged; Configure the egress rule of port 1/0/1 in VLAN 1050 as Tagged.

Figure 4-2 Create VLAN 100

Figure 4-3 Create VLAN 200

Figure 4-4 Create VLAN 1050

2)Go to L2 FEATURES > VLAN > Port Config to set the PVID as 1050 for port 1/0/2 and leave the default vaule 1 for port 1/0/1.

Figure 4-5 Configuring PVID

3)Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port /1/0/2 as UNI port. Specify the TPID of port 1/0/1 as 9100.

Figure 4-6 Enabling VLAN VPN Globally and Configuring the Ports

4)Click to save the settings.

Configuring Switch 3:

1)Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged; egress rules of port 1/0/2 in VLAN 200 as Untagged; egress rule of port 1/0/3 in VLAN 100 and VLAN 200 as Tagged.

Figure 4-7 Creating VLAN 100

Figure 4-8 Creating VLAN 200

2)Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Figure 4-9 Configuring PVID

3)Click to save the settings.

4.1.4Using the CLI

The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.

1)Create VLAN 1050, VLAN 100 and VLAN 200.

Switch_1#configure

Switch_1(config)#vlan 1050

Switch_1(config-vlan)#name SP_VLAN

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 100

Switch_1(config-vlan)#name C_VLAN100

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 200

Switch_1(config-vlan)#name C_VLAN200

Switch_1(config-vlan)#exit

2)Add port 1/0/1 to VLAN 1050 as tagged port, modify PVID as 1050, set the port as NNI port and specify the TPID as 9100.

Switch_1(config)#interface gigabitEthernet 1/0/1

Switch_1(config-if)#switchport general allowed vlan 1050 tagged

Switch_1(config-if)#switchport pvid1050

Switch_1(config-if)#switchport dot1q-tunnel mode nni

Switch_1(config-if)#switchport dot1q-tunnel tpid 9100

Switch_1(config-if)#exit

3)Add port 1/0/2 to VLAN 1050 as untagged port, and add it to VLAN 100 and VLAN 200 as tagged port. Modify PVID of the port as 1050. Set the port as the UNI port.

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport general allowed vlan 1050 untagged

Switch_1(config-if)#switchport general allowed vlan 100,200 tagged

Switch_1(config-if)#switchport pvid 1050

Switch_1(config-if)#switchport dot1q-tunnel mode uni

Switch_1(config-if)#exit

4)Enable VLAN VPN globally

Switch_1(config)#dot1q-tunnel

Switch_1(config)#end

Switch_1#copy running-config startup-config

Configuring Switch 3

1)Create VLAN 100 and VLAN 200.

Switch_3#configure

Switch_3(config)#vlan 100

Switch_3(config-vlan)#name C_VLAN100

Switch_3(config-vlan)#exit

Switch_3(config)#vlan 200

Switch_3(config-vlan)#name C_VLAN200

Switch_3(config-vlan)#exit

2)Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports. Configure the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Switch_3(config)#interface gigabitEthernet 1/0/1

Switch_3(config-if)#switchport general allowed vlan 100 untagged

Switch_3(config-if)#switchport pvid 100

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/2

Switch_3(config-if)#switchport general allowed vlan 200 untagged

Switch_3(config-if)#switchport pvid 200

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/3

Switch_3(config-if)#switchport general allowed vlan 100,200 tagged

Switch_3(config-if)#end

Switch_3#copy running-config startup-config

Verify the VLAN VPN Configurations on Switch 1

Verify the configurations of global VLAN VPN:

Switch_3#show dot1q-tunnel

VLAN VPN Mode: Enabled

Mapping Mode: Disabled

Verify the configurations of VPN up-link port and VPN port:

Switch_3#show dot1q-tunnel interface

Port Type Tpid Use Inner Priority LAG

------- ------- ------- ----------------- ---

Gi1/0/1 NNI 0x9100 Disable N/A

Gi1/0/2 UNI 0x8100 Enable N/A

Gi1/0/3 NONE 0x8100 Disable N/A

Gi1/0/4 NONE 0x8100 Disable N/A

...

Verify the port configuration:

Switch_3#show interface switchport gigabitEthernet 1/0/1

Port Gi1/0/1:

PVID: 1050

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

Vlan Name Egress-rule

---- ----------- -----------

1 System-VLAN Untagged

1050 SP_VLAN Tagged

Switch_3#show interface switchport gigabitEthernet 1/0/2

Port Gi1/0/2:

PVID: 1050

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

Vlan Name Egress-rule

---- ----------- -----------

1 System-VLAN Untagged

100 C_VLAN100 Tagged

200 C_VLAN200 Tagged

1050 SP_VLAN Untagged

4.2Example for Flexible VLAN VPN

4.2.1Network Requirements

A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and VLAN 1060, and the TPID adopted by the ISP network is 0x9100.

The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 should be transmitted in VLAN 1050, while the traffic from VLAN 200 should be transmitted in VLAN 1060.

Figure 4-10 Network Topology

4.2.2Configuration Scheme

To meet the requirement that all the traffic from VLAN 100 and VLAN 200 need to be transmitted through different ISP VLANs, users can configure flexible VLAN VPN on Switch 1 and Switch 2 to map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060, so packets from VLAN 100 and VLAN 200 will be transmitted through VLAN 1050 and VLAN 1060 respectively.

Here we only introduce the configuration scheme on switch 1 and switch 3, for the configurations on switch 2 are the same as that on switch 1, and the configurations on switch 4 are the same as that on switch 3.

1)Configure 802.1Q VLAN on switch 1. The parameters are shown below:

VLAN 100

VLAN 200

VLAN 1050

VLAN 1060

PVID

Port 1/0/1

-

-

Tagged

Tagged

1

Port 1/0/2

Tagged

Tagged

Untagged

Untagged

1050

2)Configure 802.1Q VLAN on switch 3. The parameters are shown below:

VLAN 100

VLAN 200

PVID

Port 1/0/1

-

Untagged

100

Port 1/0/2

Untagged

-

200

Port 1/0/3

Tagged

Tagged

1

3)Configure VLAN VPN on switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100; map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060.

Demonstrated with T2600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

4.2.3Using the GUI

Configuring Switch 1:

1)Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100, VLAN 200, VLAN 1050 and VLAN 1060. Configure the egress rule of port 1/0/2 in VLAN 100 and VLAN 200 as Tagged, and Untagged in VLAN 1050 and VLAN 1060; Configure the egress rule of port 1/0/1 in VLAN 1050 and VLAN 1060 as Tagged.

Figure 4-11 Create VLAN 100

Figure 4-12 Create VLAN 200

Figure 4-13 Create VLAN 1050

Figure 4-14 Create VLAN 1060

2)Go to L2 FEATURES > VLAN > Port Config to set the PVID as 1050 for port 1/0/2 and leave the default vaule 1 for port 1/0/1.

Figure 4-15 Configuring PVID

3)Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port /1/0/2 as UNI port. Specify the TPID of port 1/0/1 as 9100.

Figure 4-16 Enabling VLAN VPN Globally and Configuring the Ports

4)Go to L2 FEATURES > VLAN > VLAN VPN > VLAN Mapping, enable VLAN Mapping globally. Then configure VLAN mapping for the UNI port 1/0/2.

Figure 4-17 Mapping VLAN 100 to VLAN 1050

Figure 4-18 Mapping VLAN 200 to VLAN 1060

5)Click to save the settings.

Configuring Switch 3:

1)Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged; egress rules of port 1/0/2 in VLAN 200 as Untagged; egress rule of port 1/0/3 in VLAN 100 and VLAN 200 as Tagged.

Figure 4-19 Creating VLAN 100

Figure 4-20 Creating VLAN 200

2)Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Figure 4-21 Configuring PVID

3)Click to save the settings.

4.2.4Using the CLI

Configuring Switch 1

1)Create VLAN 100, VLAN 200, VLAN 1050 and VLAN 1060.

Switch_1#configure

Switch_1(config)#vlan 1050

Switch_1(config-vlan)#name SP_VLAN1050

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 1060

Switch_1(config-vlan)#name SP_VLAN1060

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 100

Switch_1(config-vlan)#name C_VLAN100

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 200

Switch_1(config-vlan)#name C_VLAN200

Switch_1(config-vlan)#exit

2)Add port 1/0/1 to VLAN 1050 and VLAN 1060 as tagged port, modify PVID as 1050, set the port as NNI port and specify the TPID as 9100.

Switch_1(config)#interface gigabitEthernet 1/0/1

Switch_1(config-if)#switchport general allowed vlan 1050,1060 tagged

Switch_1(config-if)#switchport pvid1050

Switch_1(config-if)#switchport dot1q-tunnel mode nni

Switch_1(config-if)#switchport dot1q-tunnel tpid 9100

Switch_1(config-if)#exit

3)Add port 1/0/2 to VLAN 1050 and VLAN 1060 as untagged port, and add it to VLAN 100 and VLAN 200 as tagged port. Modify the PVID as 1050. Set the port as the UNI port.

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport general allowed vlan 1050,1060 untagged

Switch_1(config-if)#switchport general allowed vlan 100,200 tagged

Switch_1(config-if)#switchport pvid 1050

Switch_1(config-if)#switchport dot1q-tunnel mode uni

Switch_1(config-if)#exit

4)Enable VLAN mapping. Map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060 for port 1/0/2.

Switch_1(config)#dot1q-tunnel mapping

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport dot1q-tunnel mapping 100 1050 mapping

Switch_1(config-if)#switchport dot1q-tunnel mapping 200 1060 mapping

Switch_1(config-if)#exit

5)Enable VLAN VPN globally

Switch_1(config)#dot1q-tunnel

Switch_1(config)#end

Switch_1#copy running-config startup-config

Configuring Switch 3

1)Create VLAN 100 and VLAN 200.

Switch_3#configure

Switch_3(config)#vlan 100

Switch_3(config-vlan)#name C_VLAN100

Switch_3(config-vlan)#exit

Switch_3(config)#vlan 200

Switch_3(config-vlan)#name C_VLAN200

Switch_3(config-vlan)#exit

2)Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports. Configure the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Switch_3(config)#interface gigabitEthernet 1/0/1

Switch_3(config-if)#switchport general allowed vlan 100 untagged

Switch_3(config-if)#switchport pvid 100

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/2

Switch_3(config-if)#switchport general allowed vlan 200 untagged

Switch_3(config-if)#switchport pvid 200

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/3

Switch_3(config-if)#switchport general allowed vlan 100,200 tagged

Switch_3(config-if)#end

Switch_3#copy running-config startup-config

5Appendix: Default Parameters

Default settings of VLAN VPN are listed in the following table.

Table 5-1Default Settings of VLAN VPN

Parameter

Default Setting

Global VLAN VPN

Disabled

Port Role

None

Global TPID

0x8100

Missdrop

Disabled

Use Inner Priority

Disabled

VLAN Mapping

Disabled