Configuring Layer 2 Protocol Tunneling

Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.

When protocol tunneling is enabled, edge device on the inbound side of the service-provider network encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Core devices in the network do not process these packets but forward them as normal packets. Layer 2 protocol data units (PDUs) for CDP, STP, or VTP cross the service-provider network and are delivered to customer devices on the outbound side of the service-provider network. Identical packets are received by all customer ports on the same VLANs with these results:

  • Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site.

  • CDP discovers and shows information about the other Cisco devices connected through the service-provider network.

  • VTP provides consistent VLAN configuration throughout the customer network, propagating to all devices through the service provider.

Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling. If protocol tunneling is not enabled on IEEE 802.1Q tunneling ports, remote devices at the receiving end of the service-provider network do not receive the PDUs and cannot properly run STP, CDP, and VTP. When protocol tunneling is enabled, Layer 2 protocols within each customer’s network are totally separate from those running within the service-provider network. Customer devices on different sites that send traffic through the service-provider network with IEEE 802.1Q tunneling achieve complete knowledge of the customer’s VLAN. If IEEE 802.1Q tunneling is not used, you can still enable Layer 2 protocol tunneling by connecting to the customer device through access ports and by enabling tunneling on the service-provider access port.

For example, in the following figure (Layer 2 Protocol Tunneling), Customer X has four devices in the same VLAN, that are connected through the service-provider network. If the network does not tunnel PDUs, devices on the far ends of the network cannot properly run STP, CDP, and VTP. For example, STP for a VLAN on a device in Customer X, Site 1, will build a spanning tree on the devices at that site without considering convergence parameters based on Customer X’s devices in Site 2. This could result in the topology shown in the Layer 2 Network Topology without Proper Convergence figure.

Figure 1. Layer 2 Protocol Tunneling
Figure 2. Layer 2 Network Topology Without Proper Convergence

Feature History and Information for Layer 2 Protocol Tunneling

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Feature

Release

Description

L2 Protocol Tunnel CDP under LAN Switching Interface

Cisco IOS XE Bengaluru 17.4.1a

You can now configure L2CP X for tunneling so that it forwards all other l2cp with the DST MAC 01:00:0C:CD:CD:D0 except X with the DST MAC 01:00:0C:CD:CD:D0 on the following platforms:

  • Cisco 1000 Series Integrated Services Routers

  • Cisco 4000 Series Integrated Services Routers

Layer 2 Protocol Tunneling

Cisco IOS XE Gibraltar 16.12.1

This feature was introduced on the following platforms:

  • Cisco 1000 Series Integrated Services Routers

  • Cisco 4000 Series Integrated Services Routers

Restrictions for Tunneling

  • IEEE 802.1Q tunneling and Layer 2 protocol tunneling are supported on the following platforms:

    • Cisco 1000 Series Integrated Services Routers

    • Cisco 4000 Series Integrated Services Routers with the NIM-ES module

  • The vlan dot1q tag native command is not supported.

  • Since the Ethernet virtual connection (EVC) of the WAN port is used as the 802.1Q-in-802.1Q (QinQ) port, the encapsulation of the Ethernet flow point (EFP) of the Switch Virtual Interface (SVI) and WAN port only supports default EFP and 802.1Q EFP. The 802.1AD TPID (0x88a8) is not supported. You cannot use the switchport as the QinQ port towards the service provider.

  • An SVI or Bridge Domain Interface (BDI) cannot route IEEE 802.1Q tunneling traffic.

  • EtherChannels are not supported.

  • The default DMAC of layer protocol tunneling is 01-00-0c-cd-cd-d0 and cannot be customized.

Layer 2 Protocol Tunneling on Ports

You can enable Layer 2 protocol tunneling (by protocol) on the ports that are connected to the customer in the edge devices of the service-provider network. The service-provider edge devices connected to the customer device perform the tunneling process. Edge device tunnel ports are connected to customer IEEE 802.1Q trunk ports. Edge device access ports are connected to customer access ports. The edge devices connected to the customer device perform the tunneling process.

The device supports Layer 2 protocol tunneling for CDP, STP, and VTP. For emulated point-to-point network topologies, it also supports PAgP, LACP, LLDP, and UDLD protocols.


Note

PAgP, LACP, and UDLD protocol tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure.

When the Layer 2 PDUs that entered the service-provider inbound edge device through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the device overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag. The core devices ignore the inner tags and forward the packet to all trunk ports in the same metro VLAN. The edge devices on the outbound side restore the proper Layer 2 protocol and MAC address information and forward the packets to all tunnel or access ports in the same metro VLAN. Therefore, the Layer 2 PDUs remain intact and are delivered across the service-provider infrastructure to the other side of the customer network.


Note

Configure L2CP X for tunneling to forward all other l2CP with the DST MAC 01:00:0C:CD:CD:D0 except X with DST MAC 01:00:0C:CD:CD:D0

See the Layer 2 Protocol Tunneling Figure 1 with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge devices in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address. These double-tagged packets have the metro VLAN tag of 40, as well as an inner VLAN tag (for example, VLAN 100). When the double-tagged packets enter Switch D, the outer VLAN tag 40 is removed, the well-known MAC address is replaced with the respective Layer 2 protocol MAC address, and the packet is sent to Customer Y on Site 2 as a single-tagged frame in VLAN 100.

You can also enable Layer 2 protocol tunneling on access ports on the edge device connected to access or trunk ports on the customer switch. In this case, the encapsulation and decapsulation process is the same as described in the previous paragraph, except that the packets are not double-tagged in the service-provider network. The single tag is the customer-specific access VLAN tag.

In switch stacks, Layer 2 protocol tunneling configuration is distributed among all stack members. Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port. On a single switch, ingress Layer 2 protocol-tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled. In a stack, packets received by a Layer 2 protocol-tunneled port are distributed to all ports in the stack that are configured for Layer 2 protocol tunneling and are in the same VLAN. All Layer 2 protocol tunneling configuration is handled by the stack master and distributed to all stack members.

Configuring Layer 2 Protocol Tunneling

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface interface-id

Example:

Device(config)# interface gigabitethernet1/0/1

Specifies the interface connected to the phone, and enters interface configuration mode.

Step 4

Use one of the following:

  • switchport mode dot1q-tunnel

Example:

Device(config-if)# switchport mode dot1q-tunnel

Configures the interface as an IEEE 802.1Q tunnel port or a trunk port.

Step 5

l2protocol-tunnel [cdp | lldp | point-to-point | stp | vtp]

Example:

Device(config-if)# l2protocol-tunnel cdp

Enables protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all four Layer 2 protocols.

Note 

Use the no l2protocol-tunnel [cdp | lldp | point-to-point | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three.

Step 6

l2protocol-tunnel shutdown-threshold [ packet_second_rate_value | cdp | lldp point-to-point | stp | vtp]

Example:

Device(config-if)# l2protocol-tunnel shutdown-threshold 100 cdp

(Optional) Configures the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note 

If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

Note 

Use the no l2protocol-tunnel shutdown-threshold [ packet_second_rate_value | cdp | lldp| point-to-point | stp | vtp] and the no l2protocol-tunnel drop-threshold [ packet_second_rate_value | cdp | lldp| point-to-point |stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Step 7

l2protocol-tunnel drop-threshold [ packet_second_rate_value | cdp | lldp | point-to-point | stp | vtp]

Example:

Device(config-if)# l2protocol-tunnel drop-threshold 100 cdp

(Optional) Configures the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note 

If you also set a shutdown threshold on this interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.

Note 

Use the no l2protocol-tunnel shutdown-threshold [cdp | lldp| point-to-point | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Step 8

exit

Example:

Device(config-if)# exit

Returns to global configuration mode.

Step 9

errdisable recovery cause l2ptguard

Example:

Device(config)# errdisable recovery cause l2ptguard

(Optional) Configures the recovery mechanism from a Layer 2 maximum-rate error so that the interface is reenabled and can try again. Errdisable recovery is disabled by default; when enabled, the default time interval is 300 seconds.

Step 10

l2protocol-tunnel cos value

Example:

Device(config)# l2protocol-tunnel cos value 7

(Optional) Configures the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5.

Step 11

spanning-tree bpdufilter enable

Example:

Device(config)# spanning-tree bpdufilter enable

Inserts a BPDU filter for spanning tree.

Note 

While configuring Layer 2 Protocol Tunneling on a trunk port, you must enable a BPDU filter for spanning tree.
Step 12

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 13

show l2protocol

Example:

Device# show l2protocol

Displays the Layer 2 tunnel ports on the device, including the protocols configured, the thresholds, and the counters.

Step 14

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Example: Configuring Layer 2 Protocol Tunneling

The following example shows how to configure Layer 2 protocol tunneling for CDP, STP, and VTP and to verify the configuration.



Device(config)# interface gigabitethernet1/0/11
Device(config-if)# l2protocol-tunnel cdp
Device(config-if)# l2protocol-tunnel stp
Device(config-if)# l2protocol-tunnel vtp
Device(config-if)# l2protocol-tunnel shutdown-threshold 1500
Device(config-if)# l2protocol-tunnel drop-threshold 1000
Device(config-if)# exit
Device(config)# l2protocol-tunnel cos 7
Device(config)# end
Device# show l2protocol

COS for Encapsulated Packets: 7
Port Protocol Shutdown Drop Encapsulation Decapsulation Drop
Threshold Threshold Counter Counter Counter
------- -------- --------- --------- ------------- ------------- -------------
Gi0/11 cdp 1500 1000 2288 2282 0
stp 1500 1000 116 13 0
vtp 1500 1000 3 67 0
pagp ---- ---- 0 0 0
lacp ---- ---- 0 0 0
udld ---- ---- 0 0 0

Monitoring Tunneling Status

The following table describes the commands used to monitor tunneling status.

Table 1. Commands for Monitoring Tunneling

Command

Purpose

clear l2protocol-tunnel counters

Clears the protocol counters on Layer 2 protocol tunneling ports.

show dot1q-tunnel

Displays IEEE 802.1Q tunnel ports on the device.

show dot1q-tunnel interface interface-id

Verifies if a specific interface is a tunnel port.

show l2protocol-tunnel

Displays information about Layer 2 protocol tunneling ports.

show errdisable recovery

Verifies if the recovery timer from a Layer 2 protocol-tunnel error disable state is enabled.

show l2protocol-tunnel interface interface-id

Displays information about a specific Layer 2 protocol tunneling port.

show l2protocol-tunnel summary

Displays only Layer 2 protocol summary information.