Layer two protocol tunneling
By stretch | Wednesday, July 2, 2008 at 1:56 a.m. UTC
Normally, Cisco switches intercept and process a number of layer two protocols, including CDP, STP, VTP, and others. This can present problems when attempting to make a switch appear completely transparent, as is a common goal of service providers. Full transparency can be achieved with layer 2 protocol tunneling (not to be confused with L2TP).
Switches can be configured to forward CDP, STP, and VTP frames instead of intercepting them. The command to enable basic L2 tunneling is l2protocol-tunnel in interface configuration mode. By default, this one command disables CDP on the interface and enables tunneling for CDP, STP, and VTP, as seen in the running configuration:
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
The switch will transparently forward incoming CDP/STP/VTP frames out other similarly configured interfaces in the same VLAN. We can inspect the traffic statistics with show l2protocol-tunnel:
Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp      ----      ----             4             0             0
           stp      ----      ----           117             0             0
           vtp      ----      ----             0             0             0
           ---      ----      ----          ----          ----          ----
           ---      ----      ----          ----          ----          ----
           ---      ----      ----          ----          ----          ----
Note the three seemingly useless lines at the end of the output. These lines present additional information when tunneling is expanded to include the point-to-point protocols PAgP, LACP, and UDLD with the command l2protocol-tunnel point-to-point. Similar to the base command, the interface is automatically configured to include each of these protocols individually:
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point lacp
 l2protocol-tunnel point-to-point udld
 no cdp enable
The forwarding statistics now include all six protocols:
Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp      ----      ----            10             0             0
           stp      ----      ----           292             0             0
           vtp      ----      ----             0             0             0
           pagp     ----      ----             0             0             0
           lacp     ----      ----             0             0             0
           udld     ----      ----             0             0             0
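As an added example (not part of the original post), a small Python parser that turns this show l2protocol-tunnel output into structured data, so the per-protocol encapsulation and drop counters can be watched from a monitoring job rather than read by eye. The sample text is constructed from the first output above; the column layout is assumed to match that output.

```python
import re
# Constructed sample: the post's first "show l2protocol-tunnel" output, including
# the three placeholder rows (the slots pagp/lacp/udld fill once point-to-point is on).
SAMPLE = """\
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp      ----      ----             4             0             0
           stp      ----      ----           117             0             0
           vtp      ----      ----             0             0             0
           ---      ----      ----          ----          ----          ----
           ---      ----      ----          ----          ----          ----
           ---      ----      ----          ----          ----          ----
"""
KEYS = ("protocol", "shutdown_threshold", "drop_threshold",
        "encapsulated", "decapsulated", "dropped")

def _val(tok):
    return None if set(tok) == {"-"} else int(tok)   # "----" means not configured

def parse_l2pt(text):
    result = {"cos": None, "drop_threshold": None, "rows": []}
    port, in_table = None, False
    for line in text.splitlines():
        if m := re.match(r"(COS|Drop Threshold) for Encapsulated Packets:\s*(\d+)", line):
            result["cos" if m.group(1) == "COS" else "drop_threshold"] = int(m.group(2))
            continue
        if line.startswith("----------"):       # separator: table rows follow
            in_table = True
            continue
        tok = line.split()
        if not in_table or not tok:
            continue
        if len(tok) == 7:                       # only a port's first row names the port
            port, tok = tok[0], tok[1:]
        if tok[0] == "---":                     # unused slot, nothing to record
            continue
        row = dict(zip(KEYS, [tok[0]] + [_val(t) for t in tok[1:]]))
        result["rows"].append({"port": port, **row})
    return result

def summarize(parsed):
    """Which protocols actually carry frames per port, and where frames were dropped."""
    active = sorted((r["port"], r["protocol"]) for r in parsed["rows"]
                    if r["encapsulated"] or r["decapsulated"])
    dropped = [(r["port"], r["protocol"], r["dropped"]) for r in parsed["rows"] if r["dropped"]]
    return {"active": active, "dropped": dropped}
```

A non-zero drop counter on an edge port is the signal to look at, since it means tunneled PDUs are exceeding the configured threshold rather than reaching the far side.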
Posted in Switching
Comments
July 8, 2008 at 3:13 a.m. UTC
Thanks for the insightful article. So where would this be employed in a typical campus LAN environment?
August 16, 2008 at 6:48 p.m. UTC
@Benmoon l2pt is not really designed for campus networks. It's really useful when you have a layer 2 domain (like spanning-tree) split into many parts due to a service provider network. Generally this feature is used within VPLS services.
Troubleshooting this feature could reside in modifying MTU/jumbo frame support depending on the path length across your tunneled frames.
December 30, 2009 at 12:04 a.m. UTC
Can this be used to bridge what was once separate broadcast domains together by "tunneling" through intermediate layer 3 devices?
February 15, 2010 at 9:33 a.m. UTC
Found this one when I was searching whether l2protocol-tunnel could be mixed with l2protocol-tunnel point-to-point on the same interface. Seems so...
Still have a doubt though: in the Catalyst manuals they do a "spanning-tree bpdufilter enable" when configuring l2protocol-tunnel point-to-point.
March 14, 2010 at 11:48 a.m. UTC
Is this what "QinQ" uses?
October 14, 2010 at 11:35 p.m. UTC
Don't forget about LLDP. Will this feature be updated?
October 31, 2010 at 2:38 p.m. UTC
L2PT does not 'tunnel' the frames at all. The only thing it does is change the destination MAC address (ingress and egress), so that the frames are not punted to the CPU but forwarded.
LLDP transparency is also supported on recent releases.
You can just configure l2protocol-tunnel and l2protocol-tunnel point-to-point on the interface to enable transparency for all the supported protocols.
Obviously you should do that on edge ports only, because if you do that on an uplink you will break STP/VTP/CDP etc., which can cause a loop.
November 23, 2011 at 3:10 a.m. UTC
While tunneling end-to-end PAgP, when I do sh/no sh on the L2PT tunnel port, the time taken to detect the link failure on the other side is approximately 60 sec, and vice versa if I do a sh/no sh on the other side of the tunneled interface, it takes the same time. Is this the expected behaviour? Or ??
February 8, 2015 at 2:30 p.m. UTC
Does this command flap the interface?
February 19, 2015 at 12:24 p.m. UTC
Regarding STP BPDUs, the reason for them not being read by the ISP switches is the following.
"An ingress edge switch rewrites the destination MAC address of the PDUs received on a Layer 2 tunnel port with the Cisco proprietary multicast address (01-00-0c-cd-cd-d0). The PDU is then flooded to the native VLAN of the Layer 2 tunnel port."