Layer two protocol tunneling

Normally, Cisco switches intercept and process a number of layer two protocols, including CDP, STP, VTP, and others. This can present problems when attempting to make a switch appear completely transparent, as is a common goal of service providers. Full transparency can be achieved with layer 2 protocol tunneling (not to be confused with L2TP).

Switches can be configured to forward CDP, STP, and VTP frames instead of intercepting them. The command to enable basic L2 tunneling is l2protocol-tunnel at interface configuration. By default, this one command disables CDP on the interface and enables tunneling for CDP, STP, and VTP, as seen in the running configuration:

interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable

The switch will transparently forward incoming CDP/STP/VTP frames out other similarly configured interfaces in the same VLAN. We can inspect the traffic statistics with show l2protocol-tunnel:

Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----             4             0             0
       stp           ----      ----           117             0             0
       vtp           ----      ----             0             0             0
       ---           ----      ----          ----          ----          ----
       ---           ----      ----          ----          ----          ----
       ---           ----      ----          ----          ----          ----

Note the three seemingly useless lines at the end of the output. These lines present additional information when tunneling is expanded to include point-to-point protocols PAgP, LACP, and UDLD with the command l2protocol-tunnel point-to-point. Similar to the base command, the interface is automatically configured to include each of these protocols individually:

interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point lacp
 l2protocol-tunnel point-to-point udld
 no cdp enable

The forwarding statistics now include all six protocols:

Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----            10             0             0
       stp           ----      ----           292             0             0
       vtp           ----      ----             0             0             0
       pagp          ----      ----             0             0             0
       lacp          ----      ----             0             0             0
       udld          ----      ----             0             0             0
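The show l2protocol-tunnel listing above is easy to read by eye but awkward to scrape, because continuation rows omit the port name and the point-to-point placeholder rows contain only dashes. The following parser is an added example, not code from the article or from Cisco; it turns a captured listing into per-port, per-protocol counters and reports which protocols are actually being carried, which is what a monitoring check would alert on (for instance STP BPDUs appearing on a port that was not meant to tunnel them).

```python
# Sample show output constructed from the listing in the article above.
SAMPLE = """\
Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----             4             0             0
       stp           ----      ----           117             0             0
       vtp           ----      ----             0             0             0
       ---           ----      ----          ----          ----          ----
       ---           ----      ----          ----          ----          ----
       ---           ----      ----          ----          ----          ----
"""

COUNTERS = ("shutdown_threshold", "drop_threshold", "encap", "decap", "drop")

def _field(value):
    # Thresholds print as '----' when unset; the counters are plain integers.
    return None if value == "----" else int(value)

def parse_l2pt(output):
    """Return {port: {protocol: {counter: value}}} for one show listing.
    Rows without a port name belong to the last port seen; '---' rows are
    placeholders for point-to-point protocols not yet enabled, so skip them."""
    stats, port, in_table = {}, None, False
    for line in output.splitlines():
        if line.startswith("----------"):
            in_table = True  # everything above the separator is header text
            continue
        if not in_table or not line.strip():
            continue
        if not line[0].isspace():
            port, line = line.split(None, 1)
        fields = line.split()
        if port is None or len(fields) != 6:
            raise ValueError(f"unexpected row: {line!r}")
        if fields[0] == "---":
            continue
        stats.setdefault(port, {})[fields[0]] = dict(zip(COUNTERS, map(_field, fields[1:])))
    return stats

def tunneled_protocols(stats):
    """(port, protocol) pairs whose encapsulation counter is non-zero."""
    return sorted((port, proto) for port, protos in stats.items()
                  for proto, ctr in protos.items() if ctr["encap"])
```

Running tunneled_protocols(parse_l2pt(SAMPLE)) on the sample reports CDP and STP on Gi0/1, matching the non-zero encapsulation counters in the listing.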

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Comments

Thanks for the insightful article. So where would this be employed in a typical campus LAN environment?

@Benmoon l2pt is not really designed for campus networks. It's really useful when you have a layer 2 domain (like spanning-tree) split into many parts due to a service provider network. Generally this feature is used within VPLS services.

Troubleshooting this feature could involve modifying MTU/jumbo frame support, depending on the path length your tunneled frames traverse.

Can this be used to bridge what was once separate broadcast domains together by "tunneling" through intermediate layer 3 devices?

Found this one when I was searching whether l2protocol-tunnel could be mixed with l2protocol-tunnel point-to-point on the same interface. Seems so...

Still have a doubt though: in the Catalyst manuals they do a "spanning-tree bpdufilter enable" when configuring l2protocol-tunnel point-to-point.

Is this what "QinQ" uses?

Don't forget about LLDP. Will this feature be updated?

L2PT does not 'tunnel' the frames at all. The only thing it does is change the destination MAC address (ingress and egress), so that the frames are not punted to the CPU but forwarded.

LLDP transparency is also supported on recent releases.

You can just configure l2protocol-tunnel and l2protocol-tunnel point-to-point on the interface to enable transparency for all the supported protocols.

Obviously you should do that on edge ports only, because if you do that on an uplink you will break STP/VTP/CDP etc., which can cause a loop.

While tunneling end-to-end PAgP, when I do sh/no sh on the L2PT tunnel port, the time taken to detect the link failure on the other side is approximately 60 sec, and vice versa if I do sh/no sh on the other side of the tunneled interface, it takes the same time. Is this expected, or not?
