Layer two protocol tunneling

By stretch | Wednesday, July 2, 2008 at 1:56 a.m. UTC

Normally, Cisco switches intercept and process a number of layer two protocols, including CDP, STP, VTP, and others. This can present problems when attempting to make a switch appear completely transparent, as is a common goal of service providers. Full transparency can be achieved with layer 2 protocol tunneling (not to be confused with L2TP).

Switches can be configured to forward CDP, STP, and VTP frames instead of intercepting them. The command to enable basic L2 protocol tunneling is l2protocol-tunnel, entered in interface configuration mode. By default, this one command disables CDP on the interface and enables tunneling for CDP, STP, and VTP, as seen in the running configuration:

interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable

The switch will transparently forward incoming CDP/STP/VTP frames out other similarly configured interfaces in the same VLAN. We can inspect the traffic statistics with show l2protocol-tunnel:

Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----             4             0             0
           stp           ----      ----           117             0             0
           vtp           ----      ----             0             0             0
           ---           ----      ----          ----          ----          ----
           ---           ----      ----          ----          ----          ----
           ---           ----      ----          ----          ----          ----

Note the three seemingly useless lines at the end of the output. These lines present additional information when tunneling is expanded to include the point-to-point protocols PAgP, LACP, and UDLD with the command l2protocol-tunnel point-to-point. As with the base command, the interface is automatically configured to include each of these protocols individually:

interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 l2protocol-tunnel point-to-point pagp
 l2protocol-tunnel point-to-point lacp
 l2protocol-tunnel point-to-point udld
 no cdp enable

The forwarding statistics now include all six protocols:

Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----            10             0             0
           stp           ----      ----           292             0             0
           vtp           ----      ----             0             0             0
           pagp          ----      ----             0             0             0
           lacp          ----      ----             0             0             0
           udld          ----      ----             0             0             0
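The two listings above are the only place the switch tells you which protocols a tunnel port is actually carrying. Below is an added example (not from the post, and not Cisco code) that parses the text of show l2protocol-tunnel into per-port, per-protocol counters, so the output can be checked from a script rather than by eye. The sample output is the post's second listing, embedded as a constructed string; the helper and function names are this example's own. The placeholder rows of dashes and the "----" threshold columns are handled explicitly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the second `show l2protocol-tunnel` listing from the post,
# with the continuation rows indented under the Port column as the switch prints them.
SAMPLE_OUTPUT = """\
Switch# show l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/1      cdp           ----      ----            10             0             0
           stp           ----      ----           292             0             0
           vtp           ----      ----             0             0             0
           pagp          ----      ----             0             0             0
           lacp          ----      ----             0             0             0
           udld          ----      ----             0             0             0
"""


@dataclass
class TunnelRow:
    port: str
    protocol: str
    shutdown_threshold: Optional[int]  # None where the switch prints "----" (not configured)
    drop_threshold: Optional[int]
    encapsulated: int                  # PDUs rewritten on ingress to this port
    decapsulated: int                  # PDUs restored on egress from this port
    dropped: int


# A data row: optional port name, lowercase protocol name, two threshold columns
# (number or "----") and three numeric counters. The header, the rule line and the
# "---" placeholder rows never match because their second token is not a lowercase word.
ROW_RE = re.compile(
    r"^(?P<port>\S+)?\s+(?P<proto>[a-z]+)\s+(?P<sd>\S+)\s+(?P<dd>\S+)"
    r"\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<drop>\d+)\s*$"
)
GLOBAL_RE = re.compile(r"^(COS|Drop Threshold) for Encapsulated Packets:\s*(\d+)$")


def _threshold(token: str) -> Optional[int]:
    """'----' means no threshold is set; anything else is a decimal value."""
    return None if token.startswith("-") else int(token)


def parse_globals(text: str) -> Dict[str, int]:
    """The two global lines printed before the table."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            out["cos" if m.group(1) == "COS" else "drop_threshold"] = int(m.group(2))
    return out


def parse_l2pt(text: str) -> Dict[str, Dict[str, TunnelRow]]:
    """Return {port: {protocol: TunnelRow}}; continuation rows inherit the last port seen."""
    rows: Dict[str, Dict[str, TunnelRow]] = {}
    port: Optional[str] = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m.group("port"):
            port = m.group("port")
        if port is None:
            continue
        row = TunnelRow(port, m.group("proto"),
                        _threshold(m.group("sd")), _threshold(m.group("dd")),
                        int(m.group("enc")), int(m.group("dec")), int(m.group("drop")))
        rows.setdefault(port, {})[row.protocol] = row
    return rows


def active_protocols(rows: Dict[str, Dict[str, TunnelRow]], port: str) -> List[str]:
    """Protocols on `port` whose PDUs have actually been tunneled (non-zero encapsulation counter)."""
    return [p for p, r in rows.get(port, {}).items() if r.encapsulated > 0]


def unthresholded(rows: Dict[str, Dict[str, TunnelRow]]) -> List[Tuple[str, str]]:
    """(port, protocol) pairs tunneled with neither a shutdown nor a drop threshold,
    i.e. nothing on that port caps the rate of tunneled PDUs it will forward."""
    return [(p, r.protocol) for p, protos in rows.items() for r in protos.values()
            if r.shutdown_threshold is None and r.drop_threshold is None]


if __name__ == "__main__":
    table = parse_l2pt(SAMPLE_OUTPUT)
    print(parse_globals(SAMPLE_OUTPUT))
    print("carrying:", active_protocols(table, "Gi0/1"))
    print("no thresholds:", unthresholded(table))
```

Run against the post's listing, active_protocols reports only cdp and stp (the protocols with non-zero encapsulation counters), and unthresholded lists all six rows, since every threshold column reads "----".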

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Switching

Comments


Benmoon (guest)
July 8, 2008 at 3:13 a.m. UTC

Thanks for the insightful article. So where would this be employed in a typical campus LAN environment?


pello (guest)
August 16, 2008 at 6:48 p.m. UTC

@Benmoon l2pt is not really designed for campus networks. It's really useful when you have a layer 2 domain (like spanning-tree) split into many parts by a service provider network. Generally this feature is used within VPLS services.

Troubleshooting this feature could come down to modifying MTU/jumbo frame support, depending on the path length across which your frames are tunneled.


David Lai (guest)
December 30, 2009 at 12:04 a.m. UTC

Can this be used to bridge what was once separate broadcast domains together by "tunneling" through intermediate layer 3 devices?


A guest
February 15, 2010 at 9:33 a.m. UTC

Found this one when I was searching whether l2protocol-tunnel could be mixed with l2protocol-tunnel point-to-point on the same interface. Seems so...

Still have a doubt though: in the Catalyst manuals they do a "spanning-tree bpdufilter enable" when configuring l2protocol-tunnel point-to-point.


eric (guest)
March 14, 2010 at 11:48 a.m. UTC

Is this what "QinQ" uses?


jsicuran
October 14, 2010 at 11:35 p.m. UTC

Don't forget about LLDP. Will this feature be updated?


lost-carrier (guest)
October 31, 2010 at 2:38 p.m. UTC

L2PT does not 'tunnel' the frames at all. The only thing it does is change the destination MAC address (ingress and egress), so that the frames are not punted to the CPU but forwarded.

LLDP transparency is also supported on recent releases.

You can just configure l2protocol-tunnel and l2protocol-tunnel point-to-point on the interface to enable transparency for all the supported protocols.

Obviously you should do that on edge ports only, because if you do that on an uplink you will break STP/VTP/CDP etc., which can cause a loop.


Guest (guest)
November 23, 2011 at 3:10 a.m. UTC

While tunneling PAgP end to end, when I do sh/no sh on the L2PT tunnel port, the time taken to detect the link failure on the other side is approximately 60 sec, and vice versa if I do sh/no sh on the other side of the tunneled interface: same time. Is this the expected behaviour, or...?


A guest
February 8, 2015 at 2:30 p.m. UTC

Does this command flap the interface?


antstratis (guest)
February 19, 2015 at 12:24 p.m. UTC

Regarding STP BPDUs, the reason they are not read by the ISP switches is the following.

"An ingress edge switch rewrites the destination MAC address of the PDUs received on a Layer 2 tunnel port with the Cisco proprietary multicast address (01-00-0c-cd-cd-d0). The PDU is then flooded to the native VLAN of the Layer 2 tunnel port."

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/l2pt.html
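The quoted Cisco text and lost-carrier's comment describe the same mechanism: L2PT is a destination-MAC rewrite at the edge, not encapsulation. The following added example (not from the post or from Cisco) models that rewrite on constructed frames to show why it works and why it is unsafe on an uplink. The reserved destination addresses (01:80:c2:00:00:00 for BPDUs, 01:00:0c:cc:cc:cc for CDP/VTP/PAgP/UDLD, 01:80:c2:00:00:02 for LACP), the LLC/SNAP headers and the Cisco SNAP protocol IDs are the standard ones; the assumption specific to this model is that the egress edge recognises which protocol to restore by inspecting the LLC/SNAP header rather than by any other state, and all function names and sample frames are this example's own.

```python
from typing import Optional, Tuple

# Destination addresses. L2PT_MAC is the rewrite address quoted from the Cisco
# document above; the other three are the standard reserved PDU addresses.
L2PT_MAC  = bytes.fromhex("01000ccdcdd0")  # 01-00-0c-cd-cd-d0, Cisco L2PT
STP_MAC   = bytes.fromhex("0180c2000000")  # IEEE bridge group address (BPDUs)
CISCO_MAC = bytes.fromhex("01000ccccccc")  # CDP, VTP, PAgP, UDLD
SLOW_MAC  = bytes.fromhex("0180c2000002")  # Slow Protocols (LACP)

# Destinations an ordinary switch intercepts and hands to its control plane.
PUNTED = {STP_MAC, CISCO_MAC, SLOW_MAC}

CISCO_OUI = b"\x00\x00\x0c"
SNAP_PIDS = {b"\x20\x00": "cdp", b"\x20\x03": "vtp", b"\x01\x04": "pagp", b"\x01\x11": "udld"}
ORIGINAL_DST = {"stp": STP_MAC, "lacp": SLOW_MAC, **{p: CISCO_MAC for p in SNAP_PIDS.values()}}


def classify(frame: bytes) -> str:
    """Name the control protocol from the bytes after the MAC header. Modelling assumption:
    the egress edge uses this, not the (already rewritten) destination MAC, to restore the PDU."""
    if frame[12:14] == b"\x88\x09" and frame[14:15] == b"\x01":        # EtherType Slow Protocols, LACP subtype
        return "lacp"
    if frame[14:17] == b"\x42\x42\x03":                                # LLC DSAP/SSAP 0x42: STP BPDU
        return "stp"
    if frame[14:17] == b"\xaa\xaa\x03" and frame[17:20] == CISCO_OUI:  # SNAP with Cisco OUI
        return SNAP_PIDS.get(frame[20:22], "unknown")
    return "unknown"


def ingress_edge(frame: bytes, tunneled: set) -> Optional[bytes]:
    """Customer-facing port with l2protocol-tunnel: rewrite the destination of a PDU whose
    protocol is tunneled on this port. Returns None for PDUs the edge switch processes itself."""
    if classify(frame) in tunneled:
        return L2PT_MAC + frame[6:]
    return None


def core_action(frame: bytes) -> str:
    """A provider switch with no L2PT configuration: reserved addresses are punted to the CPU,
    everything else is flooded within the VLAN like any unknown multicast."""
    return "punt" if frame[:6] in PUNTED else "flood"


def egress_edge(frame: bytes) -> bytes:
    """Tunnel port on the far edge: restore the original destination before delivery."""
    if frame[:6] != L2PT_MAC:
        return frame
    proto = classify(frame)
    if proto == "unknown":
        return frame  # not a PDU this model knows how to restore; leave it alone
    return ORIGINAL_DST[proto] + frame[6:]


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """802.3 frame: dst, src, 16-bit length, then LLC/SNAP payload."""
    return dst + src + len(payload).to_bytes(2, "big") + payload


# Constructed sample PDUs (headers real, bodies padding).
SRC  = bytes.fromhex("001122334455")
BPDU = build_frame(STP_MAC, SRC, b"\x42\x42\x03" + b"\x00\x00\x00\x00" + b"\x00" * 31)
CDP  = build_frame(CISCO_MAC, SRC, b"\xaa\xaa\x03" + CISCO_OUI + b"\x20\x00" + b"\x02\xb4\x00\x00")
LACP = SLOW_MAC + SRC + b"\x88\x09" + b"\x01\x01" + b"\x00" * 108


def walk(frame: bytes, tunneled: set) -> Tuple[str, Optional[bytes]]:
    """Trace one PDU through ingress edge -> provider core -> egress edge.
    Returns (what the core did with it, the frame delivered to the far customer port)."""
    inside = ingress_edge(frame, tunneled)
    if inside is None:
        return "intercepted at edge", None
    return core_action(inside), egress_edge(inside)


if __name__ == "__main__":
    print("untouched BPDU at a core switch:", core_action(BPDU))
    print("BPDU through L2PT:", walk(BPDU, {"stp", "cdp", "vtp"}))
```

The trace shows the whole trick: the same BPDU that a core switch would punt and process becomes, after the rewrite, an address no switch recognises, so it is flooded through the provider like ordinary multicast and comes out the far tunnel port with its original address. It also shows lost-carrier's warning in code: apply the rewrite on a port that is really an uplink, and the BPDUs the switch needed to process locally are flooded past it instead.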
