Layer 2 Protocol Tunneling
Understanding Layer 2 Protocol Tunneling
Juniper Networks Ethernet switches and routers use Layer 2 protocol tunneling (L2PT) to send Layer 2 protocol data units (PDUs) across the network and deliver them to devices that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.
You can also use L2PT to tunnel protocols between two locally-connected user-to-network interfaces (UNIs) in the same broadcast domain, but in that case, the device floods protocol packets in the VLAN instead of rewriting the packets with the tunnel MAC address.
See Feature Explorer for the list of devices that support L2PT.
Benefits of Layer 2 Protocol Tunneling
Enables you to run supported Layer 2 protocols in a tunnel across a service provider network to remote sites.
Provides a single spanning-tree protocol domain for subscribers across a service provider network.
How Layer 2 Protocol Tunneling Works
L2PT works by encapsulating Layer 2 PDUs, tunneling them across a service provider network, and decapsulating them for delivery to their destination switches. The ingress service provider edge (PE) device encapsulates Layer 2 PDUs by rewriting the PDUs’ destination media access control (MAC) addresses before forwarding them onto the service provider network. The devices in the service provider network treat these encapsulated PDUs as multicast Ethernet packets. Upon receipt of these PDUs, the egress PE devices decapsulate them by replacing the destination MAC addresses with the address of the Layer 2 protocol that is being tunneled before forwarding the PDUs to their destination devices.
When a PE port configured for Layer 2 protocol tunneling receives a control packet for a supported Layer 2 protocol, the PE device rewrites the multicast destination MAC address with the predefined multicast tunnel MAC address 01:00:0C:CD:CD:D0. The PE device then sends the modified packet onto the provider network. The packet travels transparently across the service provider network with the tunnel MAC address. All devices on the provider network treat these packets as multicast Ethernet packets and deliver them to all PE devices for the customer. The egress PE devices receive all the control PDUs with the tunnel MAC address, identify the packet type by doing deeper packet inspection, and replace the destination MAC address with the appropriate destination MAC address. The egress PE devices send out the modified PDUs to the customer PE devices, and the original MAC address is restored when the packets reach the destination ports.
The L2PT protocol is valid for all types of packets, such as untagged, tagged, and Q-in-Q tagged packets.
If a PE device receives a packet on a tunnel interface that already has a destination MAC address of 01:00:0C:CD:CD:D0, the device puts the port into an error state and shuts down the port. You can clear this error condition on an interface using the CLI by entering the clear error mac-rewrite interface interface-name command on the following devices that support L2PT:
MX Series and ACX Series routers
EX Series switches that use Enhanced Layer 2 Software (ELS)—EX2300, EX3400, EX4300, EX4600, EX4650, and EX9200 switches
QFX Series switches
Figure 1 illustrates an example of the L2PT process with EX Series switches in a service provider network that are configured to tunnel LLDP packets on a service VLAN with Q-in-Q tunneling enabled.

- Customer Switch D sends an LLDP PDU to the service provider network that is ultimately intended for the other switches in the customer network.
- The receiving provider switch rewrites the LLDP destination MAC address with the L2PT destination MAC address, and sends the frame with the encapsulated LLDP PDU to the other switches in the service provider network.
- When the other service provider switches receive the frame, they detect the L2PT destination MAC address, restore the LLDP destination MAC address, and forward it to Customer Switches A, B, and C.
MX Series Router Support for Layer 2 Protocol Tunneling
MX Series routers support tunneling the following Layer 2 PDUs:
Cisco Discovery Protocol (CDP)—MAC address 01:00:0C:CC:CC:CC
Per-VLAN Spanning Tree Protocol (PVSTP)—MAC address 01:00:0C:CC:CC:CD
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)—MAC address 01:80:C2:00:00:00
VLAN Trunking Protocol (VTP)—MAC address 01:00:0C:CC:CC:CC
You can configure L2PT on an interface using the mac-rewrite CLI command at the [edit protocols layer2-control] hierarchy level.
Layer 2 protocol tunneling is supported on MX Series routers with Enhanced Dense Port Concentrators (DPCs) and Enhanced Queuing DPCs. See Table 2 for a list of the supported DPCs. Layer 2 protocol tunneling is supported on all Modular Port Concentrators (MPCs).
Layer 2 protocol tunneling is not supported on Rev-A DPCs on MX Series routers because of microcode space limitations.
Layer 2 protocol tunneling and MAC rewrite are supported in VPLS, but only certain hardware configurations are supported.
Table 1 shows the MPCs and Enhanced DPCs supported when configuring Layer 2 protocol tunneling and VPLS.
Table 1: MAC Rewrite and VPLS Configurations
CE-Facing Interface | PE-Core Facing Interface | Layer 2 Protocol Tunneling |
---|---|---|
MPC | MPC | Yes |
MPC | Enhanced DPC | Yes |
Enhanced DPC | MPC | Yes |
Enhanced DPC | Enhanced DPC | No |
Table 2 lists the DPCs that support Layer 2 protocol tunneling.
Table 2: DPCs Supported for Layer 2 Protocol Tunneling
DPC Name | DPC Model Number |
---|---|
Gigabit Ethernet | |
DPCE-R-40GE-SFP | |
DPCE-X-40GE-SFP | |
Gigabit Ethernet Enhanced Queuing Ethernet Services DPC with SFP | DPCE-X-Q-40GE-SFP |
DPCE-R-Q-20GE-SFP | |
DPCE-R-Q-40GE-SFP | |
10-Gigabit Ethernet | |
DPCE-R-2XGE-XFP | |
DPCE-R-4XGE-XFP | |
DPCE-X-4XGE-XFP | |
10-Gigabit Ethernet Enhanced Queuing Ethernet Services DPC with XFP | DPCE-X-Q-4XGE-XFP |
10-Gigabit Ethernet Enhanced Queuing IP Services DPC with XFP | DPCE-R-Q-4XGE-XFP |
Multi-Rate Ethernet | |
DPCE-R-20GE-2XGE | |
Multi-Rate Ethernet Enhanced Ethernet Services DPC with SFP and XFP | DPCE-X-20GE-2XGE |
Multi-Rate Ethernet Enhanced Queuing IP Services DPC with SFP and XFP | DPCE-R-Q-20GE-2XGE |
Tri-Rate Ethernet | |
DPCE-R-40GE-TX | |
DPCE-X-40GE-TX | |
When a device sends a RADIUS access request, the Chargeable-User-Identity parameter is an empty field. For more information about configuring RADIUS, see the Junos Subscriber Access Configuration Guide.
ACX Series Router Support for Layer 2 Protocol Tunneling
On ACX Series routers, you can configure L2PT on an interface using the mac-rewrite CLI command at the [edit protocols layer2-control] hierarchy level.
L2PT on ACX Series routers supports tunneling the Layer 2 PDUs listed in Table 3, with the indicated Ethernet encapsulation type and MAC address:
Table 3: Layer 2 Protocol Tunneling Support on ACX Series Routers
Protocol | Ethernet Encapsulation | MAC Address |
---|---|---|
802.1X (IEEE 802.1X authentication) | Ether (0x888E) | 01:80:C2:00:00:03 |
802.3ah (IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)) | Ether (0x8809) | 01:80:C2:00:00:02 |
Cisco Discovery Protocol (CDP) | LLC (0xAAAA03) | 01:00:0C:CC:CC:CC |
Ethernet local management interface (E-LMI) | Ether (0x88EE) | 01:80:C2:00:00:07 |
Link Aggregation Control Protocol (LACP) | Ether (0x8809) | 01:80:C2:00:00:02 |
Link Layer Discovery Protocol (LLDP) | Ether (0x88CC) | 01:80:C2:00:00:0E |
Multiple MAC Registration Protocol (MMRP) | Ether (0x88F5) | 01:80:C2:00:00:20 |
MVRP VLAN Registration Protocol (MVRP) | Ether (0x88F6) | 01:80:C2:00:00:21 |
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) | LLC (0x424203) | 01:80:C2:00:00:00 |
VLAN Trunking Protocol (VTP) | LLC (0xAAAA03) | 01:00:0C:CC:CC:CC |
EX Series and QFX Series Switch Support for Layer 2 Protocol Tunneling
Table 4 lists the Layer 2 protocols that can be tunneled on QFX Series and EX Series switches. QFX Series and EX Series switches that use the Enhanced Layer 2 Software (ELS) configuration style share the same configuration hierarchy to set up L2PT. The configuration hierarchy is different for EX Series switches that do not support ELS. For details on the configuration options to enable tunneling the supported protocols on each type of switch, and the releases in which those options are supported, see either of the following configuration statements:
QFX Series switches and EX Series ELS switches (EX2300, EX3400, EX4300, EX4600, EX4650, and EX9200): protocol statement in the [edit protocols layer2-control mac-rewrite interface interface-name] hierarchy.
Non-ELS switches (EX2200, EX3300, EX4200, EX4500, and EX4450): layer2-protocol-tunneling statement in the [edit vlans vlan-name dot1q-tunneling] hierarchy.
All switches that support L2PT can tunnel the listed protocols unless otherwise noted in the second column.
Table 4: L2PT Protocols Supported on EX Series and QFX Series Switches
Layer 2 Protocol That Can Be Tunneled | Support Notes and Exceptions |
---|---|
802.1X authentication | Not supported on EX2300 multigigabit model switches. |
802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) | If you enable L2PT for untagged OAM LFM packets, do not configure LFM on the corresponding access interface. |
Cisco Discovery Protocol (CDP) | You can’t configure CDP on EX Series and QFX Series switches. However, L2PT can tunnel CDP PDUs. |
Ethernet local management interface (E-LMI) | Not supported on EX2300 multigigabit model switches. |
Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) | |
Link Aggregation Control Protocol (LACP) | If you enable L2PT for untagged LACP packets, do not configure Link Aggregation Control Protocol (LACP) on the corresponding access interface. |
Link Layer Discovery Protocol (LLDP) | |
Multiple MAC Registration Protocol (MMRP) | Not supported on EX2300 multigigabit model switches. |
MVRP VLAN Registration Protocol (MVRP) | |
Per-VLAN Spanning Tree and Per-VLAN Spanning Tree Plus (PVST+) Protocols | Only supported on EX9200 switches. Use this option to enable tunneling VSTP instead of the vstp option. |
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) | |
Unidirectional Link Detection (UDLD) | Not supported on EX2300 multigigabit model switches. You can’t configure UDLD on EX Series and QFX Series switches. However, L2PT can tunnel UDLD PDUs. |
VLAN Spanning Tree Protocol (VSTP) | EX9200 switches support tunneling VSTP packets but do not have a separate option to enable tunneling VSTP. The option that enables tunneling PVST and PVST+ (pvstp) also enables tunneling VSTP. |
VLAN Trunking Protocol (VTP) | You can’t configure VTP on EX Series and QFX Series switches. However, L2PT can tunnel VTP PDUs. |
The egress PE switches use the encapsulated MAC address to identify the tunneled Layer 2 control protocol and do the destination MAC address rewrite. Table 5 lists the supported protocols and their corresponding encapsulation types and MAC addresses on EX Series and QFX Series switches:
Table 5: Protocol Destination MAC Addresses
Protocol | Ethernet Encapsulation | MAC Address |
---|---|---|
802.1X | Ether-II | 01:80:C2:00:00:03 |
802.3ah | Ether-II | 01:80:C2:00:00:02 |
CDP | LLC/SNAP | 01:00:0C:CC:CC:CC |
E-LMI | Ether-II | 01:80:C2:00:00:07 |
GVRP | LLC/SNAP | 01:80:C2:00:00:21 |
LACP | Ether-II | 01:80:C2:00:00:02 |
LLDP | Ether-II | 01:80:C2:00:00:0E |
MMRP | Ether-II | 01:80:C2:00:00:20 |
MVRP | Ether-II | 01:80:C2:00:00:21 |
PVSTP | LLC/SNAP | 01:00:0C:CC:CC:CD |
STP, RSTP, MSTP | LLC/SNAP | 01:80:C2:00:00:00 |
UDLD | LLC/SNAP | 01:00:0C:CC:CC:CC |
VSTP | LLC/SNAP | 01:00:0C:CC:CC:CD |
VTP | LLC/SNAP | 01:00:0C:CC:CC:CC |
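
The rewrite described in "How Layer 2 Protocol Tunneling Works" and the lookup the egress PE performs against Table 5 can be modeled offline. The following Python sketch is an added example, not Juniper code: the `PEPort` class, the function names and the sample frames are constructed for illustration, the EtherType and LLC values come from Table 3, and the Cisco SNAP protocol IDs are an assumption from general knowledge.

```python
"""Added illustration of the L2PT destination-MAC rewrite; not Juniper code."""
import struct


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


TUNNEL_MAC = mac("01:00:0C:CD:CD:D0")             # tunnel MAC given on this page
PROTO_MAC = {                                     # destination MACs from Table 5
    "802.1x": mac("01:80:C2:00:00:03"),
    "slow": mac("01:80:C2:00:00:02"),             # 802.3ah OAM and LACP share 0x8809
    "lldp": mac("01:80:C2:00:00:0E"),
    "stp": mac("01:80:C2:00:00:00"),
    "cdp": mac("01:00:0C:CC:CC:CC"),
    "pvstp": mac("01:00:0C:CC:CC:CD"),
}
ETHERTYPE = {0x888E: "802.1x", 0x8809: "slow", 0x88CC: "lldp"}   # from Table 3
VLAN_TPIDS = {0x8100, 0x88A8}                     # C-tag and S-tag TPIDs
# Cisco SNAP protocol IDs: assumption from general knowledge, not from the page.
SNAP_PID = {0x2000: "cdp", 0x010B: "pvstp"}


def classify(frame):
    """Identify the control protocol from the frame body, ignoring the destination MAC."""
    try:
        off = 12
        (tl,) = struct.unpack_from("!H", frame, off)
        while tl in VLAN_TPIDS:                   # skip a single tag or Q-in-Q tags
            off += 4
            (tl,) = struct.unpack_from("!H", frame, off)
        off += 2
        if tl >= 0x0600:                          # Ethernet II: the field is an EtherType
            return ETHERTYPE.get(tl)
        llc = frame[off:off + 3]                  # 802.3: the field is a length, LLC follows
        if llc == b"\x42\x42\x03":
            return "stp"
        if llc == b"\xaa\xaa\x03" and frame[off + 3:off + 6] == b"\x00\x00\x0c":
            (pid,) = struct.unpack_from("!H", frame, off + 6)
            return SNAP_PID.get(pid)
    except struct.error:                          # truncated frame
        pass
    return None


class PEPort:
    """Hypothetical model of one customer-facing port with mac-rewrite enabled."""

    def __init__(self, name, protocols):
        self.name, self.protocols, self.error = name, set(protocols), False

    def ingress(self, frame):
        """Frame received from the customer; returns what enters the provider network."""
        if self.error:
            return None                           # port stays down until the error is cleared
        if frame[:6] == TUNNEL_MAC:
            self.error = True                     # already-tunneled PDU on a UNI: MAC rewrite error
            return None
        proto = classify(frame)
        if proto in self.protocols and frame[:6] == PROTO_MAC[proto]:
            return TUNNEL_MAC + frame[6:]         # only the destination MAC changes
        return frame                              # simplification: other frames pass unchanged

    def egress(self, frame):
        """Frame arriving from the provider network, to be delivered to the customer."""
        if frame[:6] != TUNNEL_MAC:
            return frame
        proto = classify(frame)                   # the "deeper packet inspection" step
        if proto in self.protocols:
            return PROTO_MAC[proto] + frame[6:]
        return None                               # assumption: unidentified tunneled PDUs are dropped

    def clear_error(self):
        self.error = False


def build(dst, src, tags, body):
    return dst + src + b"".join(struct.pack("!HH", t, v) for t, v in tags) + body


# Constructed sample frames (payload bytes are filler).
SRC = mac("02:00:00:00:00:0D")
LLDP_QINQ = build(PROTO_MAC["lldp"], SRC, [(0x88A8, 100), (0x8100, 10)],
                  struct.pack("!H", 0x88CC) + b"\x02\x07\x04" + bytes(6))
STP_UNTAGGED = build(PROTO_MAC["stp"], SRC, [],
                     struct.pack("!H", 38) + b"\x42\x42\x03" + bytes(35))
PVST_TAGGED = build(PROTO_MAC["pvstp"], SRC, [(0x8100, 10)],
                    struct.pack("!H", 50) + b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b" + bytes(42))

if __name__ == "__main__":
    uni_a = PEPort("ge-0/0/0", {"lldp", "stp"})
    uni_d = PEPort("ge-0/0/1", {"lldp", "stp"})
    tunneled = uni_a.ingress(LLDP_QINQ)
    print("in provider network:", tunneled[:6].hex(":"))
    print("restored at egress :", uni_d.egress(tunneled)[:6].hex(":"))
    uni_a.ingress(tunneled)                       # tunneled PDU looping back to a UNI
    print("port error after loop:", uni_a.error)
```

Because the tunnel MAC replaces every protocol's destination address, the egress side can only recover the original address from the frame body, which is why the model classifies on EtherType or LLC/SNAP fields after skipping any VLAN tags.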
VLAN and Q-in-Q Tunneling Configuration Requirements for Configuring L2PT on Switches
On switches, you enable L2PT on a per-VLAN basis. When you enable L2PT for a particular Layer 2 protocol on a VLAN, all access interfaces are considered to be customer-facing interfaces and all trunk interfaces are considered to be service provider network-facing interfaces. You cannot configure the specified protocol on the access interfaces. L2PT only acts on logical interfaces with family ethernet-switching. The switch floods L2PT PDUs to all trunk and access ports within a given S-VLAN.
Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If an access interface does receive L2PT-tunneled PDUs, there might be a loop in the network, and the device will shut down the interface.
You must configure and enable Q-in-Q tunneling (802.1Q VLAN encapsulation) before you can configure L2PT. For information about Q-in-Q tunneling on EX9200 switches, see Configuring VLAN Encapsulation and related topics, or for other EX Series and QFX Series switches, see Understanding Q-in-Q Tunneling and VLAN Translation.
For QFX Series and ELS EX Series switches, you configure L2PT using statements in the [edit protocols layer2-control mac-rewrite interface interface-name] hierarchy to enable MAC address rewriting for Layer 2 protocol tunneling for a configured Q-in-Q interface. For details, see Configuring Layer 2 Protocol Tunneling.
For non-ELS EX Series switches, you configure L2PT using statements in the [edit vlans vlan-name dot1q-tunneling] hierarchy, which means Q-in-Q tunneling is (and must be) enabled. For details on configuring L2PT on non-ELS EX Series switches, see Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support.
If the switch receives untagged or priority-tagged Layer 2 control PDUs to be tunneled, then you must configure the switch to map untagged and priority-tagged packets to an L2PT-enabled VLAN. For more information on assigning untagged and priority-tagged packets to VLANs, see Understanding Q-in-Q Tunneling and VLAN Translation and Configuring Q-in-Q Tunneling on EX Series Switches.
Configuring Layer 2 Protocol Tunneling
This topic applies to Junos OS for routers, QFX Series switches, and EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. To configure Layer 2 protocol tunneling (L2PT) on EX Series switches that do not use ELS, see Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.
With Layer 2 protocol tunneling (L2PT) enabled, Juniper Networks Ethernet routers and switches can send Layer 2 protocol data units (PDUs) across the network and deliver them to devices that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.
You can also use L2PT to tunnel protocols between two locally-connected user-to-network interfaces (UNIs) in the same broadcast domain, but in that case, the protocol packets are simply flooded in the VLAN instead of being rewritten with the tunnel MAC address.
To configure L2PT, you enable MAC address rewriting for Layer 2 protocol tunneling, which installs the destination multicast tunnel MAC address 01:00:0C:CD:CD:D0 in the MAC table. At the same time, you select the Layer 2 protocol to be tunneled from the list of available options for the type of switch you are configuring (see protocol).
Use the following guidelines when you configure L2PT:
Layer 2 protocol tunneling must be configured on the interfaces at both ends of the tunnel.
You can enable Layer 2 protocol tunneling for untagged interfaces and single-identifier tagged interfaces only, not for double-identifier tagged interfaces.
For single-identifier tagged ports, configure a logical interface with the native VLAN identifier. This configuration associates the untagged control packets with a logical interface.
MX Series routers must have enhanced queuing Dense Port Concentrators (DPCs) to support Layer 2 protocol tunneling.
To configure L2PT on a QFX Series switch or an EX Series switch, you must first configure a Q-in-Q interface or group of interfaces, and configure L2PT on a specified Q-in-Q interface.
For information on configuring Q-in-Q tunneling on EX9200 switches, see Configuring VLAN Encapsulation, Configuring Inner and Outer TPIDs and VLAN IDs, and Stacking a VLAN Tag.
For information on configuring Q-in-Q tunneling on other EX Series switches that use the Enhanced Layer 2 Software (ELS) configuration style, see Configuring Q-in-Q Tunneling on EX Series Switches with ELS Support.
For information on configuring Q-in-Q tunneling on EX Series switches that do not use the ELS configuration style, see Configuring Q-in-Q Tunneling on EX Series Switches.
For information on configuring Q-in-Q tunneling on QFX Series switches, see Configuring Q-in-Q Tunneling on QFX Series Switches.
When you enable L2PT tunneling for a protocol on one user-to-network interface (UNI) in a bridge domain or VLAN, you should also configure all UNIs in the bridge domain or VLAN to tunnel the same protocol for consistent behavior. In that case, those UNIs can receive non-tunneled packets, and tunneled packets are forwarded through the network-to-network interfaces (NNIs).
- To configure L2PT on a specified interface:
[edit protocols]
user@device# set layer2-control mac-rewrite interface interface-name protocol protocol-name
Note: You can select only one Layer 2 protocol at a time. If you want an interface to support tunneling more than one Layer 2 protocol, you must enter the mac-rewrite statement separately to select each of the protocols you want to tunnel.
For example, on an EX9200 switch, the following commands configure a UNI (xe-1/1/3) for Q-in-Q tunneling and MAC address rewriting for STP:
set interfaces xe-1/1/3 flexible-vlan-tagging
set interfaces xe-1/1/3 encapsulation extended-vlan-bridge
set interfaces xe-1/1/3 unit 10 encapsulation vlan-bridge
set interfaces xe-1/1/3 unit 10 vlan-id 10
set interfaces xe-1/1/3 native-vlan-id 10
set interfaces xe-1/1/3 unit 10 input-vlan-map push
set interfaces xe-1/1/3 unit 10 input-vlan-map vlan-id 100
set interfaces xe-1/1/3 unit 10 output-vlan-map pop
set protocols layer2-control mac-rewrite interface xe-1/1/3 protocol stp
set vlans v10 interface xe-1/1/3.10
On an ELS EX Series switch or a QFX Series switch, the following commands configure a UNI (ge-0/0/0) for Q-in-Q tunneling and MAC address rewriting for STP and LLDP:
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 native-vlan-id 10
set interfaces ge-0/0/0 unit 10 input-vlan-map push
set interfaces ge-0/0/0 unit 10 output-vlan-map pop
set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol stp
set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lldp
set vlans v10 interface ge-0/0/0.10
When you configure L2PT to tunnel protocols to or from two locally-connected UNIs on the same switch, you still configure the mac-rewrite statement to specify the protocol being tunneled, but the switch simply floods the protocol packets within the VLAN instead of rewriting the MAC address. You use the same configuration for both interfaces, and you don’t need to use a loopback cable.
For example, the following commands configure two UNIs (ge-0/0/0 and ge-0/0/1) in VLAN v20 for Q-in-Q tunneling on a switch, and the two ports on the switch exchange LACP and LLDP packets:
set vlans v20 vlan-id 20
set interfaces ge-0/0/0 unit 20 vlan-id 20
set interfaces ge-0/0/0 unit 20 family ethernet-switching vlan members v20
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 20
set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
set interfaces ge-0/0/0 unit 20 input-vlan-map push
set interfaces ge-0/0/0 unit 20 output-vlan-map pop
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family ethernet-switching vlan members v20
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 20
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 20 input-vlan-map push
set interfaces ge-0/0/1 unit 20 output-vlan-map pop
set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lacp
set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lldp
set protocols layer2-control mac-rewrite interface ge-0/0/1 protocol lacp
set protocols layer2-control mac-rewrite interface ge-0/0/1 protocol lldp
set vlans v20 interface ge-0/0/0.20
set vlans v20 interface ge-0/0/1.20
- To check the protocols configured for L2PT on an interface, enter the show mac-rewrite interface CLI command with the interface name.
For example:
user@device> show mac-rewrite interface ge-0/0/0
Interface     Protocols
ge-0/0/0      LLDP STP
If you don’t specify an interface name, the show mac-rewrite interface command displays all interfaces with L2PT configured.
For example:
user@switch> show mac-rewrite interface
Interface     Protocols
ge-0/0/0      LACP LLDP
ge-0/0/1      LACP LLDP
- To detect and clear an interface configured with L2PT that appears to be blocked due to a MAC rewrite error, see Clearing a MAC Rewrite Error on an Interface with Layer 2 Protocol Tunneling.
Clearing a MAC Rewrite Error on an Interface with Layer 2 Protocol Tunneling
On devices with Layer 2 protocol tunneling (L2PT) configured, customer-facing ports should not receive packets with the L2PT MAC address as the destination address unless you have a network topology or configuration error. Under these conditions, when an interface with L2PT enabled receives an L2PT packet, the interface state becomes disabled due to a MAC rewrite error, and you must subsequently re-enable it to continue operation.
- To check whether an interface with L2PT enabled has become disabled due to a MAC rewrite error condition, use the show interfaces operational command:
user@switch> show interfaces interface-name
If the interface status includes Disabled, Physical link is Down or Enabled, Physical link is Down and the MAC-REWRITE Error field is Detected, then the device detected a MAC rewrite error that contributed to the interface being down. When the device did not detect any MAC rewrite errors, the MAC-REWRITE Error field is None.
For example, the following output shows the device detected a MAC rewrite error on the given interface:
user@switch> show interfaces ge-0/0/2
Physical interface: ge-0/0/2, Disabled, Physical link is Down
  Interface index: 150, SNMP ifIndex: 531
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 1000mbps, BPDU Error: None, Loop Detect PDU Error: None,
  Ethernet-Switching Error: None, Source filtering: Disabled
  Ethernet-Switching Error: None, MAC-REWRITE Error: Detected, Loopback: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online, Media type: Fiber
  Device flags : Present Running
- On routers, QFX Series switches, and EX Series switches that use the Enhanced Layer 2 Software configuration style, you can clear a MAC rewrite error from the Junos CLI.
To clear a MAC rewrite error from an interface that has L2PT enabled, use the clear error mac-rewrite operational command:
user@switch> clear error mac-rewrite interface interface-name
Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support
This task applies only to switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.
An EX Series switch can use Layer 2 protocol tunneling (L2PT) to send Layer 2 protocol data units (PDUs) across a service provider network and deliver them to EX Series switches at a remote location. This feature is useful when you have a network that includes remote sites that are connected across a service provider network and you want to run Layer 2 protocols on switches connected across the service provider network.
Tunneled Layer 2 PDUs do not normally arrive at a high rate. If the tunneled Layer 2 PDUs do arrive at a high rate, there might be a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs to isolate the problem. You can use the shutdown-threshold statement to do so. However, if you do not want to completely shut down the interface, you can use the drop-threshold statement to configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.
There are no default settings for drop-threshold and shutdown-threshold, so unless you explicitly configure these values, the switch doesn’t enforce any thresholds. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors.
You can specify a drop threshold value without specifying a shutdown threshold value, and you can specify a shutdown threshold value without specifying a drop threshold value. If you specify both threshold values, then the drop threshold value must be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration, the commit will fail.
You can’t configure L2PT and VLAN translation with the mapping statement on the same switch.
If the switch receives untagged Layer 2 control PDUs to be tunneled, then you must configure the switch to map untagged (native) packets to an L2PT-enabled VLAN. Otherwise, the switch discards untagged Layer 2 control PDU packets. For more information, see Understanding Q-in-Q Tunneling and VLAN Translation and Configuring Q-in-Q Tunneling on EX Series Switches.
To configure L2PT on an EX Series switch:
- Because L2PT operates under the Q-in-Q tunneling configuration, you must enable Q-in-Q tunneling before you can configure L2PT. Enable Q-in-Q tunneling on VLAN customer-1:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling
- Enable L2PT for the Layer 2 protocol you want to tunnel, on the VLAN:
To enable L2PT for a specific protocol (here, STP):
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
To enable L2PT for all supported protocols:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling all
- (Optional) Configure the drop threshold:
Note: If you also configure the shutdown threshold, ensure that you configure the drop threshold value to be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration changes, the commit will fail.
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
- (Optional) Configure the shutdown threshold:
Note: If you also configure the drop threshold, ensure that you configure the shutdown threshold value to be greater than or equal to the drop threshold value. If the shutdown threshold value is less than the drop threshold value and you try to commit the configuration changes, the commit will fail.
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
Note: After an interface becomes disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command. Otherwise, the interface remains disabled.
Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support
This example uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style.
Layer 2 protocol tunneling (L2PT) enables service providers to send Layer 2 protocol data units (PDUs) across the provider’s cloud and deliver them to EX Series switches that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.
You can’t configure both L2PT and VLAN translation configured with the mapping statement on the same VLAN. However, you can configure L2PT on one VLAN on a switch and VLAN translation on a different VLAN that doesn’t have L2PT configured.
This example describes how to configure L2PT:
Requirements
This example uses the following hardware and software components:
Six EX Series switches, with three each at two customer sites, with one of the switches at each site designated as the provider edge (PE) device
Junos OS Release 10.0 or later for EX Series switches
Overview and Topology
L2PT enables you to send Layer 2 PDUs across a service provider network and deliver them to EX Series switches that are not part of the local broadcast domain.
Figure 2 shows a customer network that includes two sites that are connected across a service provider network. Site 1 contains three switches connected in a Layer 2 network, with Switch A designated as a provider edge (PE) device in the service provider network. Site 2 contains a Layer 2 network with a similar topology to that of Site 1, with Switch D designated as a PE device.

When you enable L2PT on a VLAN, you also must enable Q-in-Q tunneling. Q-in-Q tunneling ensures that Switches A, B, C, D, E, and F are part of the same broadcast domain.
This example uses STP as the Layer 2 protocol being tunneled, but you could substitute any of the supported protocols for STP. You can also use the all keyword to enable L2PT for all supported Layer 2 protocols.
Tunneled Layer 2 PDUs do not normally arrive at a high rate. If the tunneled Layer 2 PDUs do arrive at a high rate, you might have a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs so that the problem can be isolated. Alternately, if you do not want to completely shut down the interface, you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.
The drop-threshold configuration statement enables you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold must be less than or equal to the shutdown threshold. If the drop threshold is greater than the shutdown threshold and you try to commit the configuration, the commit will fail.
The shutdown-threshold configuration statement enables you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the specified interface is disabled. The shutdown threshold must be greater than or equal to the drop threshold. You can specify a drop threshold without specifying a shutdown threshold, and you can specify a shutdown threshold without specifying a drop threshold. If you do not specify these thresholds, then no thresholds are enforced. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors.
In this example, we will configure both a drop threshold and a shutdown threshold to show how this is done.
If L2PT-encapsulated packets are received on an access interface, the switch reacts as it does when there is a loop between the service provider network and the customer network and shuts down (disables) the access interface.
Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command or else the interface will remain disabled.
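
The threshold rules above (no defaults, and a drop threshold that must not exceed the shutdown threshold) can be checked before a commit. The following Python lint is an added example, not Juniper code: the function names are hypothetical, the customer-2 and customer-3 lines are constructed sample input, and `action_at_rate` is a simplified per-second model of the behavior this section describes.

```python
"""Added lint for non-ELS L2PT threshold statements; not Juniper code."""
import re

STMT = re.compile(
    r"^set vlans (?P<vlan>\S+) dot1q-tunneling layer2-protocol-tunneling "
    r"(?P<proto>\S+)(?: (?P<kind>drop|shutdown)-threshold (?P<value>\d+))?$"
)
# Dashes that word processors and rendered pages substitute for "-".
TYPO_DASHES = {ord(c): "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"}


def audit(config_text):
    """Return a list of findings for 'set vlans ... layer2-protocol-tunneling' lines."""
    findings, l2pt = [], {}
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = re.sub(r"^\S+@\S+[#>] ", "", " ".join(raw.split()))  # drop a CLI prompt
        fixed = line.translate(TYPO_DASHES)
        if fixed != line:
            findings.append(f"line {number}: typographic dash in statement")
        match = STMT.match(fixed)
        if not match:
            continue
        key = (match["vlan"], match["proto"])
        entry = l2pt.setdefault(key, {"drop": None, "shutdown": None})
        if match["kind"]:
            entry[match["kind"]] = int(match["value"])
    for (vlan, proto), t in sorted(l2pt.items()):
        drop, shutdown = t["drop"], t["shutdown"]
        if drop is None and shutdown is None:
            findings.append(f"{vlan}/{proto}: no drop-threshold or shutdown-threshold; "
                            "PDUs are tunneled at any rate")
        elif drop is not None and shutdown is not None and drop > shutdown:
            findings.append(f"{vlan}/{proto}: drop-threshold {drop} exceeds "
                            f"shutdown-threshold {shutdown}; commit will fail")
    return findings


def action_at_rate(pdus_per_second, drop=None, shutdown=None):
    """Simplified model: what the switch does with one second of tunneled PDUs."""
    if shutdown is not None and pdus_per_second > shutdown:
        return "shutdown"        # interface disabled until the error is cleared
    if drop is not None and pdus_per_second > drop:
        return "drop-excess"     # PDUs above the drop threshold are discarded
    return "tunnel"


# Constructed sample input; the customer-1 lines mirror this example's configuration.
SAMPLE_CONFIG = "\n".join([
    "set vlans customer-1 dot1q-tunneling",
    "set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp",
    "set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50",
    "set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100",
    "set vlans customer-2 dot1q-tunneling layer2-protocol-tunneling all",
    "set vlans customer-3 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 200",
    "set vlans customer-3 dot1q-tunneling layer2\u2013protocol-tunneling stp shutdown-threshold 100",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    for rate in (40, 75, 150):
        print(rate, "PDUs/s with 50/100 ->", action_at_rate(rate, drop=50, shutdown=100))
```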
Configuration
To configure L2PT, perform these tasks:
CLI Quick Configuration
To quickly configure L2PT, copy the following commands and paste them into the switch terminal window of each PE device (in Figure 2, Switch A and Switch D are the PE devices):
[edit]
set vlans customer-1 dot1q-tunneling
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
Step-by-Step Procedure
To configure L2PT, perform these tasks on each PE device (in Figure 2, Switch A and Switch D are the PE devices):
- Enable Q-in-Q tunneling on VLAN customer-1:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling
- Enable L2PT for STP on VLAN customer-1:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
- Configure the drop threshold as 50:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
- Configure the shutdown threshold as 100:
[edit]
user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
Results
Check the results of the configuration:
Verification
To verify that L2PT is working correctly, perform this task:
Verify That L2PT Is Working Correctly
Purpose
Verify that Q-in-Q tunneling and L2PT are enabled.
Action
Check to see that Q-in-Q tunneling and L2PT are enabled on each PE device (Switch A and Switch D are the PE devices):
user@switchA> show vlans extensive customer-1
VLAN: customer-1, Created at: Thu Jun 25 05:07:38 2009
802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Layer2 Protocol Tunneling status: Enabled
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 0 (Active = 0), Untagged 3 (Active = 0)
  ge-0/0/7.0, untagged, access
  ge-0/0/8.0, untagged, access
  ge-0/0/9.0, untagged, access
Check to see that L2PT is tunneling STP on VLAN customer-1 and that drop-threshold and shutdown-threshold have been configured:
user@switchA> show ethernet-switching layer2-protocol-tunneling vlan customer-1
Layer2 Protocol Tunneling VLAN information:
VLAN         Protocol   Drop        Shutdown
                        Threshold   Threshold
customer-1   stp        50          100
Check the state of the interfaces on which L2PT has been enabled, including what kind of operation (encapsulation or decapsulation) they are performing:
Layer2 Protocol Tunneling information:
Interface    Operation       State      Description
ge-0/0/0.0   Encapsulation   Shutdown   Shutdown threshold exceeded
ge-0/0/1.0   Decapsulation   Shutdown   Loop detected
ge-0/0/2.0   Decapsulation   Active
Meaning
The show vlans extensive customer-1 command shows that Q-in-Q tunneling and L2PT have been enabled. The show ethernet-switching layer2-protocol-tunneling vlan customer-1 command shows that L2PT is tunneling STP on VLAN customer-1, the drop threshold is set to 50, and the shutdown threshold is set to 100. The show ethernet-switching layer2-protocol-tunneling interface command shows the type of operation being performed on each interface, the state of each interface and, if the state is Shutdown, the reason why the interface is shut down.