Layer 2 Protocol Tunneling

 

Understanding Layer 2 Protocol Tunneling

Juniper Networks Ethernet switches and routers use Layer 2 protocol tunneling (L2PT) to send Layer 2 protocol data units (PDUs) across the network and deliver them to devices that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

You can also use L2PT to tunnel protocols between two locally-connected user-to-network interfaces (UNIs) in the same broadcast domain, but in that case, the device floods protocol packets in the VLAN instead of rewriting the packets with the tunnel MAC address.

See Feature Explorer for the list of devices that support L2PT.

Benefits of Layer 2 Protocol Tunneling

  • Enables you to run supported Layer 2 protocols in a tunnel across a service provider network to remote sites.

  • Provides a single spanning-tree protocol domain for subscribers across a service provider network.

How Layer 2 Protocol Tunneling Works

L2PT works by encapsulating Layer 2 PDUs, tunneling them across a service provider network, and decapsulating them for delivery to their destination switches. The ingress service provider edge (PE) device encapsulates Layer 2 PDUs by rewriting the PDUs’ destination media access control (MAC) addresses before forwarding them onto the service provider network. The devices in the service provider network treat these encapsulated PDUs as multicast Ethernet packets. Upon receipt of these PDUs, the egress PE devices decapsulate them by replacing the destination MAC addresses with the address of the Layer 2 protocol that is being tunneled before forwarding the PDUs to their destination devices.

When a PE port configured for Layer 2 protocol tunneling receives a control packet for a supported Layer 2 protocol, the PE device rewrites the multicast destination MAC address with the predefined multicast tunnel MAC address 01:00:0C:CD:CD:D0. The PE device then sends the modified packet onto the provider network. The packet travels transparently across the service provider network with the tunnel MAC address. All devices on the provider network treat these packets as multicast Ethernet packets and deliver them to all PE devices for the customer. The egress PE devices receive all the control PDUs with the tunnel MAC address, identify the packet type by doing deeper packet inspection, and replace the destination MAC address with the appropriate destination MAC address. The egress PE devices send out the modified PDUs to the customer PE devices, and the original MAC address is restored when the packets reach the destination ports.

The L2PT protocol is valid for all types of packets, such as untagged, tagged, and Q-in-Q tagged packets.

If a PE device receives a packet on a tunnel interface that already has a destination MAC address of 01:00:0C:CD:CD:D0, the device puts the port into an error state and shuts down the port. You can clear this error condition on an interface using the CLI by entering the clear error mac-rewrite interface interface-name command on the following devices that support L2PT:

  • MX Series and ACX Series routers

  • EX Series switches that use Enhanced Layer 2 Software (ELS)—EX2300, EX3400, EX4300, EX4600, EX4650, and EX9200 switches

  • QFX Series switches

Figure 1 illustrates an example of the L2PT process with EX Series switches in a service provider network that are configured to tunnel LLDP packets on a service VLAN with Q-in-Q tunneling enabled.

Figure 1: L2PT LLDP Example
  1. Customer Switch D sends an LLDP PDU to the service provider network that is ultimately intended for the other switches in the customer network.
  2. The receiving provider switch rewrites the LLDP destination MAC address with the L2PT destination MAC address, and sends the frame with the encapsulated LLDP PDU to the other switches in the service provider network.
  3. When the other service provider switches receive the frame, they detect the L2PT destination MAC address, restore the LLDP destination MAC address, and forward it to Customer Switches A, B, and C.
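The rewrite, restore, and error-state behavior described above can be modeled in a short script. This is an added example, not Juniper code: it assumes the egress device identifies the protocol from the EtherType or LLC/SNAP header (values from this page's tables, plus the Cisco SNAP protocol IDs, which are not on the page) and drops tunneled frames it cannot identify; all sample frames are constructed.

```python
import struct

TUNNEL_MAC = bytes.fromhex("01000CCDCDD0")   # L2PT tunnel MAC given on the page
VLAN_TPIDS = {0x8100, 0x88A8}                # 802.1Q and 802.1ad (Q-in-Q) tags

# Ethernet II protocols: EtherType -> protocol destination MAC (page tables)
ETHERTYPE_MAC = {
    0x888E: "0180C2000003",  # 802.1X
    0x8809: "0180C2000002",  # LACP and 802.3ah OAM LFM
    0x88EE: "0180C2000007",  # E-LMI
    0x88CC: "0180C200000E",  # LLDP
    0x88F5: "0180C2000020",  # MMRP
    0x88F6: "0180C2000021",  # MVRP
}
STP_LLC = bytes.fromhex("424203")            # STP/RSTP/MSTP LLC header
SNAP_LLC = bytes.fromhex("AAAA03")           # LLC/SNAP header
CISCO_OUI = bytes.fromhex("00000C")
# Cisco SNAP protocol IDs (assumption: not listed on the page)
SNAP_PID_MAC = {
    0x2000: "01000CCCCCCC",  # CDP
    0x2003: "01000CCCCCCC",  # VTP
    0x0111: "01000CCCCCCC",  # UDLD
    0x010B: "01000CCCCCCD",  # PVST+
}


class MacRewriteError(Exception):
    """A customer-facing port received a frame already carrying the tunnel MAC."""


def protocol_mac(frame):
    """Inspect past the MAC header and return the protocol's own destination
    MAC, or None if the frame is not a recognised control PDU."""
    try:
        off = 12
        (etype,) = struct.unpack_from("!H", frame, off)
        while etype in VLAN_TPIDS:           # skip single or stacked VLAN tags
            off += 4
            (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype >= 0x0600:                  # Ethernet II: field is an EtherType
            mac = ETHERTYPE_MAC.get(etype)
            return bytes.fromhex(mac) if mac else None
        llc = frame[off:off + 3]             # 802.3: field is a length, LLC follows
        if llc == STP_LLC:
            return bytes.fromhex("0180C2000000")
        if llc == SNAP_LLC and frame[off + 3:off + 6] == CISCO_OUI:
            (pid,) = struct.unpack_from("!H", frame, off + 6)
            mac = SNAP_PID_MAC.get(pid)
            return bytes.fromhex(mac) if mac else None
    except struct.error:                     # truncated frame
        pass
    return None


def ingress(frame):
    """Customer-facing side of the ingress PE: rewrite supported control PDUs."""
    dst = frame[:6]
    if dst == TUNNEL_MAC:                    # loop or misconfiguration: error state
        raise MacRewriteError("tunnel MAC received on customer-facing port")
    if dst == protocol_mac(frame):
        return TUNNEL_MAC + frame[6:]
    return frame                             # ordinary traffic is left alone


def egress(frame):
    """Egress PE: restore the protocol MAC before delivery to the customer."""
    if frame[:6] != TUNNEL_MAC:
        return frame
    mac = protocol_mac(frame)
    return mac + frame[6:] if mac else None  # assumption: unidentified PDU is dropped


# Constructed sample frames (not captured traffic)
SRC = bytes.fromhex("020000000001")
QINQ = bytes.fromhex("88A80064" "8100000A")  # S-VLAN 100, C-VLAN 10
LLDP = bytes.fromhex("0180C200000E") + SRC + bytes.fromhex("88CC") + b"\x00" * 46
PVST = (bytes.fromhex("01000CCCCCCD") + SRC + QINQ
        + bytes.fromhex("0032AAAA0300000C010B") + b"\x00" * 42)
DATA = bytes.fromhex("020000000002") + SRC + bytes.fromhex("0800") + b"\x00" * 46

if __name__ == "__main__":
    for name, f in (("LLDP", LLDP), ("PVST+ in Q-in-Q", PVST), ("data", DATA)):
        tunneled = ingress(f)
        print(name, tunneled[:6].hex(":"), "->", egress(tunneled)[:6].hex(":"))
    try:
        ingress(ingress(LLDP))               # tunneled frame arrives on a UNI
    except MacRewriteError as err:
        print("port error state:", err)
```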

MX Series Router Support for Layer 2 Protocol Tunneling

MX Series routers support tunneling the following Layer 2 PDUs:

  • Cisco Discovery Protocol (CDP)—MAC address 01:00:0C:CC:CC:CC

  • Per-VLAN Spanning Tree Protocol (PVSTP)—MAC address 01:00:0C:CC:CC:CD

  • Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)—MAC address 01:80:C2:00:00:00

  • VLAN Trunking Protocol (VTP)—MAC address 01:00:0C:CC:CC:CC

You can configure L2PT on an interface using the mac-rewrite CLI command at the [edit protocols layer2-control] hierarchy level.

Layer 2 protocol tunneling is supported on MX Series routers with Enhanced Dense Port Concentrators (DPCs) and Enhanced Queuing DPCs. See Table 2 for a list of the supported DPCs. Layer 2 protocol tunneling is supported on all Modular Port Concentrators (MPCs).

Note

Layer 2 protocol tunneling is not supported on Rev-A DPCs on MX Series routers because of microcode space limitations.

Layer 2 protocol tunneling and MAC rewrite are supported in VPLS, but only certain hardware configurations are supported.

Table 1 shows the MPCs and Enhanced DPCs supported when configuring Layer 2 protocol tunneling and VPLS.

Table 1: MAC Rewrite and VPLS Configurations

| CE-Facing Interface | PE-Core Facing Interface | Layer 2 Protocol Tunneling |
|---|---|---|
| MPC | MPC | Yes |
| MPC | Enhanced DPC | Yes |
| Enhanced DPC | MPC | Yes |
| Enhanced DPC | Enhanced DPC | No |

Table 2 lists the DPCs that support Layer 2 protocol tunneling.

Table 2: DPCs Supported for Layer 2 Protocol Tunneling

| DPC Name | DPC Model Number |
|---|---|
| Gigabit Ethernet | |
| Gigabit Ethernet Enhanced DPC with SFP | DPCE-R-40GE-SFP |
| Gigabit Ethernet Enhanced Ethernet Services DPC with SFP | DPCE-X-40GE-SFP |
| Gigabit Ethernet Enhanced Queuing Ethernet Services DPC with SFP | DPCE-X-Q-40GE-SFP |
| Gigabit Ethernet Enhanced Queuing IP Services DPCs with SFP | DPCE-R-Q-20GE-SFP |
| Gigabit Ethernet Enhanced Queuing IP Services DPCs with SFP | DPCE-R-Q-40GE-SFP |
| 10-Gigabit Ethernet | |
| 10-Gigabit Ethernet Enhanced DPCs with XFP | DPCE-R-2XGE-XFP |
| 10-Gigabit Ethernet Enhanced DPCs with XFP | DPCE-R-4XGE-XFP |
| 10-Gigabit Ethernet Enhanced Ethernet Services DPC with XFP | DPCE-X-4XGE-XFP |
| 10-Gigabit Ethernet Enhanced Queuing Ethernet Services DPC with XFP | DPCE-X-Q-4XGE-XFP |
| 10-Gigabit Ethernet Enhanced Queuing IP Services DPC with XFP | DPCE-R-Q-4XGE-XFP |
| Multi-Rate Ethernet | |
| Multi-Rate Ethernet Enhanced DPC with SFP and XFP | DPCE-R-20GE-2XGE |
| Multi-Rate Ethernet Enhanced Ethernet Services DPC with SFP and XFP | DPCE-X-20GE-2XGE |
| Multi-Rate Ethernet Enhanced Queuing IP Services DPC with SFP and XFP | DPCE-R-Q-20GE-2XGE |
| Tri-Rate Ethernet | |
| Tri-Rate Enhanced DPC | DPCE-R-40GE-TX |
| Tri-Rate Enhanced Ethernet Services DPC | DPCE-X-40GE-TX |

Note

When a device sends a RADIUS access request, the Chargeable-User-Identity parameter is an empty field. For more information about configuring RADIUS, see the Junos Subscriber Access Configuration Guide.

ACX Series Router Support for Layer 2 Protocol Tunneling

On ACX Series routers, you can configure L2PT on an interface using the mac-rewrite CLI command at the [edit protocols layer2-control] hierarchy level.

L2PT on ACX Series routers supports tunneling the Layer 2 PDUs listed in Table 3, with the indicated Ethernet encapsulation type and MAC address:

Table 3: Layer 2 Protocol Tunneling Support on ACX Series Routers

| Protocol | Ethernet Encapsulation | MAC Address |
|---|---|---|
| 802.1X (IEEE 802.1X authentication) | Ether (0x888E) | 01:80:C2:00:00:03 |
| 802.3ah (IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)) | Ether (0x8809) | 01:80:C2:00:00:02 |
| Cisco Discovery Protocol (CDP) | LLC (0xAAAA03) | 01:00:0C:CC:CC:CC |
| Ethernet local management interface (E-LMI) | Ether (0x88EE) | 01:80:C2:00:00:07 |
| Link Aggregation Control Protocol (LACP) | Ether (0x8809) | 01:80:C2:00:00:02 |
| Link Layer Discovery Protocol (LLDP) | Ether (0x88CC) | 01:80:C2:00:00:0E |
| Multiple MAC Registration Protocol (MMRP) | Ether (0x88F5) | 01:80:C2:00:00:20 |
| MVRP VLAN Registration Protocol (MVRP) | Ether (0x88F6) | 01:80:C2:00:00:21 |
| Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) | LLC (0x424203) | 01:80:C2:00:00:00 |
| VLAN Trunking Protocol (VTP) | LLC (0xAAAA03) | 01:00:0C:CC:CC:CC |

EX Series and QFX Series Switch Support for Layer 2 Protocol Tunneling

Table 4 lists the Layer 2 protocols that can be tunneled on QFX Series and EX Series switches. QFX Series and EX Series switches that use the Enhanced Layer 2 Software (ELS) configuration style share the same configuration hierarchy to set up L2PT. The configuration hierarchy is different for EX Series switches that do not support ELS. For details on the configuration options to enable tunneling the supported protocols on each type of switch, and the releases in which those options are supported, see either of the following configuration statements:

  • QFX Series switches and EX Series ELS switches (EX2300, EX3400, EX4300, EX4600, EX4650, and EX9200): protocol statement in the [edit protocols layer2-control mac-rewrite interface interface-name] hierarchy.

  • Non-ELS switches (EX2200, EX3300, EX4200, EX4500, and EX4450): layer2-protocol-tunneling statement in the [edit vlans vlan-name dot1q-tunneling] hierarchy.

All switches that support L2PT can tunnel the listed protocols unless otherwise noted in the second column.

Table 4: L2PT Protocols Supported on EX Series and QFX Series Switches

| Layer 2 Protocol That Can Be Tunneled | Support Notes and Exceptions |
|---|---|
| 802.1X authentication | Not supported on EX2300 multigigabit model switches. |
| 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) | If you enable L2PT for untagged OAM LFM packets, do not configure LFM on the corresponding access interface. |
| Cisco Discovery Protocol (CDP) | You can’t configure CDP on EX Series and QFX Series switches. However, L2PT can tunnel CDP PDUs. |
| Ethernet local management interface (E-LMI) | Not supported on EX2300 multigigabit model switches. |
| Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) | |
| Link Aggregation Control Protocol (LACP) | If you enable L2PT for untagged LACP packets, do not configure Link Aggregation Control Protocol (LACP) on the corresponding access interface. |
| Link Layer Discovery Protocol (LLDP) | |
| Multiple MAC Registration Protocol (MMRP) | Not supported on EX2300 multigigabit model switches. |
| MVRP VLAN Registration Protocol (MVRP) | |
| Per-VLAN Spanning Tree and Per-VLAN Spanning Tree Plus (PVST+) Protocols | Only supported on EX9200 switches. Use this option to enable tunneling VSTP instead of the vstp option. |
| Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) | |
| Unidirectional Link Detection (UDLD) | Not supported on EX2300 multigigabit model switches. You can’t configure UDLD on EX Series and QFX Series switches. However, L2PT can tunnel UDLD PDUs. |
| VLAN Spanning Tree Protocol (VSTP) | EX9200 switches support tunneling VSTP packets but do not have a separate option to enable tunneling VSTP. The option that enables tunneling PVST and PVST+ (pvstp) also enables tunneling VSTP. |
| VLAN Trunking Protocol (VTP) | You can’t configure VTP on EX Series and QFX Series switches. However, L2PT can tunnel VTP PDUs. |

The egress PE switches use the encapsulated MAC address to identify the tunneled Layer 2 control protocol and do the destination MAC address rewrite. Table 5 lists the supported protocols and their corresponding encapsulation types and MAC addresses on EX Series and QFX Series switches:

Table 5: Protocol Destination MAC Addresses

| Protocol | Ethernet Encapsulation | MAC Address |
|---|---|---|
| 802.1X | Ether-II | 01:80:C2:00:00:03 |
| 802.3ah | Ether-II | 01:80:C2:00:00:02 |
| CDP | LLC/SNAP | 01:00:0C:CC:CC:CC |
| E-LMI | Ether-II | 01:80:C2:00:00:07 |
| GVRP | LLC/SNAP | 01:80:C2:00:00:21 |
| LACP | Ether-II | 01:80:C2:00:00:02 |
| LLDP | Ether-II | 01:80:C2:00:00:0E |
| MMRP | Ether-II | 01:80:C2:00:00:20 |
| MVRP | Ether-II | 01:80:C2:00:00:21 |
| PVSTP | LLC/SNAP | 01:00:0C:CC:CC:CD |
| STP, RSTP, MSTP | LLC/SNAP | 01:80:C2:00:00:00 |
| UDLD | LLC/SNAP | 01:00:0C:CC:CC:CC |
| VSTP | LLC/SNAP | 01:00:0C:CC:CC:CD |
| VTP | LLC/SNAP | 01:00:0C:CC:CC:CC |

VLAN and Q-in-Q Tunneling Configuration Requirements for Configuring L2PT on Switches

On switches, you enable L2PT on a per-VLAN basis. When you enable L2PT for a particular Layer 2 protocol on a VLAN, all access interfaces are considered to be customer-facing interfaces and all trunk interfaces are considered to be service provider network-facing interfaces. You cannot configure the specified protocol on the access interfaces. L2PT only acts on logical interfaces with family ethernet-switching. The switch floods L2PT PDUs to all trunk and access ports within a given S-VLAN.

Note

Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If an access interface does receive L2PT-tunneled PDUs, there might be a loop in the network, and the device will shut down the interface.

You must configure and enable Q-in-Q tunneling (802.1Q VLAN encapsulation) before you can configure L2PT. For information about Q-in-Q tunneling on EX9200 switches, see Configuring VLAN Encapsulation and related topics, or for other EX Series and QFX Series switches, see Understanding Q-in-Q Tunneling and VLAN Translation.

For QFX Series and ELS EX Series switches, you configure L2PT using statements in the [edit protocols layer2-control mac-rewrite interface interface-name] hierarchy to enable MAC address rewriting for Layer 2 protocol tunneling for a configured Q-in-Q interface. For details, see Configuring Layer 2 Protocol Tunneling.

For non-ELS EX Series switches, you configure L2PT using statements in the [edit vlans vlan-name dot1q-tunneling] hierarchy, which means Q-in-Q tunneling is (and must be) enabled. For details on configuring L2PT on non-ELS EX Series switches, see Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support.

Note

If the switch receives untagged or priority-tagged Layer 2 control PDUs to be tunneled, then you must configure the switch to map untagged and priority-tagged packets to an L2PT-enabled VLAN. For more information on assigning untagged and priority-tagged packets to VLANs, see Understanding Q-in-Q Tunneling and VLAN Translation and Configuring Q-in-Q Tunneling on EX Series Switches.

Configuring Layer 2 Protocol Tunneling

Note

This topic applies to Junos OS for routers, QFX Series switches, and EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. To configure Layer 2 protocol tunneling (L2PT) on EX Series switches that do not use ELS, see Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.

With Layer 2 protocol tunneling (L2PT) enabled, Juniper Networks Ethernet routers and switches can send Layer 2 protocol data units (PDUs) across the network and deliver them to devices that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

You can also use L2PT to tunnel protocols between two locally-connected user-to-network interfaces (UNIs) in the same broadcast domain, but in that case, the protocol packets are simply flooded in the VLAN instead of being rewritten with the tunnel MAC address.

To configure L2PT, you enable MAC address rewriting for Layer 2 protocol tunneling, which installs the destination multicast tunnel MAC address 01:00:0C:CD:CD:D0 in the MAC table. At the same time, you select the Layer 2 protocol to be tunneled from the list of available options for the type of switch you are configuring (see protocol).

Use the following guidelines when you configure L2PT:

  • Layer 2 protocol tunneling must be configured on the interfaces at both ends of the tunnel.

  • You can enable Layer 2 protocol tunneling for untagged interfaces and single-identifier tagged interfaces only, not for double-identifier tagged interfaces.

    For single-identifier tagged ports, configure a logical interface with the native VLAN identifier. This configuration associates the untagged control packets with a logical interface.

  • MX Series routers must have enhanced queuing Dense Port Concentrators (DPCs) to support Layer 2 protocol tunneling.

  • To configure L2PT on a QFX Series switch or an EX Series switch, you must first configure a Q-in-Q interface or group of interfaces, and configure L2PT on a specified Q-in-Q interface.

Note

When you enable L2PT tunneling for a protocol on one user-to-network interface (UNI) in a bridge domain or VLAN, you should also configure all UNIs in the bridge domain or VLAN to tunnel the same protocol for consistent behavior. In that case, those UNIs can receive non-tunneled packets, and tunneled packets are forwarded through the network-to-network interfaces (NNIs).

  1. To configure L2PT on a specified interface:
    [edit protocols]

    user@device# set layer2-control mac-rewrite interface interface-name protocol protocol-name
    Note

    You can select only one Layer 2 protocol at a time. If you want an interface to support tunneling more than one Layer 2 protocol, you must enter the mac-rewrite statement separately to select each of the protocols you want to tunnel.

    For example, on an EX9200 switch, the following commands configure a UNI (xe-1/1/3) for Q-in-Q tunneling and MAC address rewriting for STP:

    set interfaces xe-1/1/3 flexible-vlan-tagging
    set interfaces xe-1/1/3 encapsulation extended-vlan-bridge
    set interfaces xe-1/1/3 unit 10 encapsulation vlan-bridge
    set interfaces xe-1/1/3 unit 10 vlan-id 10
    set interfaces xe-1/1/3 native-vlan-id 10
    set interfaces xe-1/1/3 unit 10 input-vlan-map push
    set interfaces xe-1/1/3 unit 10 input-vlan-map vlan-id 100
    set interfaces xe-1/1/3 unit 10 output-vlan-map pop
    set protocols layer2-control mac-rewrite interface xe-1/1/3 protocol stp
    set vlans v10 interface xe-1/1/3.10

    On an ELS EX Series switch or a QFX Series switch, the following commands configure a UNI (ge-0/0/0) for Q-in-Q tunneling and MAC address rewriting for STP and LLDP:

    set interfaces ge-0/0/0 flexible-vlan-tagging
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/0 unit 10 vlan-id 10
    set interfaces ge-0/0/0 native-vlan-id 10
    set interfaces ge-0/0/0 unit 10 input-vlan-map push
    set interfaces ge-0/0/0 unit 10 output-vlan-map pop
    set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol stp
    set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lldp
    set vlans v10 interface ge-0/0/0.10

    When configuring L2PT on switches in the case where you want to tunnel protocols to or from two locally-connected UNIs on the same switch, although you still configure the mac-rewrite statement to specify the protocol being tunneled, the switch simply floods the protocol packets within the VLAN instead of rewriting the MAC address. You use the same configuration for both interfaces, and you don’t need to use a loopback cable.

    For example, the following commands configure two UNIs (ge-0/0/0 and ge-0/0/1) in VLAN v20 for Q-in-Q tunneling on a switch, and the two ports on the switch exchange LACP and LLDP packets:

    set vlans v20 vlan-id 20
    set interfaces ge-0/0/0 unit 20 vlan-id 20
    set interfaces ge-0/0/0 unit 20 family ethernet-switching vlan members v20
    set interfaces ge-0/0/0 flexible-vlan-tagging
    set interfaces ge-0/0/0 native-vlan-id 20
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/0 unit 20 input-vlan-map push
    set interfaces ge-0/0/0 unit 20 output-vlan-map pop
    set interfaces ge-0/0/1 unit 20 vlan-id 20
    set interfaces ge-0/0/1 unit 20 family ethernet-switching vlan members v20
    set interfaces ge-0/0/1 flexible-vlan-tagging
    set interfaces ge-0/0/1 native-vlan-id 20
    set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/1 unit 20 input-vlan-map push
    set interfaces ge-0/0/1 unit 20 output-vlan-map pop
    set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lacp
    set protocols layer2-control mac-rewrite interface ge-0/0/0 protocol lldp
    set protocols layer2-control mac-rewrite interface ge-0/0/1 protocol lacp
    set protocols layer2-control mac-rewrite interface ge-0/0/1 protocol lldp
    set vlans v20 interface ge-0/0/0.20
    set vlans v20 interface ge-0/0/1.20

  2. To check the protocols configured for L2PT on an interface, enter the show mac-rewrite interface CLI command with the interface name.

    For example:

    user@device> show mac-rewrite interface ge-0/0/0

    If you don’t specify an interface name, the show mac-rewrite interface command displays all interfaces with L2PT configured.

    For example:

    user@switch> show mac-rewrite interface
  3. To detect and clear an interface configured with L2PT that appears to be blocked due to a MAC rewrite error, see Clearing a MAC Rewrite Error on an Interface with Layer 2 Protocol Tunneling.

Clearing a MAC Rewrite Error on an Interface with Layer 2 Protocol Tunneling

On devices with Layer 2 protocol tunneling (L2PT) configured, customer-facing ports should not receive packets with the L2PT MAC address as the destination address unless you have a network topology or configuration error. Under these conditions, when an interface with L2PT enabled receives an L2PT packet, the interface state becomes disabled due to a MAC rewrite error, and you must subsequently re-enable it to continue operation.

  1. To check whether an interface with L2PT enabled has become disabled due to a MAC rewrite error condition, use the show interfaces operational command:

    If the interface status includes Disabled, Physical link is Down or Enabled, Physical link is Down and the MAC-REWRITE Error field is Detected, then the device detected a MAC rewrite error that contributed to the interface being down. When the device did not detect any MAC rewrite errors, the MAC-REWRITE Error field is None.

    For example, the following output shows the device detected a MAC rewrite error on the given interface:

    user@switch> show interfaces ge-0/0/2
  2. On routers, QFX Series switches, and EX Series switches that use the Enhanced Layer 2 Software configuration style, you can clear a MAC rewrite error from the Junos CLI.

    To clear a MAC rewrite error from an interface that has L2PT enabled, use the clear error mac-rewrite operational command:

Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support

Note

This task applies only to switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

An EX Series switch can use Layer 2 protocol tunneling (L2PT) to send Layer 2 protocol data units (PDUs) across a service provider network and deliver them to EX Series switches at a remote location. This feature is useful when you have a network that includes remote sites that are connected across a service provider network and you want to run Layer 2 protocols on switches connected across the service provider network.

Tunneled Layer 2 PDUs do not normally arrive at a high rate. If the tunneled Layer 2 PDUs do arrive at a high rate, there might be a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs to isolate the problem. You can use the shutdown-threshold statement to do so. However, if you do not want to completely shut down the interface, you can use the drop-threshold statement to configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.

There are no default settings for drop-threshold and shutdown-threshold, so unless you explicitly configure these values, the switch doesn’t enforce any thresholds. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors.

You can specify a drop threshold value without specifying a shutdown threshold value, and you can specify a shutdown threshold value without specifying a drop threshold value. If you specify both threshold values, then the drop threshold value must be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration, the commit will fail.

Note

You can’t configure L2PT and VLAN translation with the mapping statement on the same switch.

Note

If the switch receives untagged Layer 2 control PDUs to be tunneled, then you must configure the switch to map untagged (native) packets to an L2PT-enabled VLAN. Otherwise, the switch discards untagged Layer 2 control PDU packets. For more information, see Understanding Q-in-Q Tunneling and VLAN Translation and Configuring Q-in-Q Tunneling on EX Series Switches.

To configure L2PT on an EX Series switch:

  1. Because L2PT operates under the Q-in-Q tunneling configuration, you must enable Q-in-Q tunneling before you can configure L2PT. Enable Q-in-Q tunneling on VLAN customer-1:
    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling
  2. Enable L2PT for the Layer 2 protocol you want to tunnel, on the VLAN:
    • To enable L2PT for a specific protocol (here, STP):

      [edit]

      user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
    • To enable L2PT for all supported protocols:

      [edit]

      user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling all
  3. (Optional) Configure the drop threshold:

    Note

    If you also configure the shutdown threshold, ensure that you configure the drop threshold value to be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration changes, the commit will fail.

    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
  4. (Optional) Configure the shutdown threshold:

    Note

    If you also configure the drop threshold, ensure that you configure the shutdown threshold value to be greater than or equal to the drop threshold value. If the shutdown threshold value is less than the drop threshold value and you try to commit the configuration changes, the commit will fail.

    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
    Note

    After an interface becomes disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command. Otherwise, the interface remains disabled.
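The threshold rules in this procedure can be checked offline before a commit or across saved configurations. The following is an added example, not a Juniper tool: it parses non-ELS set statements of the form shown above and reports VLAN and protocol pairs that have no thresholds (so no rate is enforced), a drop threshold above the shutdown threshold (the commit fails), or only one of the two. The VLAN names customer-2 to customer-4 and the function and finding names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the non-ELS L2PT statements shown on this page, with or without a
# leading CLI prompt such as "user@switch# ".
STMT = re.compile(
    r"^(?:\S+[#>] )?set vlans (?P<vlan>\S+) dot1q-tunneling "
    r"layer2-protocol-tunneling (?P<proto>\S+)"
    r"(?: (?P<kind>drop-threshold|shutdown-threshold) (?P<value>\d+))?$"
)

# Finding codes (hypothetical names) and what each one means.
MEANING = {
    "no-thresholds": "no rate limit enforced; all tunneled PDUs are forwarded",
    "drop-exceeds-shutdown": "drop threshold > shutdown threshold; commit fails",
    "drop-only": "excess PDUs are dropped but the interface is never disabled",
    "shutdown-only": "interface is disabled at the threshold; nothing is dropped first",
}


def audit_l2pt_thresholds(config_text):
    """Return a sorted list of (vlan, protocol, finding_code) tuples."""
    tunnels = defaultdict(dict)              # (vlan, protocol) -> thresholds
    for raw in config_text.splitlines():
        m = STMT.match(raw.strip())
        if not m:
            continue                         # unrelated statement
        entry = tunnels[(m["vlan"], m["proto"])]
        if m["kind"]:
            entry[m["kind"]] = int(m["value"])

    findings = []
    for (vlan, proto), t in sorted(tunnels.items()):
        drop = t.get("drop-threshold")
        shut = t.get("shutdown-threshold")
        if drop is None and shut is None:
            findings.append((vlan, proto, "no-thresholds"))
        elif drop is None:
            findings.append((vlan, proto, "shutdown-only"))
        elif shut is None:
            findings.append((vlan, proto, "drop-only"))
        elif drop > shut:
            findings.append((vlan, proto, "drop-exceeds-shutdown"))
    return findings


# Constructed sample configuration (customer-1 mirrors the page's example).
SAMPLE = """\
set vlans customer-1 dot1q-tunneling
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
set vlans customer-2 dot1q-tunneling layer2-protocol-tunneling all
set vlans customer-3 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 200
set vlans customer-3 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100
user@switch# set vlans customer-4 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 20
"""

if __name__ == "__main__":
    for vlan, proto, code in audit_l2pt_thresholds(SAMPLE):
        print(f"{vlan} {proto}: {code} ({MEANING[code]})")
```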

Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support

Note

This example uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style.

Layer 2 protocol tunneling (L2PT) enables service providers to send Layer 2 protocol data units (PDUs) across the provider’s cloud and deliver them to EX Series switches that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

Note

You can’t configure both L2PT and VLAN translation (configured with the mapping statement) on the same VLAN. However, you can configure L2PT on one VLAN on a switch and VLAN translation on a different VLAN that doesn’t have L2PT configured.

This example describes how to configure L2PT:

Requirements

This example uses the following hardware and software components:

  • Six EX Series switches, with three each at two customer sites, with one of the switches at each site designated as the provider edge (PE) device

  • Junos OS Release 10.0 or later for EX Series switches

Overview and Topology

L2PT enables you to send Layer 2 PDUs across a service provider network and deliver them to EX Series switches that are not part of the local broadcast domain.

Figure 2 shows a customer network that includes two sites that are connected across a service provider network. Site 1 contains three switches connected in a Layer 2 network, with Switch A designated as a provider edge (PE) device in the service provider network. Site 2 contains a Layer 2 network with a similar topology to that of Site 1, with Switch D designated as a PE device.

Figure 2: L2PT Topology

When you enable L2PT on a VLAN, you also must enable Q-in-Q tunneling. Q-in-Q tunneling ensures that Switches A, B, C, D, E, and F are part of the same broadcast domain.

This example uses STP as the Layer 2 protocol being tunneled, but you could substitute any of the supported protocols for STP. You can also use the all keyword to enable L2PT for all supported Layer 2 protocols.

Tunneled Layer 2 PDUs do not normally arrive at a high rate. If the tunneled Layer 2 PDUs do arrive at a high rate, you might have a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs so that the problem can be isolated. Alternately, if you do not want to completely shut down the interface, you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.

The drop-threshold configuration statement enables you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold must be less than or equal to the shutdown threshold. If the drop threshold is greater than the shutdown threshold and you try to commit the configuration, the commit will fail.

The shutdown-threshold configuration statement enables you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the specified interface is disabled. The shutdown threshold must be greater than or equal to the drop threshold. You can specify a drop threshold without specifying a shutdown threshold, and you can specify a shutdown threshold without specifying a drop threshold. If you do not specify these thresholds, then no thresholds are enforced. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors.

In this example, we will configure both a drop threshold and a shutdown threshold to show how this is done.

If L2PT-encapsulated packets are received on an access interface, the switch reacts as it does when there is a loop between the service provider network and the customer network and shuts down (disables) the access interface.

Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command or else the interface will remain disabled.

Configuration

To configure L2PT, perform these tasks:

CLI Quick Configuration

To quickly configure L2PT, copy the following commands and paste them into the switch terminal window of each PE device (in Figure 2, Switch A and Switch D are the PE devices):

[edit]
set vlans customer-1 dot1q-tunneling
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100

Step-by-Step Procedure

To configure L2PT, perform these tasks on each PE device (in Figure 2, Switch A and Switch D are the PE devices):

  1. Enable Q-in-Q tunneling on VLAN customer-1:
    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling
  2. Enable L2PT for STP on VLAN customer-1:
    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp
  3. Configure the drop threshold as 50:
    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50
  4. Configure the shutdown threshold as 100:
    [edit]

    user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100

Results

Check the results of the configuration:

Verification

To verify that L2PT is working correctly, perform this task:

Verify That L2PT Is Working Correctly

Purpose

Verify that Q-in-Q tunneling and L2PT are enabled.

Action

Check to see that Q-in-Q tunneling and L2PT are enabled on each PE device (Switch A and Switch D are the PE devices):

user@switchA> show vlans extensive customer-1


Check to see that L2PT is tunneling STP on VLAN customer-1 and that drop-threshold and shutdown-threshold have been configured:



Check the state of the interfaces on which L2PT has been enabled, including what kind of operation (encapsulation or decapsulation) they are performing:

Meaning

The show vlans extensive customer-1 command shows that Q-in-Q tunneling and L2PT have been enabled. The show ethernet-switching layer2-protocol-tunneling vlan customer-1 command shows that L2PT is tunneling STP on VLAN customer-1, the drop threshold is set to 50, and the shutdown threshold is set to 100. The show ethernet-switching layer2-protocol-tunneling interface command shows the type of operation being performed on each interface, the state of each interface and, if the state is Shutdown, the reason why the interface is shut down.