
    Understanding Layer 2 Protocol Tunneling

    Layer 2 protocol tunneling (L2PT) allows service providers or data centers to send customer Layer 2 protocol data units (PDUs) across a cloud. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

    For example, a customer might want to run STP between remote sites that are connected by a service provider network. In this case, the STP PDUs sent by the customer equipment must be tunneled through the service provider network. Otherwise, the customer STP PDUs would be processed by the STP protocol running on the service provider switches.

    Note: Layer 2 protocol tunneling is not supported on QFabric systems.

    Layer 2 Protocols Supported by L2PT

    L2PT supports the following Layer 2 protocols:

    • 802.1X authentication
    • 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)

      Note: If you enable L2PT for untagged OAM LFM (Operation, Administration, and Maintenance of link fault management) packets, do not configure link fault management (LFM) on the corresponding access interface.

    • Cisco Discovery Protocol (CDP)
    • Ethernet local management interface (E-LMI)
    • MVRP VLAN Registration Protocol (MVRP)
    • Link Aggregation Control Protocol (LACP)

      Note: If you enable L2PT for untagged LACP packets, do not configure Link Aggregation Control Protocol (LACP) on the corresponding access interface.

    • Link Layer Discovery Protocol (LLDP)
    • Multiple MAC Registration Protocol (MMRP)
    • Multiple VLAN Registration Protocol (MVRP)
    • Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)
    • Unidirectional Link Detection (UDLD)
    • VLAN Spanning Tree Protocol (VSTP)
    • VLAN Trunking Protocol (VTP)

    Note: You cannot configure all of these protocols on QFX Series devices. However, you can tunnel all of them through a QFX Series switch using L2PT.

    How L2PT Works

    L2PT works by encapsulating Layer 2 PDUs, tunneling them across a service provider network, and de-encapsulating them for delivery to their destination switches. L2PT encapsulates Layer 2 PDUs by enabling the ingress provider edge (PE) device to rewrite the PDUs’ destination media access control (DMAC) addresses before forwarding them onto the service provider network. The devices in the service provider network treat these encapsulated PDUs as multicast Ethernet packets. Upon receipt of these PDUs, the egress PE devices de-encapsulate them by replacing the DMAC addresses with the addresses of the Layer 2 protocol that is being tunneled before forwarding the PDUs to their destination switches.

    This process is illustrated in Figure 1:

    Figure 1: L2PT Example

    1. Customer Switch D sends to the service provider network an LLDP PDU that is ultimately intended for the other switches in the customer network.
    2. The receiving provider switch adds the L2PT DMAC and sends the frame with the encapsulated LLDP PDU to the other switches in the service provider network.
    3. When the other service provider switches receive the frame, they restore the LLDP DMAC and send it to Customer Switches A, B, and C.

    Table 1 lists the destination MAC addresses of the supported Layer 2 protocols:

    Table 1: Protocol Destination MAC Addresses

    | Protocol | Ethernet Encapsulation | MAC Address |
    |---|---|---|
    | 802.1X | Ether-II | 01:80:C2:00:00:03 |
    | 802.3ah | Ether-II | 01:80:C2:00:00:02 |
    | Cisco Discovery Protocol (CDP) | SNAP | 01:00:0C:CC:CC:CC |
    | Ethernet local management interface (E-LMI) | Ether-II | 01:80:C2:00:00:07 |
    | MVRP VLAN Registration Protocol (MVRP) | Ether-II | 01:80:C2:00:00:21 |
    | Link Aggregation Control Protocol (LACP) | Ether-II | 01:80:C2:00:00:02 |
    | Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) | LLC | 01:80:C2:00:00:00 |
    | Link Layer Discovery Protocol (LLDP) | Ether-II | 01:80:C2:00:00:0E |
    | Multiple MAC Registration Protocol (MMRP) | Ether-II | 01:80:C2:00:00:20 |
    | Unidirectional Link Detection (UDLD) | SNAP | 01:00:0C:CC:CC:CC |
    | VLAN Spanning Tree Protocol (VSTP) | SNAP | 01:00:0C:CC:CC:CD |
    | VLAN Trunking Protocol (VTP) | SNAP | 01:00:0C:CC:CC:CC |

    When a PE device receives a Layer 2 control PDU from any of the customer PE devices, it changes the destination MAC address to 01:00:0C:CD:CD:D0. The modified packet is then sent to the provider network. All devices on the provider network treat these packets as multicast Ethernet packets and deliver them to all PE devices in the VLAN. The egress PE devices receive all the control PDUs with the same MAC address (01:00:0C:CD:CD:D0). Then they identify the packet type by doing deeper packet inspection and replace the destination MAC address 01:00:0C:CD:CD:D0 with the appropriate destination address. The modified PDUs are sent out to the customer PE devices so that the Layer 2 control PDUs are delivered, in their original state, across the provider network. The L2PT protocol is valid for all types of packets (untagged, tagged, and Q-in-Q tagged).
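
    The DMAC rewrite and restore described above can be modeled in a few lines of Python. This is an added example, not Juniper code: the function names, the sample frame, and the EtherType, LLC, and SNAP values used for the "deeper packet inspection" step are assumptions, and only a subset of the Table 1 protocols is covered. The last function is the check behind the access-interface note under L2PT Basics.

```python
L2PT_DMAC = bytes.fromhex("01000ccdcdd0")   # tunnel DMAC stated on this page
TAG_TPIDS = {0x8100, 0x88A8}                # assumed 802.1Q / 802.1ad TPIDs

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

# DMACs are from Table 1; the EtherType, LLC and SNAP values used to
# recognise each protocol are standard values assumed for this sketch.
BY_ETHERTYPE = {0x88CC: mac("01:80:C2:00:00:0E"),   # LLDP
                0x888E: mac("01:80:C2:00:00:03")}   # 802.1X
BY_SNAP_PID = {0x2000: mac("01:00:0C:CC:CC:CC"),    # CDP
               0x2003: mac("01:00:0C:CC:CC:CC"),    # VTP
               0x0111: mac("01:00:0C:CC:CC:CC"),    # UDLD
               0x010B: mac("01:00:0C:CC:CC:CD")}    # VSTP
STP_DMAC = mac("01:80:C2:00:00:00")                 # LLC DSAP/SSAP 0x42

def classify(frame):
    """Return the Table 1 DMAC matching the frame's payload, or None."""
    off = 12                                        # first type/length field
    while len(frame) >= off + 2:
        etype = int.from_bytes(frame[off:off + 2], "big")
        if etype not in TAG_TPIDS:
            break
        off += 4                                    # skip one VLAN tag
    else:
        return None                                 # truncated frame
    if etype >= 0x0600:                             # Ether-II encapsulation
        return BY_ETHERTYPE.get(etype)
    llc = frame[off + 2:off + 10]                   # 802.3 length, then LLC
    if llc[:2] == b"\x42\x42":                      # STP / RSTP / MSTP
        return STP_DMAC
    if len(llc) == 8 and llc[:6] == b"\xaa\xaa\x03\x00\x00\x0c":
        return BY_SNAP_PID.get(int.from_bytes(llc[6:8], "big"))
    return None

def ingress_pe(frame):
    """Rewrite the DMAC of a recognised control PDU to the L2PT DMAC."""
    return L2PT_DMAC + frame[6:] if frame[:6] == classify(frame) else frame

def egress_pe(frame):
    """Restore the protocol's own DMAC on a tunneled PDU."""
    orig = classify(frame) if frame[:6] == L2PT_DMAC else None
    return orig + frame[6:] if orig else frame

def tunneled_pdu_on_access_port(frame):
    """True if a frame seen on an access interface carries the L2PT DMAC."""
    return frame[:6] == L2PT_DMAC

# Constructed sample: an LLDP PDU from a made-up source MAC, zero payload.
SAMPLE_LLDP = mac("01:80:C2:00:00:0E") + mac("00:11:22:33:44:55") + bytes.fromhex("88cc" + "00" * 46)
```
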

    Note: VLAN translation is not compatible with L2PT. (You configure VLAN translation with the mapping swap statement at the [edit vlans interface] hierarchy level.)

    L2PT Basics

    L2PT is enabled on a per-VLAN basis. When you enable L2PT on a VLAN, all access interfaces are considered to be customer-facing interfaces, all trunk interfaces are considered to be service provider network-facing interfaces, and the specified Layer 2 protocol is disabled on the access interfaces. L2PT acts only on logical interfaces of the family ethernet-switching. L2PT PDUs are flooded to all trunk and access ports within a given service VLAN.

    Note: Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If an access interface does receive L2PT-tunneled PDUs, it might mean that there is a loop in the network. As a result, the interface is shut down.

    You configure L2PT at the [edit vlans vlan-name dot1q-tunneling] hierarchy level, meaning Q-in-Q tunneling is (and must be) enabled.

    Note: If you want to tunnel untagged or priority-tagged Layer 2 control PDUs, then you must configure the switch to map untagged and priority-tagged packets to an L2PT-enabled VLAN. For more information about assigning untagged and priority-tagged packets to VLANs, see Understanding Q-in-Q Tunneling and VLAN Translation.

    Published: 2013-11-19