Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure L2PT over VXLAN Tunnels

Configure L2PT over VXLAN on EVPN-VXLAN bridged overlay (BO) network leaf devices to transparently forward L2 protocol traffic over the VXLAN tunnels in the network.

Overview

When you enable L2PT over VXLAN on an access interface for a Layer 2 (L2) protocol, the leaf device doesn't process Bridge Protocol Data Units (BPDUs) coming in on the interface for that protocol. The local device simply encapsulates the protocol BPDUs and floods the packets in the broadcast domain (VLAN) on the corresponding VXLAN tunnels to the remote VXLAN tunnel endpoints (VTEPs) in the network. The remote VTEP leaf devices de-encapsulate the protocol traffic and forward the traffic to the receiving hosts in the VLAN.

Topology

In this example, we have an EVPN-VXLAN bridged overlay fabric with VXLAN tunnels configured between all of the leaf devices. See Figure 1.

  • Host B on VLAN-1 is the source for the protocol control traffic that should pass transparently to other hosts in VLAN-1 through the EVPN-VXLAN BO network using L2PT over VXLAN.

  • Host B is behind customer edge (CE) device TOR 1.

  • TOR 1 is multihomed to Leaf 1 and Leaf 2, so TOR 1 will load-balance (LB) the incoming traffic between those two leaf devices.

  • On Leaf 1 and Leaf 2, we use aggregated Ethernet interface ae5 as the access interface toward TOR 1 and Host B on which we enable L2PT over VXLAN.

Figure 1: L2PT Over VXLAN Tunnels Topology L2PT Over VXLAN Tunnels Topology

How L2PT over VXLAN Works

Figure 1 shows L2PT over VXLAN in action as follows:

  1. When protocol control traffic from Host B on VLAN-1 arrives at TOR 1, TOR 1 load-balances the traffic between Leaf 1 and Leaf 2. In this case, TOR 1 sends the traffic to the access-side interface on Leaf 2 that has L2PT over VXLAN enabled (ae5).

  2. Leaf 2 doesn't process the protocol control traffic, but encapsulates it and transparently floods it to all the VXLAN tunnels on VLAN-1 toward its neighboring leaf devices (Leaf 1, Leaf 3, and Leaf 4).

  3. The destination leaf devices de-encapsulate the protocol traffic and forward the traffic toward their hosts on VLAN-1 (Host A and Host E). The leaf devices don't forward the de-encapsulated traffic toward the hosts on VLAN-2 (Host C and Host D).

    For multihomed destinations, the multihoming peer leaf device that is the designated forwarder (DF) for the Ethernet segment (ES) forwards the traffic toward the destination host. In this case, on Leaf 4, ae4 is the DF for multihomed TOR 3. so Leaf 4 forwards the traffic toward Host E on VLAN-1. Leaf 3 receives the flooded traffic from the VXLAN tunnel on VLAN-1, but because it isn't the DF for TOR 3, it doesn't forward the de-encapsulated traffic toward TOR 3 and Host E.

We show enabling L2PT over VXLAN on the access-side interfaces of the leaf devices that are connected to the protocol traffic source, Leaf 1 and Leaf 2. If the destination hosts need to transparently return protocol traffic, you must enable L2PT over VXLAN on the access interfaces of the leaf devices that are connected to those hosts as well.

The ingress leaf device broadcasts tagged packets for the configured protocols to each VXLAN tunnel on the incoming packet’s VLAN, in this case, VLAN-1. If the incoming protocol BPDU is untagged, the device uses the native VLAN to flood the traffic to the VTEP interfaces on the device. As a result, you must configure a native VLAN ID for this feature to also work for untagged traffic.

Keep the following items in mind when you plan to use L2PT over VXLAN, which you configure using statements at the [edit protocols layer2-control l2pt interface] hierarchy level:

  • You can't configure an interface to process protocol traffic and also transparently forward traffic over VXLAN tunnels for the same protocol. For example, you can't configure the device to process control BPDUs coming in on interface xe-0/0/1 for a protocol such as Link Layer Discovery Protocol (LLDP):

    And also configure the device to transparently forward LLDP control BPDUs over the VXLAN tunnels when those BPDUs come in on the same interface:

  • You can't configure the regular L2PT MAC rewrite feature (see mac-rewrite) and the L2PT over VXLAN feature on the same interface. For example, for LLDP control BPDUs coming in on interface xe-0/0/1, you can't configure:

    and also configure L2PT over VXLAN for LLDP on the same interface:

  • The available protocol options might differ on different platforms. See Layer 2 Protocol Tunneling over VXLAN Tunnels in EVPN-VXLAN Bridged Overlay Networks for details. For example, some platforms transparently tunnel certain protocols by default (such as STP and other xSTP protocols). Those platforms don’t have L2PT protocol options to explicitly configure those protocols for L2PT over VXLAN.

  • Some supported protocols share the same destination MAC address. When you enable L2PT over VXLAN for a protocol, the device transparently forwards BPDUs for all supported protocols that have the same destination MAC address.

  • You must configure the same protocol options symmetrically on leaf devices that are multihoming peers for the BPDU source device, because either peer device might receive the traffic from the source.

Before You Begin

Set up the EVPN-VXLAN bridged overlay fabric with VXLAN tunnels between the leaf devices as shown in Figure 1. See Bridged Overlay Design and Implementation for an example.

Configure L2PT over VXLAN Tunnels on Leaf Device Access Interfaces

Configure the same steps on access interface ae5 on both Leaf 1 and Leaf 2.
  1. Configure a native VLAN ID for untagged L2 protocol BPDUs, with interface ae5 as a member:
  2. Enable L2PT over VXLAN on ae5:
  3. Configure the protocols you want to be transparently forwarded over the VXLAN tunnels in the fabric.

    In this case we configure Multiple MAC Registration Protocol (MMRP), Multiple VLAN Registration Protocol (MVRP), and Ethernet Local Management Interface (E-LMI) protocol using the corresponding options. See l2pt (Destination Tunnels) for a list of the supported protocol options.

    Configure each protocol you want to tunnel using individual set commands as follows:

    You should configure the same protocol options symmetrically on leaf devices that are multihoming peers for a protocol BPDU source, because either peer device might receive the traffic from the source.

  4. Commit the configuration:

    Leaf 1:

    Leaf 2:

    Note:

    You can't configure L2PT over VXLAN for a protocol on an interface that already has the same protocol configured for the interface.

    For example, if you already configured interface ae5 for LLDP and you try to commit an L2PT over VXLAN configuration for LLDP on ae5, the commit fails with an error message such as the following:

  5. Check the configuration for L2PT over VXLAN on the ae5 interface on Leaf 1 and Leaf 2:

    Leaf 1:

    Leaf 2:

  6. Use the show l2pt interface CLI command to verify the interfaces and protocols for which L2PT over VXLAN tunnels is enabled, as follows:

    Leaf 1:

    Leaf 2:

    Use host-specific monitoring tools to validate that the protocol BPDUs the source host sends are being transparently received by the remote host devices across the VXLAN tunnels.

Related Documentation