Layer 2 Protocol Tunneling

Layer 2 protocol tunneling (L2PT) is achieved by encapsulating the PDUs at the ingress PE device before transmitting them over the service provider network. The encapsulation prevents the PDUs from being processed by the switches in the SP network. At the egress PE device, the encapsulated packets are de-encapsulated, and transmitted to the CE device.

The encapsulation used for different types of networks is as follows:

VLAN/VMAN – The Destination Address (DA) MAC of the Layer 2 PDU is changed to the L2PT DA MAC. The switch shall also add any VLAN tags that may be required to the Layer 2 PDU before transmitting over the SP network.
VPLS/VPWS – The DA MAC of the Layer 2 PDU is changed to L2PT DA MAC. The Layer 2 PDU is then treated like any other data packet by the MPLS stack. The MPLS stack shall add the labels and L2 headers as per its configuration to the Layer 2 PDU before transmitting over the SP network.
VXLAN – The DA MAC of the Layer 2 PDU is changed to L2PT DA MAC at the ingress remote tunnel end-point (RTEP). The modified packet is then encapsulated into a VXLAN packet and sent over the network. At the egress RTEP, the packet is lifted to the CPU for L2PT processing. After VXLAN decapsulation, the DA MAC is changed from L2PT MAC to the protocol MAC and is sent on the access ports of the tenant VLAN.

Tunneling is configured on a service by specifying a tunneling action for each interface of the service. The possible actions are:

Tunnel – Configuring an interface of a service to tunnel for a protocol enables the interface to tunnel PDUs of the configured protocol that are received by the underlying port of the interface. Any PDUs that are received in its native format are tunneled instead of processing locally by the switch. Any PDUs of the protocol that are received in its encapsulated format are dropped by the switch (receiving an encapsulated packet on an interface configured to tunnel is considered proof of network misconfiguration, or loops).
Encapsulate/Decapsulate – Configuring an interface of a service to encapsulate or de-encapsulate for a protocol enables the interface to transmit and receive PDUs of that protocol in its encapsulated format. Native PDUs of the protocol may still be received by the underlying port of the interface, but they will not be tunneled and instead are processed locally by the switch.
None – Configuring an interface of a service to none for protocol marks the interface as not participating in tunneling for that protocol. Native PDUs of the protocol that are received on the underlying port of the interface shall either be processed locally by the switch or be tunneled by another service which is configured to tunnel that protocol. Encapsulated PDUs that are received on the interface are treated like any other L2 packet.

An operator can specify a CoS value for the tunneled PDUs. This can be useful since some L2 protocols may have a higher priority than others (for example, STP may be considered higher priority than LLDP). If a CoS value is specified for a protocol for which tunneling is enabled, the switch will transmit the encapsulated PDUs for that protocol with the operator specified CoS towards the network. The CoS value specified by the operator is transmitted on the SP network as follows:

VLAN/VMAN – The CoS value is written to the PRI bits of the outermost VLAN tag if available.
VPLS/VPWS – The CoS value is written to the EXP bits of the outermost MPLS label. The action taken by the switch for PDUs of a protocol is as described in the following table.
VXLAN – The CoS value configured on the profile attached to the access port is written to the PRI bits of the outer VLAN header of the VXLAN encapsulated frames before transmitting them to other RTEPs.

As VXLAN tunneled packets cross L3 boundaries in the underlay network, the CoS can get lost when traversing L3 boundaries. An operator may choose to configure a Differentiated Services Code Point (DSCP) that needs to be set in the outer IP header of the encapsulated packets. If the packet encapsulated into the VXLAN tunnel is an IP packet, the DSCP from inner IP header is typically copied to DSCP of the outer IP header. A configuration option is provided to overwrite this outer DSCP value. In case of L2 protocols (which do not have an inner DSCP), the configured DSCP value is set in the outer IP header.

Table 1. L2 PDU Actions
Ingress Action	Egress Action	Switch Action
None or Encap/Decap	NA	Process locally
Tunnel	None	Discard PDU at egress
Tunnel	Tunnel	Tx PDU natively
Tunnel	Encap/Decap	Tx PDU encapsulated

The action taken by the switch for encapsulated PDUs for a protocol is as described in the following table.

Table 2. L2 Encapsulated PDU Actions
Service has at least one I/F with tunnel action	Ingress Action	Egress Action	Switch Action
No	None or Encap/Decap	None or Encap/Decap	Forward
Yes	None or Tunnel	NA	Discard packet at ingress
Yes	Encap/Decap	None	Discard packet at egress
Yes	Encap/Decap	Tunnel	Tx PDU natively
Yes	Encap/Decap	Encap/Decap	Tx PDU encapsulated

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Layer 2 Protocol Tunneling