Layer 2 Protocol Tunneling
Layer 2 protocol tunneling (L2PT) is achieved by encapsulating the PDUs at the ingress PE
device before transmitting them over the service provider network. The encapsulation prevents the
PDUs from being processed by the switches in the SP network. At the egress PE device, the
encapsulated packets are de-encapsulated, and transmitted to the CE device.
The encapsulation used for different types of networks is as follows:
- VLAN/VMAN – The Destination Address (DA)
MAC of the Layer 2 PDU is changed to the L2PT DA MAC. The switch shall also add any VLAN tags
that may be required to the Layer 2 PDU before transmitting over the SP network.
- VPLS/VPWS – The DA MAC of the Layer 2 PDU is changed to L2PT DA MAC. The
Layer 2 PDU is then treated like any other data packet by the MPLS
stack. The MPLS stack shall add the labels and L2 headers as per its configuration to the Layer
2 PDU before transmitting over the SP network.
- VXLAN – The DA MAC of the Layer 2 PDU is changed to L2PT DA MAC at the ingress
remote tunnel end-point (RTEP). The modified packet is then encapsulated into a VXLAN packet
and sent over the network. At the egress RTEP, the packet is lifted to the CPU for L2PT
processing. After VXLAN decapsulation, the DA MAC is changed from L2PT MAC to the protocol MAC
and is sent on the access ports of the tenant VLAN.
Tunneling is configured on a service by specifying a tunneling action for each interface of the
service. The possible actions are:
- Tunnel – Configuring an interface of a service to tunnel for a protocol
enables the interface to tunnel PDUs of the configured protocol that are received by the
underlying port of the interface. Any PDUs that are received in their native format are tunneled
instead of being processed locally by the switch. Any PDUs of the protocol that are received in
their encapsulated format are dropped by the switch (receiving an encapsulated packet on an
interface configured to tunnel is considered proof of network misconfiguration, or loops).
- Encapsulate/Decapsulate – Configuring an interface of a service to encapsulate or
de-encapsulate for a protocol enables the interface to transmit and receive PDUs of that
protocol in its encapsulated format. Native PDUs of the protocol may still be received by the
underlying port of the interface, but they will not be tunneled and instead are processed
locally by the switch.
- None – Configuring an interface of a service to none for a protocol marks
the interface as not participating in tunneling for that protocol. Native PDUs of the protocol
that are received on the underlying port of the interface shall either be processed locally by
the switch or be tunneled by another service which is configured to tunnel that protocol.
Encapsulated PDUs that are received on the interface are treated like any other L2 packet.
An operator can specify a CoS value for the tunneled PDUs. This can be useful since some L2
protocols may have a higher priority than others (for example, STP may be considered higher
priority than LLDP). If a CoS value is specified for a protocol for which tunneling is enabled,
the switch will transmit the encapsulated PDUs for that protocol with the operator-specified CoS
towards the network. The CoS value specified by the operator is transmitted on the SP network as
follows:
- VLAN/VMAN – The CoS value is written to the
PRI bits of the outermost VLAN tag if available.
- VPLS/VPWS – The CoS value is written to the
EXP bits of the outermost MPLS label.
- VXLAN – The CoS value configured on the profile attached to the access port is
written to the PRI bits of the outer VLAN header of the VXLAN encapsulated frames before
transmitting them to other RTEPs.
Because VXLAN tunneled packets cross L3 boundaries in the underlay network, the CoS value can
be lost in transit. An operator may choose to configure a Differentiated
Services Code Point (DSCP) value to be set in the outer IP header of the encapsulated
packets. If the packet encapsulated into the VXLAN tunnel is an IP packet, the DSCP from the inner
IP header is typically copied to the DSCP of the outer IP header. A configuration option is
provided to overwrite this outer DSCP value. In the case of L2 protocols (which do not have an
inner DSCP), the configured DSCP value is set in the outer IP header.
The action taken by the switch for PDUs of a protocol is as described in the following table.
Table 1. L2 PDU Actions
| Ingress Action | Egress Action | Switch Action |
|---|---|---|
| None or Encap/Decap | NA | Process locally |
| Tunnel | None | Discard PDU at egress |
| Tunnel | Tunnel | Tx PDU natively |
| Tunnel | Encap/Decap | Tx PDU encapsulated |
The action taken by the switch for encapsulated PDUs for a protocol is as described in the
following table.
Table 2. L2 Encapsulated PDU Actions
| Service has at least one I/F with tunnel action | Ingress Action | Egress Action | Switch Action |
|---|---|---|---|
| No | None or Encap/Decap | None or Encap/Decap | Forward |
| Yes | None or Tunnel | NA | Discard packet at ingress |
| Yes | Encap/Decap | None | Discard packet at egress |
| Yes | Encap/Decap | Tunnel | Tx PDU natively |
| Yes | Encap/Decap | Encap/Decap | Tx PDU encapsulated |
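
The two action tables combined with the VLAN/VMAN encapsulation rule (DA MAC rewrite plus CoS in the PRI bits of the outermost tag), modeled in Python as an added example that is not vendor code. The L2PT DA MAC is a constructed placeholder because this page does not give its value; the interface names, action strings and function names are illustrative assumptions.

```python
import struct

# Protocol DA MACs: IEEE 802.1D STP and IEEE 802.1AB LLDP (nearest bridge).
PROTO_MAC = {"stp": bytes.fromhex("0180c2000000"), "lldp": bytes.fromhex("0180c200000e")}
L2PT_MAC = bytes.fromhex("030000000001")  # constructed placeholder, not the real L2PT DA MAC
BY_EGRESS = {"none": "discard-egress", "tunnel": "tx-native", "encap": "tx-encap"}

def switch_action(service, ingress_if, egress_if, encapsulated):
    """Tables 1 and 2: service maps interface name -> 'tunnel' | 'encap' | 'none'."""
    ing, egr = service[ingress_if], service[egress_if]
    if not encapsulated:                      # Table 1: native PDU
        return BY_EGRESS[egr] if ing == "tunnel" else "process-locally"
    if "tunnel" not in service.values():      # Table 2, first row
        return "forward"
    return BY_EGRESS[egr] if ing == "encap" else "discard-ingress"

def rewrite(frame, proto, encap, cos=None):
    """VLAN/VMAN case: swap the DA MAC; on encap, write CoS into the outer tag's PRI bits."""
    out = bytearray(frame)
    out[0:6] = L2PT_MAC if encap else PROTO_MAC[proto]
    tpid, tci = struct.unpack_from("!HH", out, 12)
    if encap and cos is not None and tpid in (0x8100, 0x88A8):  # outer tag present
        struct.pack_into("!H", out, 14, (cos << 13) | (tci & 0x1FFF))
    return bytes(out)

def handle(service, ingress_if, frame, proto, cos=None):
    """Return {egress_if: (action, frame_or_None)} for one received PDU."""
    encapsulated = frame[:6] == L2PT_MAC
    result = {}
    for egress_if in service:
        if egress_if == ingress_if:
            continue
        action = switch_action(service, ingress_if, egress_if, encapsulated)
        if action == "tx-encap":
            out = rewrite(frame, proto, True, cos)
        elif action == "tx-native":
            out = rewrite(frame, proto, False)
        else:
            out = frame if action == "forward" else None
        result[egress_if] = (action, out)
    return result

# Constructed sample: LLDP PDU tagged with VLAN 100, PRI 0.
LLDP = PROTO_MAC["lldp"] + bytes.fromhex("020000000001" "81000064" "88cc") + b"\x00" * 46
SERVICE = {"ce1": "tunnel", "nni": "encap", "ce2": "none"}
```

Feeding the encapsulated output back into an interface set to tunnel returns `discard-ingress` for every egress interface, which is the misconfiguration or loop case described for the Tunnel action.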