Catalyst 3750 Metro Switch Software Configuration Guide, 12.2(58)SE
Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Download this chapter
Configuring IEEE 802.1Q and Layer 2 Protocol TunnelingConfiguring IEEE 802.1Q and Layer 2 Protocol Tunneling
Download the complete book
Catalyst 3750 Metro Switch Software Configuration Guide, Release 12.2(58)SE Catalyst 3750 Metro Switch Software Configuration Guide, Release 12.2(58)SE (PDF - 8 MB)
 Feedback

Table Of Contents

Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling

Understanding IEEE 802.1Q Tunneling

Configuring IEEE 802.1Q Tunneling

Default IEEE 802.1Q Tunneling Configuration

IEEE 802.1Q Tunneling Configuration Guidelines

Native VLANs

System MTU

IEEE 802.1Q Tunneling and Other Features

Configuring an IEEE 802.1Q Tunneling Port

Configuring VLAN Mapping

Default VLAN Mapping Configuration

Mapping Customer VLANs to Service-Provider VLANs

Mapping Customer IEEE 802.1Q Tunnel VLANs to Service-Provider VLANs

Configuring IEEE 802.1ad

802.1ad Configuration Guidelines

Configuring 802.1ad on EtherChannels

Configuration Example for 802.1ad End-to-End PAgP EtherChannels between CE Devices

Understanding Layer 2 Protocol Tunneling

Configuring Layer 2 Protocol Tunneling

Default Layer 2 Protocol Tunneling Configuration

Layer 2 Protocol Tunneling Configuration Guidelines

Configuring Layer 2 Tunneling

Configuring Layer 2 Tunneling for EtherChannels

Configuring the Service-Provider Edge Switch

Configuring the Customer Switch

Monitoring and Maintaining Tunneling and Mapping Status


Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling

Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks. Tunneling is a feature designed for service providers who carry traffic of multiple customers across their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers. The Catalyst 3750 Metro switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling, as well as VLAN mapping (VLAN-ID translation).

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter contains these sections:

Understanding IEEE 802.1Q Tunneling

Configuring IEEE 802.1Q Tunneling

Configuring VLAN Mapping

Configuring IEEE 802.1ad

Understanding Layer 2 Protocol Tunneling

Configuring Layer 2 Protocol Tunneling

Monitoring and Maintaining Tunneling and Mapping Status

Note For information about VPNs used with multiprotocol label switching (MPLS), see Chapter 44, "Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS."

Understanding IEEE 802.1Q Tunneling

Service-provider business customers often have specific requirements for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required by different customers in the same service-provider network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the VLAN limit (4096) of the IEEE 802.1Q specification.

Using the IEEE 802.1Q tunneling feature, service providers can use a single VLAN to support customers who have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is segregated within the service-provider infrastructure, even when they appear to be on the same VLAN. Using IEEE 802.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN that is dedicated to tunneling. Each customer requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer's VLANs.

Customer traffic tagged in the normal way with appropriate VLAN IDs come from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is an asymmetric link because one end is configured as an IEEE 802.1Q trunk port and the other end is configured as a tunnel port. You assign the tunnel port interface to an access VLAN ID that is unique to each customer. See Figure 15-1.

Figure 15-1 IEEE 802.1Q Tunnel Ports in a Service-Provider Network

Packets coming from the customer trunk port into the tunnel port on the service-provider edge switch are normally IEEE 802.1Q-tagged with the appropriate VLAN ID. The tagged packets remain intact inside the switch and, when they exit the trunk port into the service-provider network, are encapsulated with another layer of an IEEE 802.1Q tag (called the metro tag) that contains the VLAN ID that is unique to the customer. The original IEEE 802.1Q tag from the customer is preserved in the encapsulated packet. Therefore, packets entering the service-provider infrastructure are double-tagged, with the outer tag containing the customer's access VLAN ID, and the inner VLAN ID being the VLAN of the incoming traffic.

When the double-tagged packet enters another trunk port in a service-provider core switch, the outer tag is stripped as the packet is processed inside the switch. When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 15-2 shows the structure of the double-tagged packet.

Figure 15-2 Normal, IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats

When the packet enters the trunk port of the service-provider egress switch, the outer tag is again stripped as the packet is processed internally on the switch. However, the metro tag is not added when it is sent out the tunnel port on the edge switch into the customer network, and the packet is sent as a normal IEEE 802.1Q-tagged frame to preserve the original VLAN numbers in the customer network.

In Figure 15-1, Customer A was assigned VLAN 30, and Customer B was assigned VLAN 40. Packets entering the edge-switch tunnel ports with IEEE 802.1Q tags are double-tagged when they enter the service-provider network, with the outer tag containing VLAN ID 30 or 40, appropriately, and the inner tag containing the original VLAN number, for example, VLAN 100. Even if both Customers A and B have VLAN 100 in their networks, the traffic remains segregated within the service-provider network because the outer tag is different. With IEEE 802.1Q tunneling, each customer controls its own VLAN numbering space, which is independent of the VLAN numbering space used by other customers and the VLAN numbering space used by the service-provider network.

At the outbound tunnel port, the original VLAN numbers on the customer's network are recovered. It is possible to have multiple levels of tunneling and tagging, but the switch supports only one level in this release.

If the traffic coming from a customer network is not tagged (native VLAN frames), these packets are bridged or routed as if they were normal packets. All packets entering the service-provider network through a tunnel port on an edge switch are treated as untagged packets, whether they are untagged or already tagged with IEEE 802.1Q headers. The packets are encapsulated with the metro tag VLAN ID (set to the access VLAN of the tunnel port) when they are sent through the service-provider network on an IEEE 802.1Q trunk port. The priority field on the metro tag is set to the interface class of service (CoS) priority configured on the tunnel port (the default is zero if none is configured).

The switch supports intelligent IEEE 802.1Q tunneling QoS, or the ability to copy the inner CoS value to the outer CoS value. For more information, see the "Configuring the Trust State on Ports Within the QoS Domain" section on page 34-56 and the "Configuring the CoS Value for an Interface" section on page 34-59.

Configuring IEEE 802.1Q Tunneling

This section includes this information about configuring IEEE 802.1Q tunneling:

Default IEEE 802.1Q Tunneling Configuration

IEEE 802.1Q Tunneling Configuration Guidelines

IEEE 802.1Q Tunneling and Other Features

Configuring an IEEE 802.1Q Tunneling Port

Default IEEE 802.1Q Tunneling Configuration

By default, IEEE 802.1Q tunneling is disabled because the default switchport mode is dynamic auto. Tagging of IEEE 802.1Q native VLAN packets on all IEEE 802.1Q trunk ports is also disabled.

IEEE 802.1Q Tunneling Configuration Guidelines

When you configure IEEE 802.1Q tunneling (QinQ), you should always use an asymmetrical link between the customer device and the edge switch, with the customer device port configured as an IEEE 802.1Q trunk port and the edge switch port configured as a tunnel port.

Assign tunnel ports only to VLANs that are used for tunneling.

To allow data to pass between two private VLANs through a tunnel, configure VLAN translation on the ES ports of the edge switches and use the same VLAN ID on the private VLAN ports of the switches.

Configuration requirements for native VLANs and maximum transmission units (MTUs) are explained in the next sections.

Note The switch does not support IPv6 features with any ES-port specific features, such as QinQ trust.

Native VLANs

When configuring IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for sending out packets into the service-provider network. However, packets going through the core of the service-provider network might be carried through IEEE 802.1Q trunks, ISL trunks, or nontrunking links. When IEEE 802.1Q trunks are used in these core switches, the native VLANs of the IEEE 802.1Q trunks must not match any native VLAN of the nontrunking (tunneling) port on the same switch because traffic on the native VLAN would not be tagged on the IEEE 802.1Q transmitting trunk port.

See Figure 15-3. VLAN 40 is configured as the native VLAN for the IEEE 802.1Q trunk port from Customer X at the ingress edge switch in the service-provider network (Switch B). Switch A of Customer X sends a tagged packet on VLAN 30 to the ingress tunnel port of Switch B in the service-provider network, which belongs to access VLAN 40. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the edge switch trunk port (VLAN 40), the metro tag is not added to tagged packets received from the tunnel port. The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.

These are some ways to solve this problem:

Use ISL trunks on standard ports between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.

Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.1Q trunk, including the native VLAN, are tagged. If the switch is configured to tag native VLAN packets on all IEEE 802.1Q trunks, the switch accepts untagged packets, but sends only tagged packets.

Ensure that the native VLAN ID on the edge switch trunk port is not within the customer VLAN range. For example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside that range.

Figure 15-3 Potential Problem with IEEE 802.1Q Tunneling and Native VLANs

System MTU

The default system MTU for traffic on the Catalyst 3750 Metro switch is 1500 bytes. You can configure Fast Ethernet ports to support frames larger than 1500 bytes by using the system mtu global configuration command. You can configure Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command. Because the IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. The maximum allowable system MTU for Gigabit Ethernet interfaces is 9000 bytes; the maximum system MTU for Fast Ethernet interfaces is 1998 bytes.

IEEE 802.1Q Tunneling and Other Features

Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities with some Layer 2 features and with Layer 3 switching.

A tunnel port cannot be a routed port.

IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information. If routing is enabled on the switch virtual interface (SVI) that includes tunnel ports, untagged IP packets received from the tunnel port are recognized and routed by the switch. This allows the customer to access the Internet through its native VLAN. If this access is not required, you should not configure SVIs on VLANs that include tunnel ports.

Fallback bridging is not supported on tunnel ports. Because all IEEE 802.1Q-tagged packets received from a tunnel port are treated as non-IP packets, if fallback bridging is enabled on VLANs that have tunnel ports configured, IP packets would be improperly bridged across VLANs. Therefore, you must not enable fallback bridging on VLANs with tunnel ports.

Tunnel ports do not support IP access control lists (ACLs).

Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS ACLs are supported on tunnel ports.

EtherChannel port groups are compatible with tunnel ports as long as the IEEE 802.1Q configuration is consistent within an EtherChannel port group.

Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link Detection (UDLD) are supported on IEEE 802.1Q tunnel ports.

Dynamic Trunking Protocol (DTP) is not compatible with IEEE 802.1Q tunneling because you must manually configure asymmetric links with tunnel ports and trunk ports.

VLAN Trunking Protocol (VTP) does not work between devices that are connected by an asymmetrical link or devices that communicate through a tunnel.

Loopback detection is supported on IEEE 802.1Q tunnel ports.

When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Layer Link Discovery Protocol (LLDP) are automatically disabled on the interface.

Configuring an IEEE 802.1Q Tunneling Port

Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode and the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 12).

Step 3 

switchport access vlan vlan-id

Specify the default VLAN, which is used if the interface stops trunking. This VLAN ID is specific to the particular customer.

Step 4 

switchport mode dot1q-tunnel

Set the interface as an IEEE 802.1Q tunnel port.

Step 5 

exit

Return to global configuration mode.

Step 6 

vlan dot1q tag native

(Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, if a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets might be sent to the wrong destination.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show dot1q-tunnel

Display the tunnel ports on the switch.

Step 9 

show vlan dot1q tag native

Display IEEE 802.1Q native VLAN tagging status.

Step 10 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no switchport mode dot1q-tunnel interface configuration command to return the port to the default state of dynamic auto. Use the no vlan dot1q tag native global configuration command to disable tagging of native VLAN packets.

This example shows how to configure a port as a tunnel port, enable tagging of native VLAN packets, and verify the configuration. In this configuration, the VLAN ID for the customer connected to Fast Ethernet port 7 is VLAN 22. 

Switch(config)# interface fastethernet1/0/7

Switch(config-if)# switchport access vlan 22

% Access VLAN does not exist. Creating vlan 22

Switch(config-if)# switchport mode dot1q-tunnel

Switch(config-if)# exit

Switch(config)# vlan dot1q tag native

Switch(config)# end

Switch# show dot1q-tunnel interface fastethernet1/0/7

Port

-----

Fa1/0/7

-----	

Switch# show vlan dot1q tag native

dot1q native vlan tagging is enabled

Configuring VLAN Mapping

VLAN mapping, or VLAN ID translation, is a feature that you can configure on the enhanced-services (ES) ports connected to the service-provider network to map the customer VLANs to service-provider VLANs. VLAN mapping acts as a filter on the ES ports without affecting the internal operation of the switch or the customer VLANs. A switch might also have a number of reserved VLANs or have a limited VLAN range. When customers want to use a VLAN number in the reserved range, you can use VLAN mapping to overlap customer VLANs by encapsulating the customer traffic in IEEE 802.1Q tunnels.

With VLAN mapping, the customer VLAN ID in the IEEE 802.1Q tag, or the inner and outer tag in an IEEE 802.1Q tunneled frame, are mapped (or translated) just before a packet is transmitted and just after a packet is received. The service-provider VLANs are not seen by the switch, so all configuration and statistics are done with the customer side-VLANs.

The switch supports three types of VLAN mapping:

One-to-one mapping that maps the customer VLAN ID in the IEEE 802.1Q tag to the service-provider VLAN ID.

Two-to-one mapping that maps IEEE 802.1Q tunneling traffic with outer and the inner VLAN IDs to the service-provider VLAN ID.

Two-to-two mapping that maps IEEE 802.1Q tunneling traffic with outer and the inner VLAN IDs to the service-provider outer and the inner VLAN IDs.

The customer-side IEEE 802.1Q VLAN IDs are used to switch the packet inside the switch. The service-provider VLAN IDs are sent or received on the ES ports.

To configure VLAN translation on a port channel of ES ports, enter the switchport vlan mapping interface configuration command on each of the ES ports. When configuring the translations at the ES ports, ensure that the VLAN translations are identical on both ES ports.

Note Do not configure VLAN mapping on an interface configured for MPLS or EoMPLS.

This section includes this configuration information:

Default VLAN Mapping Configuration

Mapping Customer VLANs to Service-Provider VLANs

Mapping Customer IEEE 802.1Q Tunnel VLANs to Service-Provider VLANs

Default VLAN Mapping Configuration

By default, no VLAN mapping is configured.

Mapping Customer VLANs to Service-Provider VLANs

Figure 15-4 shows a topology where a customer uses the same VLANs in multiple sites at different sides of a service-provider network. You map the customer VLAN IDs to service-provider VLAN IDs for packet travel across the service-provider backbone. The customer VLAN IDs are retrieved at the other side of the service-provider backbone for use in the other customer site. Configure the same set of VLAN mappings at an ES on each side of the service-provider network. See the example following the configuration steps.

Figure 15-4 Example of VLAN Mapping

Beginning in privileged EXEC mode, follow these steps on an ES port to map a customer VLAN ID to a service-provider VLAN ID:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode and the ES interface connected to the service-provider network.

Step 3 

switchport vlan mapping vlan-id translated-id

Enter the VLAN IDs to be mapped:

vlan-id—the customer VLAN ID entering the switch from the customer network. The range is from 1 to 4094.

translated-id—the assigned service-provider VLAN ID. The range is from 1 to 4094.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show vlan mapping

Verify the configuration.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no switchport vlan mapping vlan-id translated-id command to remove the VLAN translation information.

This example shows how to map VLAN IDs 1, 2, 3, 4, and 5 in the customer network to VLANs 2001, 2002, 2003, and 2004 in the service-provider network as shown in Figure 15-4. You configure these same VLAN mapping commands for an ES port in Switch A and Switch B. 

Switch(config)# interface gigabiethernet1/1/1

Switch(config-if)# switchport vlan mapping 1 1001

Switch(config-if)# switchport vlan mapping 2 1002

Switch(config-if)# switchport vlan mapping 3 1003

Switch(config-if)# switchport vlan mapping 4 1004

Switch(config-if)# switchport vlan mapping 5 1005

Switch(config-if)# exit

In the previous example, at the ingress of the service-provider network, VLAN IDs 1, 2, 3, 4, and 5 in the customer network are mapped to VLANs 2001, 2002, 2003, and 2004 in the service-provider network. At the egress of the service-provider network, VLANs 2001, 2002, 2003, and 2004 in the service-provider network are mapped to VLAN IDs 1, 2, 3, 4, and 5 in the customer network.

Mapping Customer IEEE 802.1Q Tunnel VLANs to Service-Provider VLANs

You can also use the switchport vlan mapping interface configuration command with the dot1qtunnel keyword to map IEEE 802.1Q traffic with a specified outer and inner VLAN IDs to specified outer and inner VLAN IDs in the service-provider network. You can use the drop keyword to specify that traffic on a specified outer VLAN ID is dropped unless the specified inner and outer VLAN ID combination is explicitly translated.

Beginning in privileged EXEC mode, follow these steps on an ES port to configure the switch to drop or translate IEEE 802.1Q tagged traffic:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode and the ES interface connected to the service-provider network.

Step 3 

switchport vlan mapping dot1q-tunnel outer-vlan-id {inner-vlan-id translated-vlan-id | drop}

Configure the VLAN mapping as a two-to-one mapping, and specify the action to be taken if the outer VLAN ID of the original IEEE 802.1Q packet matches the specified value:

outer-vlan-id—Enter the outer VLAN ID of the original IEEE 802.1Q packet. The VLAN ID range is from 1 to 4094.

inner-vlan-id translated-vlan-id—Enter the inner VLAN ID of the original IEEE 802.1Q packet and the translated VLAN ID for the service-provider network. The VLAN ID range is from 1 to 4094.

drop—Specify that traffic with the specified outer VLAN ID is dropped unless the inner VLAN ID is matched in the existing VLAN mappings.

Step 4 

switchport vlan mapping internal dot1q-tunnel internal-outer-vlan-id internal-inner-vlan-id external dot1q-tunnel external-outer-vlan-id external-inner-vlan-id

Configure the VLAN mapping as a two-to-two mapping, and specify the outer and inner VLAN IDs to be mapped:

internal-outer-vlan-id—Enter the outer VLAN ID of the original IEEE 802.1Q packet.

internal-inner-vlan-id—Enter the inner VLAN ID of the original IEEE 802.1Q packet.

external-outer-vlan-id—Enter the outer VLAN ID of the service-provider network.

external-inner-vlan-id—Enter the inner VLAN ID of the service-provider network.

The VLAN ID range is from 1 to 4094.

Note The inner VLAN ID of the service-provider network must match that of the original IEEE 802.1Q packet.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show vlan mapping

Verify the configuration.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no switchport vlan mapping dot1qtunnel outer-vlan-id {inner-vlan-id translated-vlan-id | drop} interface configuration command to remove the two-to-one mapping information. Use the switchport vlan mapping internal dot1q-tunnel internal-outer-vlan-id internal-inner-vlan-id external dot1q-tunnel external-outer-vlan-id external-inner-vlan-id interface configuration command to remove the two-to-two mapping information.

This example shows how to configure a two-to-one mapping on the ES port so that IEEE 802.1Q traffic with the outer VLAN ID 5 and the inner VLAN ID 6 would leave the switch with the single VLAN ID of 10. The IEEE 802.1Q traffic with the outer VLAN 5 and any inner VLAN ID other than 6 would be dropped. Other traffic on VLAN 5 would also be dropped: 

Switch(config)# interface gigabiethernet1/1/1

Switch(config-if)# switchport vlan mapping dot1q-tunnel 5 6 10

Switch(config-if)# switchport vlan mapping dot1q-tunnel 5 drop

Switch(config-if)# exit

This example shows how to configure a two-to-two mapping on the ES port so that IEEE 802.1Q traffic with the outer VLAN ID 5 and the inner VLAN ID 6 would leave the switch with the outer VLAN ID 15 and the inner VLAN ID 16: 

Switch(config)# interface gigabitethernet1/1/1

Switch(config-if)# switchport vlan mapping internal dot1q-tunnel 5 6 external dot1q tunnel 
15 6

Configuring IEEE 802.1ad

While QinQ is a Cisco-proprietary system to enable double-tagging to provide VLAN scalability in the provider network, IEEE 802.1ad uses standard protocols for VLAN scalability in provider networks. As with QinQ, data traffic entering from the customer interface is tagged with a service-provider tag. The customer frame crosses the provider network with two tags: the inner tag is the customer tag (C-tag). and the outer tag is the service-provider tag (S-tag). Control packets appear as data inside the provider network.

See this document for a description of IEEE 802.1ad support on Cisco provider bridges with commands:
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_cfm-ieee_802_1ad.html

The Catalyst 3750 Metro switch supports these IEEE 802.1ad features:

a switchport-based model

all-to-one bundling

service multiplexing (complex UNI)

In 802.1ad, a switchport is configured as either a customer user-network interface (C-UNI), a service-provider UNI (S-UNI), or a network-to-network interface (NNI). Only Layer 2 interfaces can be 802.1ad ports.

C-UNI—can be either an access port or an 802.1Q trunk port. The port uses the customer bridge addresses. To configure a C-UNI port, enter the ethernet dot1ad uni c-port interface configuration command. New keywords added to the switchport vlan mapping interface configuration command allow all-to-one or selective bundling capability for customer VLANs when the interface is configured as an 802.1ad trunk C-UNI port.

On a Catalyst 3750 Metro switch, you cannot configure an ES port as a C-UNI port.

S-UNI—an access port that provides the same service to all customer VLANs entering the interface, marking all C-VLANs entering the port with the same S-VLAN. In this mode, the customer's port is configured as a trunk port, and traffic entering the S-UNI is tagged. On S-UNIs, CDP and LLDP are disabled, and STP BPDU filtering and Port Fast are enabled. You can configure the port as an access port only; trunk configuration is not allowed.

CFM C-VLAN configuration is not allowed on an S-UNI.

You enter the ethernet dot1ad uni s-port interface configuration command to configure the port in dot1q-tunnel mode. You cannot configure an ES port as an S-UNI.

NNI—entering the ethernet dot1ad nni interface command on a trunk port creates 802.1ad EtherType (0x88a8) and uses S-bridge addresses for CPU-generated Layer 2 protocol PDUs. Only trunk ports can be NNIs. CFM C-VLAN configuration is not allowed on an NNI.

Note On a Catalyst 3750 Metro switch, you can configure 802.1ad NNIs only on ES ports. Non-ES ports can be configured as C-UNIs or S-UNIs.

See the command reference for more information on commands that support 802.1ad.

802.1ad Configuration Guidelines

An S-UNI must be an access port.

An NNI must be a trunk port.

A C-UNI can be either an access port or a trunk port.

On the Catalyst 3750 Metro switch, configure only ES ports as NNIs. Configure only non-ES ports as UNIs.

802.1ad is a port-based feature. There is no global command for enabling 802.1ad. By default, without 802.1ad, all switch ports are traditional 802.1Q ports.

When 802.1ad is enabled, the tunneling of customer data frames is done in software. If the incoming BPDU rate is high, there could be some impact on CPU utilization.

The switches do not support 802.1ad on EVCs or 802.1ad Layer 3 termination.

The switches do not support split horizon on 802.1ad interfaces.

You cannot enable Layer 2 protocol tunneling on 802.1ad interfaces. The features are mutually exclusive.

Catalyst 3750 Metro switches support a mixed configuration model for 802.1ad that allows traditional QinQ tunnels and 802.1ad tunnels on a bridge at the same time. When configuring a switch in mixed configuration mode, be sure to separate the broadcast domains for traditional 802.1Q tunneling and 802.1ad tunneling. To ensure functionality, do not configure 802.1ad NNI trunk ports and 802.1Q egress trunks with overlapping sets of allowed VLANs.

By default, customer UDLD packets are tunneled on 802.1ad S-UNI ports and are processed (peered) on C-UNI ports. End-to-end UDLD is not supported on 802.1ad C-UNI ports.

When configuring the service provider network for 802.1ad, be sure to configure 802.1ad NNIs on all interconnecting trunk ports. This is required for end-to-end functionality for customer Layer 2 PDUs in the service provider network.

Configuring 802.1ad on EtherChannels

When configuring 802.1ad on port channels, configure the EtherChannel group first, and then configure 802.1ad port configuration on the bundled port (port channel). When configured on the EtherChannel port channel, the 802.1ad configuration is applied to all ports in the port channel.

You cannot add a port to an EtherChannel if the port already has 802.1ad enabled.

Follow this configuration sequence when both CE and PE devices are actively participating in PAgP or LACP EtherChannels.

Configuration Example for 802.1ad End-to-End PAgP EtherChannels between CE Devices

See Figure 15-5. For end-to-end PAgP EtherChannel tunneling between CE devices, you should extend the CE connections through the service provider network as a point-to-point service when the PE device has no EtherChannels in on mode. See the software configuration guide section "Configuring Layer 2 Tunneling for EtherChannels" in the "Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling" chapter. The same procedure applies to 802.1ad tunnels.

Figure 15-5 802.1ad End-to-End PAgP EtherChannels

Configuration on Customer A1: 

 Switch #show etherchannel summary 

        Flags:  D - down        P - bundled in port-channel

        I - stand-alone s - suspended

        H - Hot-standby (LACP only)

        R - Layer3      S - Layer2

        U - in use      f - failed to allocate aggregator


        M - not in use, minimum links not met

        u - unsuitable for bundling

        w - waiting to be aggregated

        d - default port

        Number of channel-groups in use: 2

        Number of aggregators:           2

       Group  Port-channel  Protocol                         Ports

        ------+-------------+-----------+-----------------------------------------------

          23     Po23(SU)        PAgP (desirable)      Fa1/0/2(P)  Fa1/0/3(P)  Fa1/0/4(P)

Configuration on PE-1: 

Switch (config)# interface GigabitEthernet0/2

Switch (config-if)# switchport access vlan 4002

Switch (config-if)# ethernet dot1ad uni s-port


Switch (config)# interface GigabitEthernet0/2                          

Switch (config-if)# switchport access vlan 4002

Switch (config-if)# switchport mode trunk


Switch (config)# interface GigabitEthernet0/3

Switch (config-if)# switchport access vlan 4001 

Switch (config-if)# ethernet dot1ad uni s-port

Switch (config-if)# switchport trunk allowed vlan 4002

Switch (config-if)# switchport vlan mapping default dot1ad-bundle 

Switch (config-if)# Ethernet dot1ad uni c-port	


Switch (config)# interface GigabitEthernet0/4

Switch (config-if)# switchport access vlan 4003

Switch (config-if)# ethernet dot1ad uni s-port


Switch (config)# interface GigabitEthernet0/10

Switch (config-if)# switchport trunk allowed vlan 4001-4094

Switch (config-if)# switchport mode trunk

Switch (config-if)# media-type sfp

Switch (config-if)# ethernet dot1ad nni

Configuration on PE-3 

Switch (config)# interface GigabitEthernet1/1/1

Switch (config-if)# switchport trunk allowed vlan 4001-4094

Switch (config-if)# switchport mode trunk

Switch (config-if)# switchport trunk dot1q ethertype 88A8

Switch (config-if)# udld port aggressive

Switch (config-if)# ethernet dot1ad nni


Switch (config)# interface GigabitEthernet1/1/2

Switch (config-if)# switchport trunk allowed vlan 4001-4094

Switch (config-if)# switchport mode trunk

Switch (config-if)# switchport trunk dot1q ethertype 88A8

Switch (config-if)# udld port aggressive

Switch (config-if)# ethernet dot1ad nni

Configuration on PE-2 

Switch (config)# interface GigabitEthernet0/9

Switch (config-if)# switchport access vlan 4002

Switch (config-if)# ethernet dot1ad uni s-port


Switch (config)# interface GigabitEthernet0/10

Switch (config-if)# switchport access vlan 4001

Switch (config-if)# ethernet dot1ad uni s-port


Switch (config)# interface GigabitEthernet0/11

Switch (config-if)# switchport access vlan 4003

Switch (config-if)# ethernet dot1ad uni s-port


Switch (config)# interface GigabitEthernet0/13

Switch (config-if)# switchport trunk allowed vlan 4001-4094

Switch (config-if)# switchport mode trunk

Switch (config-if)# ethernet dot1ad nni

Configuration on Customer A3 

Switch (config)# interface Port-channel23

Switch (config-if)# switchport trunk encapsulation dot1q

Switch (config-if)# switchport mode trunk


Switch (config)# interface FastEthernet1/0/21

Switch (config-if)# switchport trunk encapsulation dot1q

Switch (config-if)# switchport mode trunk

Switch (config-if)# channel-protocol pagp

Switch (config-if)# channel-group 23 mode desirable


Switch (config)# interface FastEthernet1/0/22

Switch (config-if)# switchport trunk encapsulation dot1q

Switch (config-if)# switchport mode trunk

Switch (config-if)# channel-protocol pagp

Switch (config-if)# channel-group 23 mode desirable


Switch (config-if)# interface FastEthernet1/0/23

Switch (config-if)# switchport trunk encapsulation dot1q

Switch (config-if)# switchport mode trunk

Switch (config-if)# channel-protocol pagp

Switch (config-if)# channel-group 23 mode desirable

Configuration with 802.1ad C-UNI port on PE-2 and PE-3 

Switch (config)# interface GigabitEthernet0/2                          

Switch (config-if)# switchport access vlan 4002

Switch (config-if)# switchport mode trunk

Switch (config-if)# switchport trunk allowed vlan 4002

Switch (config-if)# switchport vlan mapping default dot1ad-bundle 4002

Switch (config-if)# Ethernet dot1ad uni c-port	


Switch (config)# interface GigabitEthernet0/3                          

Switch (config-if)# switchport access vlan 4001

Switch (config-if)# switchport mode trunk

Switch (config-if)# switchport trunk allowed vlan 4001

Switch (config-if)# switchport vlan mapping default dot1ad-bundle 4001

Switch (config-if)# Ethernet dot1ad uni c-port	


Switch (config)# interface GigabitEthernet0/4                          

Switch (config-if)# switchport access vlan 4003

Switch (config-if)# switchport mode trunk

Switch (config-if)# switchport trunk allowed vlan 4003

Switch (config-if)# switchport vlan mapping default dot1ad-bundle 4003

Switch (config-if)# Ethernet dot1ad uni c-port

The configuration on other switches remains the same in the 802.1ad C-UNI scenario.

Understanding Layer 2 Protocol Tunneling

Customers at different sites connected across a service-provider network need to run various Layer 2 protocols to scale their topology to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider infrastructure. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. Link Layer Discovery Protocol (LLDP) advertises information about all devices, including non-Cisco devices, in the network. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.

When protocol tunneling is enabled, edge switches on the inbound side of the service-provider infrastructure encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Core switches in the network do not process these packets but forward them as normal packets. Layer 2 protocol data units (PDUs) for CDP, LLDP, STP, or VTP cross the service-provider infrastructure and are delivered to customer switches on the outbound side of the service-provider network. Identical packets are received by all customer ports on the same VLANs with these results:

Users on each of a customer's sites are able to properly run STP, and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site.

CDP discovers and shows information about the other Cisco devices connected through the service-provider network.

LLDP discovers and shows information about the other devices, including non-Cisco devices, connected through the service-provider network.

VTP provides consistent VLAN configuration throughout the customer network, propagating through the service provider to all switches.

Note To provide interoperability with third-party vendors, you can use the Layer 2 protocol-tunnel bypass feature. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling. You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk port. When Layer 2 protocol tunneling is enabled on the trunk port, the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address.

Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling. If protocol tunneling is not enabled on IEEE 802.1Q tunneling ports, remote switches at the receiving end of the service-provider network do not receive the PDUs and cannot properly run STP, CDP, and VTP. When protocol tunneling is enabled, Layer 2 protocols within each customer's network are totally separate from those running within the service-provider network. Customer switches on different sites that send traffic through the service-provider network with IEEE 802.1Q tunneling achieve complete knowledge of the customer's VLAN. If IEEE 802.1Q tunneling is not used, you can still enable Layer 2 protocol tunneling by connecting to the customer switch through access ports or trunk ports and enabling tunneling on the service-provider access or trunk port.

For example, in Figure 15-6, Customer X has four switches in the same VLAN that are connected through the service-provider network. If the network does not tunnel PDUs, switches on the far ends of the network cannot properly run STP, CDP, and VTP. For example, STP for a VLAN on a switch in Customer X's Site 1 will build a spanning tree on the switches at that site without considering convergence parameters based on Customer X's switch in Site 2. This could result in the topology shown in Figure 15-7.

Figure 15-6 Layer 2 Protocol Tunneling

Figure 15-7 Virtual Network Topology without BPDU Tunneling

In a service-provider network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. When you enable protocol tunneling (PAgP or LACP) on the service-provider switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.

For example, in Figure 15-8, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the "Configuring Layer 2 Tunneling for EtherChannels" section for instructions on configuring Layer 2 protocol tunneling for EtherChannels.

Figure 15-8 Layer 2 Protocol Tunneling for EtherChannels

Configuring Layer 2 Protocol Tunneling

You enable Layer 2 protocol tunneling (by protocol) on the ports that are connected to the customer in the edge switches of the service-provider network. Edge-switch tunnel ports are connected to customer IEEE 802.1Q trunk ports; edge-switch access ports are connected to customer access ports. The edge switches connected to the customer switch perform the tunneling process.

You can enable Layer 2 protocol tunneling on ports that are configured as access ports, tunnel ports, or trunk ports. You cannot enable Layer 2 protocol tunneling on ports configured in either switchport mode dynamic auto (the default mode) or switchport mode dynamic desirable. The switch supports Layer 2 protocol tunneling for CDP, LLDP, STP, and VTP. For emulated point-to-point network topologies, it also supports PAgP, LACP, and UDLD protocols.

Caution PAgP, LACP, and UDLD protocol tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure.

When the Layer 2 PDUs that entered the inbound edge switch through a Layer 2 protocol-enabled port exit the switch through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag and the inner tag is the customer VLAN tag. The core switches ignore the inner tags and forward the packet to all trunk ports in the same metro VLAN. The edge switches on the outbound side restore the proper Layer 2 protocol and MAC address information and forward the packets to all tunnel ports, access ports, and Layer 2 protocol-enabled trunk ports in the same metro VLAN. Therefore, the Layer 2 PDUs are kept intact and delivered across the service-provider infrastructure to the other side of the customer network.

See Figure 15-6, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address. These double-tagged packets have the outer VLAN tag of 40 as well as an inner VLAN tag (for example, VLAN 100). When the double-tagged packets reach Switch D, the outer VLAN tag 40 is removed, the well-known MAC address is replaced with the respective Layer 2 protocol MAC address, and the packet is sent to Customer Y on Site 2 as a single-tagged frame in VLAN 100.

You can also enable Layer 2 protocol tunneling on access or trunk ports on the edge switch connected to access or trunk ports on the customer switch. In this case, the encapsulation and de-encapsulation behavior is the same as described in the previous paragraph, except that the packets are not double-tagged in the service-provider network. The single tag is the customer-specific access VLAN tag.

This section contains this information about configuring Layer 2 protocol tunneling:

Default Layer 2 Protocol Tunneling Configuration

Layer 2 Protocol Tunneling Configuration Guidelines

Configuring Layer 2 Tunneling

Configuring Layer 2 Tunneling for EtherChannels

Default Layer 2 Protocol Tunneling Configuration

Table 15-1 shows the default Layer 2 protocol tunneling configuration.

Table 15-1 Default Layer 2 Ethernet Interface VLAN Configuration 

Feature
Default Setting

Layer 2 protocol tunneling

Disabled for CDP, LLDP, STP, and VTP.

Shutdown threshold

No threshold for packets-per-second of Layer 2 PDUs per port for the port to shut down.

Drop threshold

No threshold for packets-per-second of Layer 2 PDUs per port for the port to drop the PDUs.

Class of service (CoS) value

If a CoS value is configured on the interface, that value is used to set the BPDU CoS value for Layer 2 protocol tunneling. If no CoS value is configured at the interface level, the default value for CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic.


Layer 2 Protocol Tunneling Configuration Guidelines

The switch supports tunneling of CDP, LLDP, STP including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports, access ports. or trunk ports.

The switch supports PAgP, LACP, and UDLD tunneling for emulated point-to-point network topologies. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports, access ports. or trunk ports.

The switch does not support Layer 2 protocol tunneling on ports with switchport mode dynamic auto or dynamic desirable.

If you enable PAgP or LACP tunneling, we recommend that you also enable UDLD on the interface for faster link-failure detection.

Loopback detection is not supported on Layer 2 protocol tunneling of PAgP, LACP, or UDLD packets.

Dynamic Trunking Protocol (DTP) is not compatible with Layer 2 protocol tunneling because you must manually configure asymmetric links with tunnel ports and trunk ports.

The edge switches on the outbound side restore the proper Layer 2 protocol and MAC address information and forward the packets to all tunnel ports, access ports and Layer 2 protocol-enabled trunk ports in the same metro VLAN.

For interoperability with third-party vendor switches, the switch supports a Layer 2 protocol-tunnel bypass feature. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling.When Layer 2 protocol tunneling is enabled on ingress ports on a switch, egress trunk ports forward the tunneled packets with a special encapsulation. If you also enable Layer 2 protocol tunneling on the egress trunk port, this behavior is bypassed and the switch forwards control PDUs without any processing or modification.

EtherChannel port groups are compatible with tunnel ports as long as the IEEE 802.1Q configuration is consistent within an EtherChannel port group.

If an encapsulated PDU (with the proprietary destination MAC address) is received from a tunnel port or access or trunk port with Layer 2 tunneling enabled, the port is shut down to prevent loops. The port also shuts down when a configured shutdown threshold for the protocol is reached. You can manually re-enable the port (by entering a shutdown and no shutdown command sequence) or if errdisable recovery is enabled, the operation is retried after a specified time interval.

Only decapsulated PDUs are forwarded to the customer network. The spanning-tree instance running on the service-provider network does not forward BPDUs to tunnel ports. No CDP packets are forwarded from tunnel ports.

When protocol tunneling is enabled on an interface, you can set a per-protocol, per-port, shutdown threshold for the PDUs generated by the customer network. If the limit is exceeded, the port shuts down. You can also rate-limit BPDUs by using QoS ACLs and policy maps on a tunnel port.

When protocol tunneling is enabled on an interface, you can set a per-protocol, per-port, drop threshold for the PDUs generated by the customer network. If the limit is exceeded, the port drops PDUs until the rate at which the port receives them is below the drop threshold.

Because tunneled PDUs (especially STP BPDUs) must be delivered to all remote sites for the customer virtual network to operate properly, you can give PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets.

Protocol tunneling for LLDP is supported beginning with Cisco IOS Release 12.2(58)SE.

Configuring Layer 2 Tunneling

Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter the interface configuration mode and the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 12).

Step 3 

switchport mode access
or
switchport mode dot1q-tunnel

or
switchport mode trunk

Configure the interface as an access port, an IEEE 802.1Q tunnel port or a trunk port.

Step 4 

l2protocol-tunnel [cdp | lldp | stp | vtp]

Enable protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three Layer 2 protocols.

Step 5 

l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value

(Optional) Configure the threshold in packets per second to be received for encapsulation before the interface shuts down. The port is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold is applied to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

Step 6 

l2protocol-tunnel drop-threshold [cdp | lldp | stp | vtp] value

(Optional) Configure the threshold in packets per second to be received for encapsulation before the interface drops packets. The port drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold is applied to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note If you also set a shutdown threshold on this interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.

Step 7 

exit

Return to global configuration mode.

Step 8 

errdisable recovery cause l2ptguard

(Optional) Configure the recovery mechanism from a Layer 2 maximum rate error so that the interface can be brought out of the disabled state and allowed to try again. You can also set the time interval. Errdisable recovery is disabled by default; when enabled, the default time interval is 300 seconds.

Step 9 

l2protocol-tunnel cos value

(Optional) Configure the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5.

Step 10 

end

Return to privileged EXEC mode.

Step 11 

show l2protocol

Display the Layer 2 tunnel ports on the switch, including the protocols configured, the threshold, and the counters.

Step 12 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no l2protocol-tunnel [cdp | lldp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three of them. Use the no l2protocol-tunnel shutdown-threshold [cdp | lldp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | lldp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

This example shows how to configure Layer 2 protocol tunneling for CDP, STP, and VTP and to verify the configuration. 

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# l2protocol-tunnel cdp

Switch(config-if)# l2protocol-tunnel stp

Switch(config-if)# l2protocol-tunnel vtp

Switch(config-if)# l2protocol-tunnel shutdown-threshold 1500

Switch(config-if)# l2protocol-tunnel drop-threshold 1000

Switch(config-if)# exit

Switch(config)# l2protocol-tunnel cos 7

Switch(config)# end

Switch# show l2protocol

COS for Encapsulated Packets: 7


Port    Protocol Shutdown  Drop      Encapsulation Decapsulation Drop

                 Threshold Threshold Counter       Counter       Counter

------- -------- --------- --------- ------------- ------------- -------------

Gi1/0/2 cdp           1500      1000             0             0             0

        stp           1500      1000             0             0             0

        vtp           1500      1000             0             0             0

Configuring Layer 2 Tunneling for EtherChannels

To configure Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels, you need to configure both the service-provider edge switch and the customer switch.

Configuring the Service-Provider Edge Switch

Beginning in privileged EXEC mode, follow these steps to configure a service-provider edge switch for Layer 2 protocol tunneling for EtherChannels:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces are physical interfaces.

Step 3 

switchport mode dot1q-tunnel

Configure the interface as an IEEE 802.1Q tunnel port.

Step 4 

l2protocol-tunnel point-to-point [pagp | lacp | udld]

Enable point-to-point protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three protocols.

Caution To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.

Step 5 

l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value

(Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

Step 6 

l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value

(Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured.

Note If you also set a shutdown threshold on this interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.

Step 7 

no cdp enable

Disable CDP on the interface.

Step 8 

spanning-tree bpdufilter enable

Enable BPDU filtering on the interface.

Step 9 

exit

Return to global configuration mode.

Step 10 

errdisable recovery cause l2ptguard

(Optional) Configure the recovery mechanism from a Layer 2 maximum-rate error so that the interface is re-enabled and can try again. Errdisable recovery is disabled by default; when enabled, the default time interval is 300 seconds.

Step 11 

l2protocol-tunnel cos value

(Optional) Configure the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5.

Step 12 

end

Return to privileged EXEC mode.

Step 13 

show l2protocol

Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.

Step 14 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no l2protocol-tunnel [point-to-point [pagp | lacp | udld]] interface configuration command to disable point-to-point protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [[point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.

Configuring the Customer Switch

After configuring the service-provider edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter the interface configuration mode. This should be the customer switch port.

Step 3 

switchport trunk encapsulation dot1q

Set the trunking encapsulation format to IEEE 802.1Q.

Note Beginning with Cisco IOS Release 12.2(22)EY, this step is not required on ES ports. Because ES ports support only IEEE 802.1Q trunking, the encapsulation keyword is not visible.

Step 4 

switchport mode trunk

Enable trunking on the interface.

Step 5 

udld enable

Enable UDLD in normal mode on the interface.

Step 6 

channel-group channel-group-number mode desirable

Assign the interface to a channel group, and specify desirable for the PAgP mode. For more information about configuring EtherChannels, see Chapter 35, "Configuring EtherChannels and Link-State Tracking."

Step 7 

exit

Return to global configuration mode.

Step 8 

interface port-channel port-channel number

Enter port-channel interface mode.

Step 9 

shutdown

Shut down the interface.

Step 10 

no shutdown

Enable the interface.

Step 11 

end

Return to privileged EXEC mode.

Step 12 

show l2protocol

Display the Layer2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.

Step 13 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no switchport mode trunk, the no udld enable, and the no channel group channel-group-number mode desirable interface configuration commands to return the interface to the default settings.

For EtherChannels, you need to configure both the service-provider edge switches and the customer switches for Layer 2 protocol tunneling.

This example shows how to configure the service provider edge Switch A and edge Switch B in the example in Figure 15-8. VLANs 17, 18, 19, and 20 are the access VLANs, Fast Ethernet ports 1 and 2 are point-to-point tunnel ports with PAgP and UDLD enabled, the drop threshold is 1000, and Fast Ethernet port 3 is a trunk port.

Service-provider edge Switch A configuration: 

Switch(config)# interface fastethernet1/0/1

Switch(config-if)# switchport access vlan 17

Switch(config-if)# switchport mode dot1q-tunnel

Switch(config-if)# l2protocol-tunnel point-to-point pagp

Switch(config-if)# l2protocol-tunnel point-to-point udld

Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/2

Switch(config-if)# switchport access vlan 18

Switch(config-if)# switchport mode dot1q-tunnel

Switch(config-if)# l2protocol-tunnel point-to-point pagp

Switch(config-if)# l2protocol-tunnel point-to-point udld

Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/3

Switch(config-if)# switchport trunk encapsulation isl

Switch(config-if)# switchport mode trunk

Service-provider edge Switch B configuration: 

Switch(config)# interface fastethernet1/0/1

Switch(config-if)# switchport access vlan 19

Switch(config-if)# switchport mode dot1q-tunnel

Switch(config-if)# l2protocol-tunnel point-to-point pagp

Switch(config-if)# l2protocol-tunnel point-to-point udld

Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/2

Switch(config-if)# switchport access vlan 20

Switch(config-if)# switchport mode dot1q-tunnel

Switch(config-if)# l2protocol-tunnel point-to-point pagp

Switch(config-if)# l2protocol-tunnel point-to-point udld

Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/3

Switch(config-if)# switchport trunk encapsulation isl

Switch(config-if)# switchport mode trunk

This example shows how to configure the customer switch at Site 1. Fast Ethernet ports 1, 2, 3, and 4 are set for IEEE 802.1Q trunking, UDLD is enabled, EtherChannel group 1 is enabled, and the port channel is shut down and then enabled to activate the EtherChannel configuration. 

Switch(config)# interface fastethernet1/0/1

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# udld enable

Switch(config-if)# channel-group 1 mode desirable

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/2

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# udld enable

Switch(config-if)# channel-group 1 mode desirable

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/3

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# udld enable

Switch(config-if)# channel-group 1 mode desirable

Switch(config-if)# exit

Switch(config)# interface fastethernet1/0/4

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# udld enable

Switch(config-if)# channel-group 1 mode desirable

Switch(config-if)# exit

Switch(config)# interface port-channel 1

Switch(config-if)# shutdown

Switch(config-if)# no shutdown

Switch(config-if)# exit

Monitoring and Maintaining Tunneling and Mapping Status

Table 15-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling and VLAN mapping.

Table 15-2 Commands for Monitoring and Maintaining Tunneling and VLAN Mapping 

Command
Purpose

clear l2protocol-tunnel counters

Clear the protocol counters on Layer 2 protocol tunneling ports.

show dot1q-tunnel

Display IEEE 802.1Q tunnel ports on the switch.

show dot1q-tunnel interface interface-id

Verify if a specific interface is a tunnel port.

show l2protocol-tunnel

Display information about Layer 2 protocol tunneling ports.

show errdisable recovery

Verify if the recovery timer from a Layer 2 protocol-tunnel error disable state is enabled.

show interface interface-id vlan mapping

Display VLAN mapping information for the specified interface. The interface can be an ES port or a VLAN.

show l2protocol-tunnel interface interface-id

Display information about a specific Layer 2 protocol tunneling port.

show l2protocol-tunnel summary

Display only Layer 2 protocol summary information.

show vlan dot1q native

Display the status of native VLAN tagging on the switch.

show vlan mapping

Display VLAN mapping information (contents of the VLAN mapping table) for the ES ports.


For detailed information about these displays, see the command reference for this release.