Customers at different sites connected across a service-provider network need to run various Layer 2 protocols to scale their topology to include all remote sites, as well as the local sites. The Spanning Tree Protocol (STP) must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider infrastructure. Cisco Discovery Protocol (CDP) must be able to discover neighboring Cisco devices from local and remote sites, and the VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
Starting with Cisco NX-OS Release 7.0(3)I7(3) you can configure the switch to allow multi-tagged BPDUs on a tunnel port. If you enable l2 protocol tunnel allow-double-tag, when a multi-tagged customer BPDU enters the tunnel port, the original 802.1Q tags from the customer traffic are preserved and an outer VLAN tag (the customer's access VLAN ID, as assigned by the service provider) is added to the encapsulated packet. Therefore, BPDU packets that enter the service-provider infrastructure are multi-tagged. When the BPDUs leave the service-provider network, the outer tag is removed and the original multi-tagged BPDU is sent to the customer network.
When protocol tunneling is enabled, edge switches on the inbound side of the service-provider infrastructure encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Core switches in the network do not process these packets, but forward them as normal packets. Bridge protocol data units (BPDUs) for CDP, STP, or VTP cross the service-provider infrastructure and are delivered to customer switches on the outbound side of the service-provider network. Identical packets are received by all customer ports on the same VLANs.
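The two paragraphs above describe the frame handling at the provider edge: the destination MAC is rewritten to a tunnel address on ingress, an outer 802.1Q tag carrying the customer's access VLAN is pushed in front of whatever customer tags are already present (the allow-double-tag case), and both are undone on egress. The following Python model, added here as an illustration and not code from Cisco or from this document, constructs STP, CDP and VTP PDUs as byte strings and walks them through that ingress/egress path so the tag stack and the MAC rewrite can be inspected. Assumptions: the tunnel address 01:00:0c:cd:cd:d0 is the one Cisco documents for Layer 2 protocol tunneling (the page only says "a special MAC address"), the PDU bodies are constructed filler, and "an already-tagged BPDU is refused unless allow-double-tag is set" is this model's reading of the page, not a verified switch behaviour.

```python
"""Model of Layer 2 protocol tunneling at a provider-edge tunnel port.

Added example; not Cisco NX-OS code. All frames are constructed in-memory,
no network I/O. Offsets follow the 802.3 frame layout:
  dmac(6) smac(6) [802.1Q tag(4)]* length/type(2) LLC payload
"""
import struct

TPID_DOT1Q = 0x8100
STP_DMAC = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address (STP BPDUs)
CISCO_DMAC = bytes.fromhex("01000ccccccc")  # Cisco multicast used by CDP and VTP
TUNNEL_DMAC = bytes.fromhex("01000ccdcdd0") # assumption: Cisco's L2PT rewrite address
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID, VTP_PID = 0x2000, 0x2003


def build_pdu_frame(vids, protocol, smac=bytes.fromhex("001122334455")):
    """Constructed 802.3/LLC frame carrying an STP, CDP or VTP PDU with the given 802.1Q tag stack."""
    if protocol == "stp":
        dmac = STP_DMAC
        # LLC DSAP/SSAP 0x42 (bridge STP) + UI control, then constructed BPDU header bytes
        payload = bytes.fromhex("424203") + bytes.fromhex("0000000000")
    elif protocol in ("cdp", "vtp"):
        dmac = CISCO_DMAC
        pid = CDP_PID if protocol == "cdp" else VTP_PID
        # LLC SNAP (AA AA 03) + Cisco OUI + protocol id, then constructed body bytes
        payload = bytes.fromhex("aaaa03") + CISCO_OUI + struct.pack("!H", pid) + b"\x02\xb4\x00\x00"
    else:
        raise ValueError(protocol)
    tags = b"".join(struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF) for vid in vids)
    return dmac + smac + tags + struct.pack("!H", len(payload)) + payload


def parse(frame):
    """Split a frame into (dmac, smac, [vids], length_or_type, payload), walking every stacked tag."""
    dmac, smac, i, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[i:i + 2])[0] == TPID_DOT1Q:
        tci = struct.unpack("!H", frame[i + 2:i + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        i += 4
    length_or_type = struct.unpack("!H", frame[i:i + 2])[0]
    return dmac, smac, vids, length_or_type, frame[i + 2:]


def classify_pdu(payload):
    """Identify the Layer 2 protocol from the LLC/SNAP header, independent of the destination MAC.

    This is what lets the egress side restore the right group address after the
    tunnel MAC has replaced it, and what lets a capture tool spot tunnelled BPDUs."""
    if payload[:2] == b"\x42\x42":
        return "stp"
    if payload[:3] == b"\xaa\xaa\x03" and payload[3:6] == CISCO_OUI:
        pid = struct.unpack("!H", payload[6:8])[0]
        return {CDP_PID: "cdp", VTP_PID: "vtp"}.get(pid)
    return None


def pe_ingress(frame, access_vid, allow_double_tag):
    """Tunnel-port ingress: rewrite DMAC to the tunnel address and push the provider's outer tag.

    Inner customer tags are left untouched. Without allow_double_tag an already-tagged
    PDU is refused (None); this models the page's description, not verified switch behaviour."""
    dmac, smac, vids, _, payload = parse(frame)
    if classify_pdu(payload) is None:
        return None  # not an STP/CDP/VTP PDU; normal forwarding, not tunnelling
    if vids and not allow_double_tag:
        return None
    outer = struct.pack("!HH", TPID_DOT1Q, access_vid & 0x0FFF)
    return TUNNEL_DMAC + smac + outer + frame[12:]  # frame[12:] keeps the customer's tags + PDU


def pe_egress(frame):
    """Tunnel-port egress: pop the outer tag and restore the protocol's own group address."""
    dmac, smac, vids, _, payload = parse(frame)
    if dmac != TUNNEL_DMAC or not vids:
        return None
    proto = classify_pdu(payload)
    if proto is None:
        return None
    orig_dmac = STP_DMAC if proto == "stp" else CISCO_DMAC
    return orig_dmac + smac + frame[16:]  # frame[12:16] is the outer tag being removed


if __name__ == "__main__":
    customer_bpdu = build_pdu_frame([100, 200], "stp")   # customer sends a double-tagged BPDU
    in_core = pe_ingress(customer_bpdu, 10, allow_double_tag=True)
    print("tag stack inside the provider core:", parse(in_core)[2])  # [10, 100, 200]
    print("restored at the far edge:", pe_egress(in_core) == customer_bpdu)
```

The round trip `pe_egress(pe_ingress(frame, vid, True)) == frame` is the property the page describes: the customer's own tags survive the provider network unchanged, and only the provider's outer tag and the tunnel MAC are added and removed. `classify_pdu` is also the check a defender would run over a capture taken inside the provider core to confirm that frames addressed to the tunnel MAC really are STP/CDP/VTP and nothing else is riding the tunnel.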
If protocol tunneling is not enabled on 802.1Q tunneling ports, remote switches at the receiving end of the service-provider network do not receive the BPDUs and cannot properly run STP, CDP, 802.1X, and VTP. When protocol tunneling is enabled, Layer 2 protocols within each customer's network are totally separate from those running within the service-provider network. Customer switches on different sites that send traffic through the service-provider network with 802.1Q tunneling achieve complete knowledge of the customer's VLAN.
Layer 2 protocol tunneling works by tunneling BPDUs in software. A large number of BPDUs coming into the supervisor module causes the CPU load to go up. The load is controlled by Control Plane Policing (CoPP) configured for packets marked as
For example, the following figure shows Customer X with four switches in the same VLAN that are connected through the service-provider network. If the network does not tunnel BPDUs, the switches on the far ends of the network cannot properly run the STP, CDP, 802.1X, and VTP protocols.
Figure 4. Layer 2 Protocol
In the preceding example, STP for a VLAN on a switch in Customer X, Site 1 will build a spanning tree on the switches at that site without considering convergence parameters based on Customer X's switch in Site 2.
The following figure shows the resulting topology on the customer's network when BPDU tunneling is
Figure 5. Virtual Network Topology Without BPDU Tunneling