Layer 2 protocol tunneling in real world
August 16th, 2008
When a networking geek finds a new feature, he'd love to implement it on his network perimeter (perhaps Benmoon will read my article).
But sometimes the super feature is not applicable to every sort of production network.
That's the case for the L2PT (Layer 2 Protocol Tunneling) feature, which is especially useful for customers of VPLS (virtual LAN services based on Ethernet) service providers. Cisco's documentation is not very clear and says little about the usage of L2PT, but CCIE hackers use it. The feature's goal is to widen the layer 2 network across multiple geographically remote sites over a WAN. I'll try to add another dimension to the understanding of this feature.
First thing to know: when you hear L2PT, think "big switch" or "big trunk" in Cisco terminology.
Second thing to know: L2PT tunnels Spanning Tree, CDP and VLAN frames (plus PAgP, LACP and UDLD).
Third thing to know: it does nothing except give you the possibility to extend the size of the Layer 2 domain.
Why do I need a big switch?
Increasing the Layer 2 domain size between Paris, London and Sydney:
- Single bridge domain (one VLAN)
- Single subnet
- Single SLA
- MAC address learning and forwarding
To make this work over a WAN, L2PT is mandatory.
Guys, I have a Wacom tablet, so I'll definitely try to use it for this article. As I used to say to my students, it's best-effort drawing.
L2PT big picture over an MPLS/VPLS backbone:
A switch as a CE (Customer Edge)?
It's not because it's a Layer 2 thing that a switch is absolutely required. You can have a switch and/or a router, i.e. any device that can do 802.1Q tunneling.
Who configures L2PT in IOS?
L2PT is configured on the ISP's equipment (commands borrowed from packetlife). These lines need to be typed on the backbone routers where the CDP, STP and VLAN frames will flow until they reach another of the customer's sites.
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
Limitations of L2PT
Don't forget the MAC address limits and the VLAN number limit, which will require PBT (Provider Bridging Transport) or H-VPLS (Hierarchical VPLS) in order to work and which break L2PT. Also, in the good-to-know part, keep in mind that a virtual switch operates like a conventional switch as regards flooding/forwarding, MAC learning/aging and loop prevention in unicast, broadcast and multicast environments, so always keep an eye on your layer 2 perimeters (not the part owned by the ISP).
L2PT should only be used for small customer implementations.
And security?
One thing is sure: these technologies open massive leaking holes in network security. I'll name the use of redundant multihomed connections (local traffic may be tunneled into the service provider backbone) and VLAN number mismatches: imagine VLAN 10 at the Sydney site is the Wi-Fi hotspot VLAN and VLAN 10 in Paris is the customer database one.
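Two checks a defender can script before joining sites with L2PT, covering both the PE interface config shown earlier and the VLAN 10 mismatch just described. This is an added example, not code from the post or from Cisco: it parses a constructed IOS config, flags L2PT ports that tunnel CDP but still have local CDP enabled, and compares per-site VLAN role tables (all names and sample data are assumptions).

```python
from typing import Dict, List

# Constructed provider-edge IOS config (not from the post). The second
# interface deliberately forgets "no cdp enable"; the third has no L2PT.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
!
interface GigabitEthernet0/2
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
!
interface GigabitEthernet0/3
 description uplink, no tunneling here
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return blocks

def audit_l2pt(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every port that tunnels a protocol."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        words = [c.split() for c in cmds if c.startswith("l2protocol-tunnel ")]
        tunneled = [w[1] for w in words if w[1] in ("cdp", "stp", "vtp")]
        if not tunneled:
            continue
        issues = []
        if "cdp" in tunneled and "no cdp enable" not in cmds:
            issues.append("cdp tunneled but local CDP still enabled")
        findings[name] = issues
    return findings

def vlan_mismatches(sites: Dict[str, Dict[int, str]]) -> List[int]:
    """VLAN ids whose role differs between sites (constructed role tables)."""
    roles: Dict[int, set] = {}
    for vlans in sites.values():
        for vid, role in vlans.items():
            roles.setdefault(vid, set()).add(role)
    return sorted(v for v, r in roles.items() if len(r) > 1)
```

Run `vlan_mismatches` over each site's VLAN inventory before the L2 domains are joined; any id it returns is one where two sites would silently share a broadcast domain for different purposes.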