Section 3.4: Service Provider Tunneling

When a campus network is split across physically separate sites, Layer 2 connectivity between those sites must be bought from a service provider that can extend a VLAN between locations, typically as Metro Ethernet. Connecting a single trunk link to the provider's network to carry many VLANs is preferable to provisioning one single-VLAN link per VLAN. An IEEE 802.1Q trunk allows one or more VLANs to be carried over a single physical connection, and the whole trunk can in turn be carried across a third party's network. As an alternative to tunneling IEEE 802.1Q trunks across the provider's network, Multiprotocol Label Switching (MPLS) can be used. Neither technique encrypts or authenticates the customer's frames: both provide transparent transport only, so any confidentiality or integrity requirement has to be met by the customer on top of the tunnel (for example with MACsec or IPsec).

3.4.1: IEEE 802.1Q Tunnels

An IEEE 802.1Q trunk port at the edge of the campus network connects to a service provider's IEEE 802.1Q tunnel port. Every active VLAN on the trunk is tunneled across the provider's core network and emerges at the customer's remote location, the other tunnel endpoint. In an 802.1Q tunnel a second layer of VLAN tagging is added to each frame on the trunk, so that the whole trunk is encapsulated inside a new trunk: a second, outer 4-byte 802.1Q tag is pushed in front of the customer's own tag. The result is that the customer's trunk is tagged with a VLAN ID that identifies the customer, and the provider's switches forward frames on that outer VLAN ID alone to reach the correct remote tunnel endpoint. Because of the double encapsulation, the customer's inner VLAN tag and the Layer 3 addresses of the original frame are not examined inside the tunnel; the provider core never looks at them or acts on them. This technique is also known as a Q-in-Q tunnel or a nested IEEE 802.1Q trunk.

The following commands are used to configure an 802.1Q tunnel:

Switch(config)# interface type mod/num
Switch(config-if)# switchport access vlan vlan-id
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# exit
Switch(config)# vlan dot1q tag native

• switchport access vlan assigns the VLAN ID that identifies the customer connected to this physical interface; that VLAN ID becomes the outer tag on every frame entering the tunnel.

• switchport mode dot1q-tunnel places the switch port into 802.1Q tunnel mode.

• vlan dot1q tag native forces the service provider's edge switch to tag frames on the native VLAN as well. Native VLAN frames that originate inside the provider's core are then tagged automatically, and untagged frames arriving on customer-facing trunks are dropped. This matters for security as much as for correctness: an untagged native VLAN is the basis of the classic double-tagging VLAN-hopping attack, in which the outer tag is stripped on a native-VLAN trunk and the inner tag is then honored by the next switch. Tagging the native VLAN guarantees that the outer customer tag is never stripped inside the provider core, so a customer's inner VLAN IDs cannot leak into the provider's own VLAN space.
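The tag push and pop described above, and the native-VLAN hazard that vlan dot1q tag native closes, as an added example written for this section (it is not Cisco code and does not reproduce IOS exactly). It models a customer frame entering a tunnel port, crossing one provider core trunk and being classified by the next core switch. The use of TPID 0x8100 for both tags, the rule that a frame whose outer VID equals a trunk's native VLAN is sent untagged when native tagging is off, and all MAC addresses, VLAN IDs and the frame payload are constructed assumptions.

```python
"""Q-in-Q (nested 802.1Q) push/pop model.  Added example, not Cisco code.
Frames are plain byte strings built here, so it runs offline.  TPID 0x8100
for both tags and the native-VLAN stripping rule are assumptions matching the
common 802.1Q behaviour described in the text."""
import struct

TPID = 0x8100            # assumed: inner and outer tags both use the 802.1Q TPID

def ethernet(dst, src, vid, payload, pcp=0):
    """Build a single-tagged 802.1Q frame: dst, src, tag, ethertype + payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HH", TPID, tci) + payload

def tags(frame):
    """Return the VLAN IDs in the order they appear after the two MACs."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def push_tag(frame, vid):
    """Provider tunnel port: insert an outer tag in front of whatever is there."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def pop_tag(frame):
    """Remove the outermost tag; raises if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID:
        raise ValueError("no tag to pop")
    return frame[:12] + frame[16:]

def core_trunk_egress(frame, native_vid, tag_native):
    """Provider core trunk: without 'vlan dot1q tag native', a frame whose
    outer VID equals the trunk's native VLAN leaves the switch untagged."""
    vids = tags(frame)
    if not tag_native and vids and vids[0] == native_vid:
        return pop_tag(frame)
    return frame

def core_trunk_ingress_vlan(frame, native_vid):
    """Receiving core switch: classify by the first tag, else the native VLAN."""
    vids = tags(frame)
    return vids[0] if vids else native_vid

def transit(customer_frame, customer_vid, provider_native, tag_native):
    """Customer trunk -> tunnel port (push) -> core trunk -> next core switch.
    Returns the VLAN in which the second core switch will forward the frame."""
    tunneled = push_tag(customer_frame, customer_vid)
    on_wire = core_trunk_egress(tunneled, provider_native, tag_native)
    return core_trunk_ingress_vlan(on_wire, provider_native)

# Constructed sample: customer A sends a VLAN 100 frame with an IPv4 payload.
# The provider has assigned customer A the outer VLAN 1, which is also the
# provider's native VLAN on its core trunks (a deliberately poor choice).
CUSTOMER_FRAME = ethernet(bytes.fromhex("0000aa000001"),
                          bytes.fromhex("0000aa000002"),
                          100, b"\x08\x00" + b"\x45" + b"\x00" * 19)

def demo():
    # Without native tagging the outer tag (VID 1) is stripped on the core
    # trunk; the next switch sees the customer's inner tag and forwards the
    # frame in the provider's VLAN 100: a VLAN hop out of the tunnel.
    leaked = transit(CUSTOMER_FRAME, 1, 1, tag_native=False)
    # With native tagging the outer tag stays on and the frame stays in VLAN 1.
    safe = transit(CUSTOMER_FRAME, 1, 1, tag_native=True)
    # Round trip: push at the ingress tunnel port, pop at the far one.
    intact = pop_tag(push_tag(CUSTOMER_FRAME, 1)) == CUSTOMER_FRAME
    return leaked, safe, intact

if __name__ == "__main__":
    print(demo())
```

Running demo() returns (100, 1, True): the same customer frame ends up in provider VLAN 100 when the native VLAN is untagged and stays in its assigned VLAN 1 once native tagging is on, and the round trip leaves the customer's frame, inner tag included, byte-for-byte intact. The practical rule the model illustrates is to never assign a customer an outer VLAN equal to a core trunk's native VLAN, and to enable native tagging regardless.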

3.4.2: Layer 2 Protocol Tunnels

When a switch communicates with another switch it uses protocols such as Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP). The frames that carry this switch-to-switch information, known as Layer 2 control protocol data units (PDUs), cannot be handled correctly inside an 802.1Q tunnel, so these protocols are not forwarded across it.

Control PDUs are sent on VLAN 1, the default native VLAN, of a trunk. At the service provider's 802.1Q tunnel port they are not tunneled; the edge switch intercepts them instead. CDP PDUs are processed by the edge switch, while VTP and STP PDUs are discarded, because VTP and STP have no meaning for the provider's internal network.

To carry these PDUs across the provider network, a Layer 2 protocol tunnel using Generic Bridge PDU Tunneling (GBPT) is used. When the frames arrive at the provider's edge switch, their destination MAC address is rewritten to the GBPT address 0100.0ccd.cdd0; the PDU body itself is carried unchanged. Once encapsulated this way they are forwarded across the tunnel, and at the far end they are delivered as if they had arrived on the native VLAN of the customer's trunk. Note that tunneling STP this way joins the customer's sites into one spanning-tree domain across the provider network: a topology change or a forged superior BPDU at one site now reaches the others, so the customer should apply the same BPDU protection at the tunnel endpoints as on any other trunk.

The following commands are used to configure Layer 2 Protocol Tunneling:

Switch(config)# interface type mod/port

Switch(config-if)# l2protocol-tunnel [cdp | stp | vtp]

Switch(config-if)# l2protocol-tunnel drop-threshold pps [cdp | stp | vtp]

Switch(config-if)# l2protocol-tunnel shutdown-threshold pps [cdp | stp | vtp]

• l2protocol-tunnel with no keyword tunnels all supported protocols; alternatively, name cdp, stp or vtp to tunnel only that protocol.

• drop-threshold limits the tunnel to pps control frames (1 to 4096) per one-second interval. Once the limit is reached, further control frames are dropped until that second has passed; ordinary data frames are unaffected.

• shutdown-threshold shuts the tunnel port down, placing it in the errdisable state, as soon as more than pps control frames (1 to 4096) are received within one second. Because any device at the customer site can trigger this by flooding PDUs, it turns a control-plane flood into a denial of service of the whole port; prefer drop-threshold, or pair shutdown-threshold with errdisable recovery, unless taking the port down is the intended response.
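The GBPT rewrite and the two thresholds, as an added example modelling a Layer 2 protocol tunnel edge port (written for this section; it is not Cisco code and simplifies IOS behaviour). The well-known destination MACs it keys on (CDP and VTP on 0100.0ccc.cccc, IEEE STP on 0180.c200.0000) and the GBPT address 0100.0ccd.cdd0 are the standard values; the per-second window accounting, the threshold values, the source MAC and the PDU bodies are constructed assumptions.

```python
"""Model of an L2PT/GBPT tunnel port with drop and shutdown thresholds.
Added example, not Cisco code.  MAC constants are the well-known values;
the one-second window accounting and the sample PDUs are assumptions."""
from collections import defaultdict

CDP_VTP_MAC = bytes.fromhex("01000ccccccc")   # CDP, VTP, DTP, PAgP, UDLD
STP_MAC = bytes.fromhex("0180c2000000")       # IEEE STP/RSTP BPDUs
GBPT_MAC = bytes.fromhex("01000ccdcdd0")      # Cisco GBPT tunnel address
PROTO_OF = {CDP_VTP_MAC: "cdp/vtp", STP_MAC: "stp"}

class L2ptPort:
    """Per-port state: which protocols are tunneled and the two thresholds."""

    def __init__(self, protocols, drop_threshold=None, shutdown_threshold=None):
        self.protocols = set(protocols)
        self.drop_threshold = drop_threshold
        self.shutdown_threshold = shutdown_threshold
        self.errdisabled = False
        self.counts = defaultdict(int)      # (protocol, second) -> PDUs seen

    def ingress(self, ts, frame):
        """Handle a frame arriving at time ts (seconds).  Returns one of
        ('forwarded', frame), ('tunneled', rewritten frame),
        ('dropped', reason) or ('errdisable', reason)."""
        proto = PROTO_OF.get(frame[:6])
        if proto is None:
            return ("forwarded", frame)           # ordinary data frame
        if self.errdisabled:
            return ("dropped", "port is errdisabled")
        if proto not in self.protocols:
            return ("dropped", f"{proto} is not tunneled")   # consumed at edge
        key = (proto, int(ts))
        self.counts[key] += 1
        n = self.counts[key]
        if self.shutdown_threshold is not None and n > self.shutdown_threshold:
            self.errdisabled = True
            return ("errdisable", f"{proto} exceeded {self.shutdown_threshold} pps")
        if self.drop_threshold is not None and n > self.drop_threshold:
            return ("dropped", f"{proto} exceeded {self.drop_threshold} pps")
        # GBPT encapsulation: only the destination MAC is rewritten; the PDU
        # body travels unchanged and the far tunnel port restores the MAC.
        return ("tunneled", GBPT_MAC + frame[6:])

def egress(frame, original_mac):
    """Far-end tunnel port: put the protocol's own destination MAC back."""
    return original_mac + frame[6:] if frame[:6] == GBPT_MAC else frame

def demo():
    src = bytes.fromhex("0000bb000001")                       # constructed
    bpdu = STP_MAC + src + b"\x00\x26\x42\x42\x03" + b"\x00" * 35
    cdp = CDP_VTP_MAC + src + b"\x01\x00\xaa\xaa\x03" + b"\x00" * 35

    # 1. Rewrite and restore round trip on a port that tunnels STP only;
    #    the CDP frame is consumed at the edge rather than tunneled.
    quiet = L2ptPort({"stp"})
    action, wire = quiet.ingress(0.0, bpdu)
    round_trip = (action == "tunneled" and wire[:6] == GBPT_MAC
                  and egress(wire, STP_MAC) == bpdu)
    cdp_action = quiet.ingress(0.0, cdp)[0]

    # 2. Threshold behaviour on a burst: drop-threshold 3, shutdown-threshold 4
    #    (assumed values).  Five BPDUs land in second 0, one in second 1.
    port = L2ptPort({"stp"}, drop_threshold=3, shutdown_threshold=4)
    times = [0.1, 0.2, 0.3, 0.4, 0.5, 1.2]
    burst = [port.ingress(t, bpdu)[0] for t in times]
    return round_trip, cdp_action, burst

if __name__ == "__main__":
    print(demo())
```

demo() returns (True, 'dropped', ['tunneled', 'tunneled', 'tunneled', 'dropped', 'errdisable', 'dropped']): the first three BPDUs in the second are tunneled, the fourth is over the drop threshold and is discarded, the fifth exceeds the shutdown threshold and errdisables the port, and the BPDU in the next second is lost because the port is down. That last result is the denial-of-service trade-off of shutdown-threshold made concrete.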

3.4.3: Ethernet Over Multiprotocol Label Switching (MPLS) Tunneling

MPLS is used to forward packets across a large network. If a service provider has an MPLS core, Ethernet over MPLS (EoMPLS) can be used to tunnel customer traffic: EoMPLS is the mechanism that provides Layer 2 tunneling over an MPLS network.

Routers at the edge of the provider's core act as edge label switch routers (LSRs). An edge router classifies customer packets that match a defined set of criteria and assigns them an MPLS label. LSRs inside the MPLS core make their forwarding decisions by examining only the MPLS labels.

LSRs exchange label information, and how to route a packet carrying each label, using the Cisco Tag Distribution Protocol (TDP) or the standard Label Distribution Protocol (LDP). The original Layer 2 frame is encapsulated into an MPLS frame and given new Layer 2 source and destination addresses, corresponding to the current router and the next-hop router respectively. An MPLS label is inserted after these addresses, and any labels already present are simply pushed down beneath it, forming a stack. An MPLS router examines only the top label when deciding how to forward the packet. The original Layer 3 packet follows the last label in the stack. The packet is forwarded across the MPLS network, and the final edge router pops the last label and forwards the unencapsulated packet. The Layer 3 packet is therefore preserved intact inside the encapsulation throughout.

EoMPLS uses the MPLS label stack to identify the customer and the customer's VLAN ID. It tunnels frames between locations transparently at Layer 2: unlike MPLS forwarding of IP packets, EoMPLS preserves the entire original Layer 2 frame, including its original source and destination MAC addresses. EoMPLS needs to be configured only on the edge routers that face the customer's network, but a fully working MPLS network must already exist inside the provider's core.
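The label stack operations described in this section (push at the ingress edge, top-label swap in the core, pop at the egress edge) applied to an EoMPLS two-label stack, as an added example written for this page; it is not Cisco code or any router's implementation. Label entries follow the standard 32-bit layout (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL). The label values, the per-router swap tables, the attachment-circuit name and the customer frame are constructed assumptions, and penultimate-hop popping is modelled as an explicit step.

```python
"""MPLS label-stack model for EoMPLS.  Added example, not router code.
Entry layout follows RFC 3032; labels, swap tables and the customer frame
are constructed for the demonstration."""
import struct

def encode_label(label, bos, exp=0, ttl=64):
    """One 32-bit label stack entry: label(20) | exp(3) | bos(1) | ttl(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def decode_stack(packet):
    """Return ([(label, exp, ttl), ...], payload), reading until BoS is set."""
    entries, off = [], 0
    while True:
        word = struct.unpack_from("!I", packet, off)[0]
        entries.append((word >> 12, (word >> 9) & 7, word & 0xFF))
        off += 4
        if (word >> 8) & 1:
            return entries, packet[off:]

def build_stack(labels, payload):
    """Ingress edge LSR: push labels so that labels[0] is the top of stack."""
    out = b""
    for i, lab in enumerate(labels):
        out += encode_label(lab, bos=int(i == len(labels) - 1))
    return out + payload

def core_lsr(packet, swap_table):
    """Core LSR: look only at the top label, swap it and decrement TTL.
    Everything beneath it, the customer frame included, is not inspected."""
    word = struct.unpack_from("!I", packet, 0)[0]
    top, bos, ttl = word >> 12, (word >> 8) & 1, word & 0xFF
    if ttl <= 1:
        raise ValueError("TTL expired")
    new_word = (swap_table[top] << 12) | (word & 0xE00) | (bos << 8) | (ttl - 1)
    return struct.pack("!I", new_word) + packet[4:]

def penultimate_pop(packet):
    """Pop the outer tunnel label; the VC label underneath becomes the top."""
    return packet[4:]

def egress_pe(packet, vc_table):
    """Egress edge LSR: the VC label selects the customer attachment circuit,
    and the original Ethernet frame is handed over unchanged."""
    entries, payload = decode_stack(packet)
    if len(entries) != 1:
        raise ValueError("expected a single VC label at the egress PE")
    return vc_table[entries[0][0]], payload

# Constructed customer frame: an 802.1Q tagged frame in customer VLAN 200.
CUSTOMER_FRAME = (bytes.fromhex("0000cc000001") + bytes.fromhex("0000cc000002")
                  + struct.pack("!HH", 0x8100, 200)
                  + b"\x08\x00" + b"\x45" + b"\x00" * 19)

def demo():
    # Ingress PE pushes two labels: tunnel label 1001 (reaches the egress PE)
    # on top of VC label 5001 (identifies this customer's attachment circuit).
    packet = build_stack([1001, 5001], CUSTOMER_FRAME)
    # Two core LSRs each swap only the top label; the VC label is untouched.
    packet = core_lsr(packet, {1001: 2002})
    packet = core_lsr(packet, {2002: 3003})
    labels_in_core = [lab for lab, _, _ in decode_stack(packet)[0]]
    # Last core hop pops the tunnel label; the egress PE maps the VC label
    # to the customer circuit and emits the original frame.
    packet = penultimate_pop(packet)
    circuit, frame = egress_pe(packet, {5001: "GigabitEthernet0/1 customer A"})
    return labels_in_core, circuit, frame == CUSTOMER_FRAME

if __name__ == "__main__":
    print(demo())
```

demo() returns ([3003, 5001], 'GigabitEthernet0/1 customer A', True): after two core hops the tunnel label has been swapped twice while the VC label beneath it is unchanged, and the frame delivered at the far attachment circuit, customer MAC addresses and inner 802.1Q tag included, is byte-for-byte the frame that entered. The core routers never parse past the top label, which is the transparency the section describes; it is also why the provider offers no inspection or protection of the customer's traffic.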