VPLS Implementation - Need some inputs

Unanswered Question
Sep 8th, 2010
User Badges:

Hi All,

We are planning to roll out VPLS services in our network and I need advice from people who have deployed VPLS in their network.

In the real scenario customers may also come over wireless last mile and terminate on our MetroE network. From MetroE network it extends till our POP. No hierarchial VPLS as there is a hardware limitation in 7604.

If customer wants to tunnel layer 2 protocols i.e. CDP, VTP and STP over VPLS, is it advisable to do? Our MetroE network has its own VTP and STP and if I extend the customers VTP, CDP and STP over MetroE, what will happen to the customer layer 2 protocol packets in MetroE cloud. I may miss something very basic here .

Are my below understanding correct?

1. VTP packets will be dropped by MetroE as there is a domain/password mismatch. (provided VTP domain and password are not leaked to Customer). VTP packets get tunneled over VPLS and reaches the other site.

2. STP packets will get tunneled over VPLS and reaches the other site.

3. What will happen to CDP packets?

Also what are the things that need to be planned before rolling out the services. Any input is much appreciated.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
narainarun Wed, 09/08/2010 - 23:49
User Badges:


Thanks for your response. L2 Protocol tunneling will happen on PE routers. But in my scenario the customer switches do not directly terminate on the PE router interface/sub-interfaces.

Customer VLAN's are carried over our existing MetroE switches which run its own STP and VTP. MetroE switches connect to PE routers. So my query is what will happen to the customer VTP/STP/CDP packets when it is received by our MetroE switches in both ingress and egress points?

Consider VTP. VTP messages are sent with Destination MAC as 0100.0ccc.cccc in 802.1Q frames. In this case if customer switch with VLAN 100 sends a VTP message to other site, it has to traverse our MetroE network switches, then reaches to Ingress PE and then it reaches the remote site.

So what will happen to the VTP packets sent by the customer switch in our MetroE network?



rbevaart Mon, 09/13/2010 - 03:23
User Badges:

Your network is either transparant at Layer-2, or it is not. If you're offering VPLS I'd say you want your network to be completely transparent. That either means that you handle all traffic and tunnel/bridge it across your network, or you don't and you drop certain traffic at the edge. If you're aiming for a scenario where the customer can actually interact with your VTP/STP setup my guess is you're heading for trouble.

chintan-shah Mon, 09/13/2010 - 03:33
User Badges:

You can tunnle all layer 2 protocols from customer on your edge MetroE switches so that you just provide layer 2 transport to customer across his sites.

If you just take participate in customer VLAN and layer 2 domain , you will be in trouble.

if your edge switch is real MetroE switch , it should support layer 2 tunneling protocol so that you can configure dot1q tunneling and l2tp to avoid any issue in your network and be transperant for customer.


narainarun Tue, 09/14/2010 - 22:32
User Badges:


Thanks for your replies and it provided very useful information. I had no other choice but to use Layer 2 tunneling protocol for CDP,VTP and STP.

But just curious say if i dont provide these services to customers (carrying CDP,VTP and STP) and I provide only virtual switch for customers in multipoint to multipoint fashion, then

a. how can I drop these packets (Layer2 protocol packets) when entering into my MetroE switches. Is there any CLI available to do it? The reason is i need to evaluate all these alternatives before finalising the produt to customers.

b. If i dont drop these L2 packets, then obviously my MetroE switches participate in those protocols which obviously I dont want to happen.



cbeswick Tue, 11/23/2010 - 07:15
User Badges:


I'm no expert when it comes to metro ethernet or M/VPLS, but in a LAN environment we protect our network by disabling the protocol at the edge, or implementing mechanisms that detect and drop the various L2 control packets. For example, "no cdp enable" on the switch port will prevent CDP exchange, you could use bpdu guard, or bpdu filter to prevent BPDU exchange, or disable spanning tree for the Vlan that is native to the link (if an access port). With VTP you can secure your domain with an MD5 hash password, I think you can add additional VTP security mechanisms in VTP v3....

Hope this helps.


Chetan Kumar Ress Tue, 11/23/2010 - 07:43
User Badges:
  • Silver, 250 points or more


If you want to drop the L2 Protocol then you can do it , But If you will tunnel then also it will not create an issue in your network.

Please refer the belwo command   # l2protocol (Protocol) tunnel         -----> If you want to tunnel the L2 protocol

                                                  # l2protocol (Protocol Name) Drop  -----> If you want to drop the l2 protocol

In VPLS Implementation if your end devices are Metro Switch then you can do it easily , Because it support L2 Tunneling, But if you have traditional switches then might be you have to tweak the network design to implement in existing setup.


Chetan Kumar



This Discussion