Layer 2 Control Protocol (L2CP) Tunneling is a specialized networking feature that allows specific control frames—like STP, LACP, LLDP, or CDP—to be carried transparently across a service provider's network. Tunneling encapsulates the L2CP frames by changing customer’s reserved MAC address with a unique provider multicast MAC address.

The L2CP tunneling is supported on the IEEE 802.1Q networking for handling L2CP frames whether to forward or peer or discard them in an Ethernet network.

In Provider Bridging (PB), the IEEE 802.1Q provides a mechanism for separating the Layer2 control plane into multiple customer and provider control planes. It allows a certain layer 2 control protocol to operate only within a provider network, or to allow interaction between the customer and the provider network, or to pass transparently through a provider network with complete isolation from other customer networks.

In case of non-Provider Bridging, packet is forwarded without changing any MAC.

The behavior of an L2CP frame is a strict evaluation based on the destination MAC address and the specific service attributes configured on the interface.

When a L2CP frame is received at PE router, the device must choose one of following three paths - Discard, Peer, or Pass/Tunnel.

The document describes L2CP tunneling process in various environments such as Provider Bridge (PB), L2VPN.

In a Provider Bridging (PB) environment, L2CP tunneling allows Customer Edge (CE) nodes to exchange control plane traffic transparently across a Service Provider network. This ensures that protocols like STP or LACP remain end-to-end between customer sites rather than being intercepted by the provider.

The following illustration depicts the L2CP frames flow in a PB tunneling environment.

When a control packet arrives at a Provider Edge (PE) router on an Attachment Circuit (AC) port, the system treats it as standard customer traffic.

The LACP Exception: By default, LACP frames are often consumed (peered) by the PE to manage the local link aggregation between the CE and PE. All other L2CP protocols are typically tunneled by default.

Default L2CP decision in provider bridging case:

Enabling tunneling at interface:

Configuring egress interfaces:

To display L2protocol information:

To display L2protocol counters:

In L2VPN environments—such as VPLS (Multipoint) or VPWS (Point-to-Point) or Hybrid (Bridge+L2VPN)—L2CP tunneling ensures that Layer 2 control protocols (like STP, LLDP, or CDP) can traverse the MPLS core. This allows geographically separated Customer Edge (CE) devices to behave as if they are on the same local segment.

A Hybrid Port is a complex interface that handles both local Layer 2 switching (Bridge) and L2VPN (VPLS/VPWS) services simultaneously.

The Switch to Peering: Unlike standard AC ports, when a port is configured as Hybrid, the default behavior for L2CP often shifts to Peering mode. In this mode, the PE router "intercepts" and processes the control frames itself (e.g., the PE participates in the customer's Spanning Tree).

Overriding Behavior: If the goal is to pass these frames through to the remote site instead of processing them locally, you must manually apply L2CP override configurations (such as l2-protocol tunneling commands) to force the hybrid port back into a tunneling state for specific protocols.

The following illustration depicts the L2CP frames tunneling in a L2VPN environment.

Default L2CP behavior in VPLS/VPWS/Hybrid environments:

 

Enabling tunneling at ingress VPLS interface:

To display L2CP information:

Enabling tunneling at bridged interface:

To display L2CP information:

EVPN-MPLS utilizes the Border Gateway Protocol (BGP) as a control plane to distribute MAC addresses and reachability information, while using an MPLS data plane for transport. In this architecture, L2CP tunneling is essential for providing a "transparent wire" experience between Customer Edge (CE) devices across a Layer 3 MPLS core.

The following illustration depicts the L2CP frames tunneling in an EVPN MPLS Single Home environment.

EVPN-MPLS handles L2CP tunneling through a Sub-interface (Sub-ifp) framework. While the actual transport happens over the EVPN instance, the policy—determining which protocols are tunneled—is typically defined at the Parent Interface level (the physical port or LAG connecting the CE).

Because the MPLS core operates at Layer 3, it is naturally unaware of the Ethernet headers or Layer-2 control protocols, ensuring strict separation between the provider network and customer Layer-2 domains. This separation ensures that the provider's core routers (P-routers) are never burdened by customer’s network changes.

L2CP tunneling in EVPN-MPLS enables L2CP frames to be transparently transported between CE devices across both single-homed and multi-homed Ethernet segments. L2CP frames are identified at the ingress PE based on well-known destination MAC addresses, Ethertype values, and configured service policies, which determine whether the frames are tunneled, locally processed, or discarded.

When an L2CP frame is tunneled, the ingress PE suppresses local protocol processing and encapsulates the complete Ethernet frame into EVPN and MPLS headers before forwarding it across the MPLS core. The frame is treated as a standard data packet. Core routers perform label switching only and remain unaware of the control protocol semantics. At the egress PE removes the EVPN and MPLS encapsulation and delivers the original L2CP frame unchanged to the destination CE device. This mechanism preserves end-to-end Layer-2 control plane behavior for customer networks while maintaining isolation and scalability within the EVPN-MPLS provider infrastructure.

Default behavior is Peer.

One of the unique strengths of EVPN-MPLS is Multi-homing (All-Active or Single-Active). When L2CP frames are tunneled in a multi-homed environment, the EVPN control plane ensures that frames like STP BPDUs are handled correctly to avoid loops, often using Ethernet Segment Identifiers (ESI) to manage split-horizon forwarding.

The following illustration depicts the L2CP frames tunneling in an EVPN MPLS Multi Home environment.

 

 

L2CP tunneling provides support for tunneling control plane frames across VxLAN/MH.

 

VxLAN creates LAN segments using a MAC in IP encapsulation. The encapsulation carries the original L2 frame received from a host to the destination in another server using IP tunnels. The endpoints of the virtualized tunnel formed using VxLAN are called VTEPs (VXLAN Tunnel EndPoints).

L2CP tunneling provides support for tunneling control plane frames across VxLAN with MH/SH combination.

Any L2CP frame that is destined towards other end with a multicast destination MAC Address for L2 protocol is decided by looking at the frame and upon the configured values of the L2CP service attributes.

As and when control packets with default destination MAC address for any L2 protocol is generated, it will be forwarded by VTEPs that are part of MH towards the VTEP that is part of SH and vice versa.

During this operation, the default destination MAC address for any L2 protocol is replaced with predefined multicast address as destination for tunneling the packets across spine nodes. When tunneled control packet with pre-defined multicast address received on ingress port on the other end of the VTEP, the multicast address is replaced with corresponding control packet multicast address.