diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
index 1a61fd08ae..5e31f8855a 100644
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@@ -118,11 +118,17 @@ parameters:
       Set or un-set the tunnel header checksum  on outgoing IP packet
       carrying GRE/VXLAN tunnel.
     type: boolean
+  NeutronPermittedEthertypes:
+    default: []
+    description: |
+      Set additional ethertypes to to be configured on neutron firewalls.
+    type: comma_delimited_list
 
 conditions:
   no_firewall_driver: {equals : [{get_param: NeutronOVSFirewallDriver}, '']}
   docker_puppet_mount_host: {equals: [{get_param: DockerPuppetMountHostPuppet}, true]}
   neutron_dvr_unset: {equals : [{get_param: NeutronEnableDVR}, '']}
+  ethertypes_unset: {equals : [{get_param: NeutronPermittedEthertypes}, []]}
 
 resources:
 
@@ -206,6 +212,12 @@ outputs:
             - no_firewall_driver
             - {}
             - neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+          -
+            if:
+            - ethertypes_unset
+            - {}
+            - neutron::agents::ml2::ovs::permitted_ethertypes: {get_param: NeutronPermittedEthertypes}
+
       service_config_settings:
         map_merge:
           - get_attr: [NeutronBase, role_data, service_config_settings]
diff --git a/releasenotes/notes/neutron-permitted-ethertypes-80dc7f2154786881.yaml b/releasenotes/notes/neutron-permitted-ethertypes-80dc7f2154786881.yaml
new file mode 100644
index 0000000000..5a89a10aad
--- /dev/null
+++ b/releasenotes/notes/neutron-permitted-ethertypes-80dc7f2154786881.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added NeutronPermittedEthertypes to allow configuring additional ethertypes
+    on neutron security groups for L2 agents that support it.