802.1Q Tunnels

This chapter contains the following sections:

About ACI 802.1Q Tunnels

Figure 1. ACI 802.1Q Tunnels

You can configure 802.1Q tunnels on edge (tunnel) ports to enable point-to-multi-point tunneling of Ethernet frames in the fabric, with Quality of Service (QoS) priority settings. A Dot1q tunnel transports untagged, 802.1Q tagged, and 802.1ad double-tagged frames as-is across the fabric. Each tunnel carries the traffic from a single customer and is associated with a single bridge domain. Cisco Application Centric Infrastructure (ACI) front panel ports can be part of a Dot1q tunnel. Layer 2 switching is done based on the destination MAC (DMAC) and regular MAC learning is done in the tunnel. Edge port Dot1q tunnels are supported on Cisco Nexus 9000 series switches with "EX" or later suffixes in the switch model name.

You can configure multiple 802.1Q tunnels on the same core port to carry double-tagged traffic from multiple customers, each distinguished with an access encapsulation configured for each 802.1Q tunnel. You can also disable MAC address learning on 802.1Q tunnels. Both edge ports and core ports can belong to an 802.1Q tunnel with access encapsulation and disabled MAC address learning. Both edge ports and core ports in Dot1q tunnel are supported on Cisco Nexus 9000 series switches with "FX" or later suffixes in the switch model name.

IGMP and MLD packets can be forwarded through 802.1Q tunnels.

Terms used in this document may be different in the Cisco Nexus 9000 Series documents.

Table 1. 802.1Q Tunnel Terminology

ACI Documents

Cisco Nexus 9000 Series Documents

Edge Port

Tunnel Port

Core Port

Trunk Port

The following guidelines and restrictions apply:

  • Layer 2 tunneling of VTP, CDP, LACP, LLDP, and STP protocols is supported with the following restrictions:

    • Link Aggregation Control Protocol (LACP) tunneling functions as expected only with point-to-point tunnels using individual leaf interfaces. It is not supported on port channels (PCs) or virtual port channels (vPCs).

    • CDP and LLDP tunneling with PCs or vPCs is not deterministic; it depends on the link it chooses as the traffic destination.

    • To use VTP for Layer 2 protocol tunneling, CDP must be enabled on the tunnel.

    • STP is not supported in an 802.1Q tunnel bridge domain when Layer 2 protocol tunneling is enabled and the bridge domain is deployed on Dot1q tunnel core ports.

    • Cisco ACI leaf switches react to STP TCN packets by flushing the end points in the tunnel bridge domain and flooding them in the bridge domain.

    • CDP and LLDP tunneling with more than two interfaces flood packets on all interfaces.

    • The destination MAC address of Layer 2 protocol packets tunneled from edge to core ports is rewritten as 01-00-0c-cd-cd-d0 and the destination MAC address of Layer 2 protocol packets tunneled from core to edge ports is rewritten with the standard default MAC address for the protocol.

  • If a PC or vPC is the only interface in a Dot1q tunnel and it is deleted and reconfigured, remove the association of the PC/VPC to the Dot1q tunnel and reconfigure it.

  • For 802.1Q tunnels deployed on switches that have EX in the product ID, Ethertype combinations of 0x8100+0x8100, 0x8100+0x88a8, 0x88a8+0x8100, and 0x88a8+0x88a8 for the first two VLAN tags are not supported.

    If the tunnels are deployed on a combination of EX and FX or later switches, then this restriction still applies.

    If the tunnels are deployed only on switches that have FX or later in the product ID, then this restriction does not apply.

  • For core ports, the Ethertypes for double-tagged frames must be 0x8100 followed by 0x8100.

  • You can include multiple edge ports and core ports (even across leaf switches) in a Dot1q tunnel.

  • An edge port may only be part of one tunnel, but a core port can belong to multiple Dot1q tunnels.

  • Regular EPGs can be deployed on core ports that are used in 802.1Q tunnels.

  • L3Outs are not supported on interfaces enabled for Dot1q tunnel.

  • FEX interfaces are not supported as members of a Dot1q tunnel.

  • Interfaces configured as breakout ports do not support 802.1Q tunnels.

  • Interface-level statistics are supported for interfaces in Dot1q tunnel, but statistics at the tunnel level are not supported.

Configuring 802.1Q Tunnels Using the GUI

Configuring 802.1Q Tunnel Interfaces Using the APIC GUI

Configure the interfaces that will use the tunnel, with the following steps:

Before you begin

Create the tenant that will be using the tunnel.

Procedure


Step 1

On the menu bar, click Fabric > Access Policies.

Step 2

On the Navigation bar, click Policies > Interface > L2 Interface.

Step 3

Right-click L2 Interface, select Create L2 Interface Policy, and perform the following actions:

  1. In the Name field, type a name for the Layer 2 Interface policy.

  2. Optional. Add a description of the policy. We recommended that you describe the purpose for the L2 Interface Policy.

  3. To create an interface policy that enables an interface to be used as an edge port in a Dot1q Tunnel, in the QinQ field, click edgePort.

  4. To create an interface policy that enables an interface to be used as a core port in Dot1q Tunnels, in the QinQ field, click corePort.

Step 4

Apply the L2 Interface policy to a Policy Group with the following steps:

  1. Click on Fabric > Access Policies > Interfaces > Leaf Interfaces and expand Policy Groups.

  2. Right-click Leaf Access Port, PC Interface, or VPC Interface and choose one of the following, depending on the type of interface you are configuring for the tunnel.

    • Create Leaf Access Port Policy Group

    • Create PC Policy Group

    • Create VPC Policy Group

  3. In the resulting dialog box, perform the following actions:

    • In the Name field, type a name for the policy group.

      Optional. Add a description of the policy group. We recommend that you describe the purpose of the policy group.

    • In the L2 Interface Policy field, click on the down-arrow and choose the L2 Interface Policy that you previously created.

    • If you are tunneling the CDP Layer 2 Tunneled Protocol, click on the CDP Policy down-arrow, and in the policy dialog box add a name for the policy, disable the Admin State and click Submit..

    • If you are tunneling the LLDP Layer 2 Tunneled Protocol, click on the LLDP Policy down-arrow, and in the policy dialog box add a name for the policy, disable the Transmit State and click Submit.

    • Click Submit.

Step 5

Create a Leaf Interface Profile with the following steps:

  1. Click on Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.

  2. Right-click on Profiles, select Create Leaf Interface Profile, and perform the following steps:

    • In the Name field, type a name for the Leaf Interface Profile.

      Optional. Add a description.

    • In the Interface Selectors field, click the +, and enter the following information:

      • In the Name field, type a name for the interface selector.

        Optional. Add a description.

      • In the Interface IDs field, enter the Dot1q Tunnel interface or multiple interfaces to be included in the tunnel.

      • In the Interface Policy Group field, click on the down arrow and select the interface policy group that you previously created .

Step 6

To create a static binding of the tunnel configuration to a port, click on Tenant > Networking > Dot1Q Tunnels. Expand Dot1Q Tunnels and click on the Dot1Q Tunnels policy_name perviously created and perform the following actions:

  1. Expand the Static Bindings table to open Create Static Binding dialog box.

  2. In the Port field, select the type of port.

  3. In the Node field, select a node from the drop-down.

  4. In the Path field, select the interface path from the drop-down and click Submit.


Configuring 802.1Q Tunnels Using the NX-OS Style CLI

Configuring 802.1Q Tunnels Using the NX-OS Style CLI


Note


You can use ports, port-channels, or virtual port channels for interfaces included in a Dot1q Tunnel. Detailed steps are included for configuring ports. See the examples below for the commands to configure edge and core port-channels and virtual port channels.


Create a Dot1q Tunnel and configure the interfaces for use in the tunnel using the NX-OS Style CLI, with the following steps:


Note


Dot1q Tunnels must include 2 or more interfaces. Repeat the steps (or configure two interfaces together), to mark each interface for use in a Dot1q Tunnel. In this example, two interfaces are configured as edge-switch ports, used by a single customer.


Use the following steps to configure a Dot1q Tunnel using the NX-OS style CLI:

  1. Configure at least two interfaces for use in the tunnel.

  2. Create a Dot1q Tunnel.

  3. Associate all the interfaces with the tunnel.

Before you begin

Configure the tenant that will use the Dot1q Tunnel.

SUMMARY STEPS

  1. configure
  2. Configure two interfaces for use in an 802.1Q tunnel, with the following steps:
  3. leaf ID
  4. interface ethernet slot/port
  5. switchport mode dot1q-tunnel {edgePort | corePort}
  6. Create an 802.1Q tunnel with the following steps:
  7. leaf ID
  8. interface ethernetslot/port
  9. switchport tenanttenant-namedot1q-tunnel tunnel-name
  10. Repeat steps 7 to 10 to associate other interfaces with the tunnel.

DETAILED STEPS

  Command or Action Purpose

Step 1

configure

Example:

apic1# configure

Enters configuration mode.

Step 2

Configure two interfaces for use in an 802.1Q tunnel, with the following steps:

Step 3

leaf ID

Example:

apic1(config)# leaf 101

Identifies the leaf where the interfaces of the Dot1q Tunnel will be located.

Step 4

interface ethernet slot/port

Example:

apic1(config-leaf)# interface ethernet 1/13-14

Identifies the interface or interfaces to be marked as ports in a tunnel.

Step 5

switchport mode dot1q-tunnel {edgePort | corePort}

Example:

apic1(config-leaf-if)# switchport mode dot1q-tunnel edgePort
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# exit

Marks the interfaces for use in an 802.1Q tunnel, and then leaves the configuration mode.

The example shows configuring some interfaces for edge port use. Repeat steps 3 to 5 to configure more interfaces for the tunnel.

Step 6

Create an 802.1Q tunnel with the following steps:

Step 7

leaf ID

Example:


apic1(config)# leaf 101

Returns to the leaf where the interfaces are located.

Step 8

interface ethernetslot/port

Example:


apic1(config-leaf)# interface ethernet 1/13-14

Returns to the interfaces included in the tunnel.

Step 9

switchport tenanttenant-namedot1q-tunnel tunnel-name

Example:


apic1(config-leaf-if)# switchport  tenant  tenant64  dot1q-tunnel  vrf64_edgetunnel
apic1(config-leaf-if)# exit

Associates the interfaces to the tunnel and exits the configuration mode.

Step 10

Repeat steps 7 to 10 to associate other interfaces with the tunnel.

Example: Configuring an 802.1Q Tunnel Using Ports with the NX-OS Style CLI

The example marks two ports as edge port interfaces to be used in a Dot1q Tunnel, marks two more ports to be used as core port interfaces, creates the tunnel, and associates the ports with the tunnel.

apic1# configure
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/13-14
apic1(config-leaf-if)# switchport mode dot1q-tunnel edgePort
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)leaf 102
apic1(config-leaf)# interface ethernet 1/10, 1/21
apic1(config-leaf-if)# switchport mode dot1q-tunnel corePort
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# tenant tenant64
apic1(config-tenant)# dot1q-tunnel vrf64_tunnel
apic1(config-tenant-tunnel)# l2protocol-tunnel cdp
apic1(config-tenant-tunnel)# l2protocol-tunnel lldp
apic1(config-tenant-tunnel)#  access-encap 200
apic1(config-tenant-tunnel)# mac-learning disable
apic1(config-tenant-tunnel)# exit
apic1(config-tenant)# exit
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/13-14
apic1(config-leaf-if)# switchport tenant tenant64 dot1q-tunnel vrf64_tunnel
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# leaf 102
apic1(config-leaf)# interface ethernet 1/10, 1/21
apic1(config-leaf-if)# switchport tenant tenant64 dot1q-tunnel vrf64_tunnel
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit

Example: Configuring an 802.1Q Tunnel Using Port-Channels with the NX-OS Style CLI

The example marks two port-channels as edge-port 802.1Q interfaces, marks two more port-channels as core-port 802.1Q interfaces, creates a Dot1q Tunnel, and associates the port-channels with the tunnel.


apic1# configure
apic1(config)# tenant tenant64
apic1(config-tenant)# dot1q-tunnel vrf64_tunnel
apic1(config-tenant-tunnel)# l2protocol-tunnel cdp
apic1(config-tenant-tunnel)# l2protocol-tunnel lldp
apic1(config-tenant-tunnel)#  access-encap 200
apic1(config-tenant-tunnel)# mac-learning disable
apic1(config-tenant-tunnel)# exit
apic1(config-tenant)# exit
apic1(config)# leaf 101
apic1(config-leaf)# interface port-channel pc1
apic1(config-leaf-if)# exit
apic1(config-leaf)# interface ethernet 1/2-3
apic1(config-leaf-if)# channel-group pc1
apic1(config-leaf-if)# exit
apic1(config-leaf)# interface port-channel pc1
apic1(config-leaf-if)# switchport mode dot1q-tunnel edgePort
apic1(config-leaf-if)# switchport tenant tenant64 dot1q-tunnel vrf64_tunnel
apic1(config-tenant-tunnel)# exit
apic1(config-tenant)# exit
apic1(config)# leaf 102
apic1(config-leaf)# interface port-channel pc2
apic1(config-leaf-if)# exit
apic1(config-leaf)# interface ethernet 1/4-5
apic1(config-leaf-if)# channel-group pc2
apic1(config-leaf-if)# exit
apic1(config-leaf)# interface port-channel pc2
apic1(config-leaf-if)# switchport mode dot1q-tunnel corePort
apic1(config-leaf-if)# switchport tenant tenant64 dot1q-tunnel vrf64_tunnel

Example: Configuring an 802.1Q Tunnel Using Virtual Port-Channels with the NX-OS Style CLI

The example marks two virtual port-channels (vPCs) as edge-port 802.1Q interfaces for theDot1q Tunnel, marks two more vPCs as core-port interfaces for the tunnel, creates the tunnel, and associates the virtual port-channels with the tunnel.

apic1# configure
apic1(config)# vpc domain explicit 1 leaf 101 102
apic1(config)# vpc context leaf 101 102
apic1(config-vpc)# interface vpc vpc1
apic1(config-vpc-if)# switchport mode dot1q-tunnel edgePort
apic1(config-vpc-if)# exit
apic1(config-vpc)# exit
apic1(config)# vpc domain explicit 1 leaf 103 104
apic1(config)# vpc context leaf 103 104
apic1(config-vpc)# interface vpc vpc2
apic1(config-vpc-if)# switchport mode dot1q-tunnel corePort
apic1(config-vpc-if)# exit
apic1(config-vpc)# exit
apic1(config)# tenant tenant64
apic1(config-tenant)# dot1q-tunnel vrf64_tunnel
apic1(config-tenant-tunnel)# l2protocol-tunnel cdp
apic1(config-tenant-tunnel)# l2protocol-tunnel lldp
apic1(config-tenant-tunnel)#  access-encap 200
apic1(config-tenant-tunnel)# mac-learning disable
apic1(config-tenant-tunnel)# exit
apic1(config-tenant)# exit
apic1(config)# leaf 103
apic1(config-leaf)# interface ethernet 1/6
apic1(config-leaf-if)# channel-group vpc1 vpc
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# leaf 104
apic1(config-leaf)# interface ethernet 1/6
apic1(config-leaf-if)# channel-group vpc1 vpc
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit 
apic1(config-vpc)# interface vpc vpc1
apic1(config-vpc-if)# switchport tenant tenant64 dot1q-tunnel vrf64_tunnel 
apic1(config-vpc-if)# exit