About Layer 3 Interfaces
Layer 3 interfaces forward IPv4 and IPv6 packets to another device using static or dynamic routing protocols. You can use Layer 3 interfaces for IP routing and inter-VLAN routing of Layer 2 traffic.
Routed Interfaces
You can configure a port as a Layer 2 interface or a Layer 3 interface. A routed interface is a physical port that can route IP traffic to another device. A routed interface is a Layer 3 interface only and does not support Layer 2 protocols, such as the Spanning Tree Protocol (STP).
All Ethernet ports are routed interfaces by default. You can change this default behavior with the CLI setup script.
Note: The default behavior varies based on the type of switch (Cisco Nexus 9300, Cisco Nexus 9500, or Cisco Nexus 3164).
Note: Cisco Nexus 9300 Series switches (except Cisco Nexus 9332 switch) have a Layer 2 default mode.
You can assign an IP address to the port, enable routing, and assign routing protocol characteristics to this routed interface.
You can also create a Layer 3 port channel from routed interfaces. For more information about port channels, see the “Configuring Port Channels” section.
Routed interfaces support exponentially decayed rate counters. Cisco NX-OS tracks the following statistics with these averaging counters:
- Input packets/sec
- Output packets/sec
- Input bytes/sec
- Output bytes/sec
Subinterfaces
You can create virtual subinterfaces on a parent interface configured as a Layer 3 interface. A parent interface can be a physical port.
Subinterfaces divide the parent interface into two or more virtual interfaces on which you can assign unique Layer 3 parameters such as IP addresses and dynamic routing protocols. The IP address for each subinterface should be in a different subnet from any other subinterface on the parent interface.
You create a subinterface with a name that consists of the parent interface name (for example, Ethernet 2/1) followed by a period and then by a number that is unique for that subinterface. For example, you could create a subinterface for Ethernet interface 2/1 named Ethernet 2/1.1 where .1 indicates the subinterface.
Cisco NX-OS enables subinterfaces when the parent interface is enabled. You can shut down a subinterface independent of shutting down the parent interface. If you shut down the parent interface, Cisco NX-OS shuts down all associated subinterfaces as well.
One use of subinterfaces is to provide unique Layer 3 interfaces to each virtual local area network (VLAN) supported by the parent interface. In this scenario, the parent interface connects to a Layer 2 trunking port on another device. You configure a subinterface and associate the subinterface to a VLAN ID using 802.1Q trunking.
The following figure shows a trunking port from a switch that connects to router B on interface E 2/1. This interface contains three subinterfaces that are associated with each of the three VLANs carried by the trunking port.
For more information about VLANs, see the Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide.
Limitations for Subinterfaces
The following are the limitations for subinterfaces:
- Statistics for subinterfaces are not supported.
- Only 511 subinterfaces per routed physical interface are supported.
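The two subinterface rules above (each subinterface address in its own subnet, and at most 511 subinterfaces per routed physical interface) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide; the configuration text is constructed, and it assumes interface names appear in the running-config form `Ethernet2/1.1`.

```python
import ipaddress
import re
from collections import defaultdict

MAX_SUBIFS = 511  # per routed physical interface, per the limitation above
SUBIF = re.compile(r"^interface\s+((\S+?)\.\d+)$", re.I)  # (full name, parent)
ADDR = re.compile(r"^\s+ip address\s+(\S+/\d+)")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface Ethernet2/1
  no switchport
interface Ethernet2/1.1
  encapsulation dot1q 10
  ip address 10.1.10.1/24
interface Ethernet2/1.2
  encapsulation dot1q 20
  ip address 10.1.20.1/24
interface Ethernet2/1.3
  encapsulation dot1q 30
  ip address 10.1.10.129/25
"""


def audit_subinterfaces(config, limit=MAX_SUBIFS):
    """Return (overlapping_pairs, parents_over_limit) for `config`."""
    nets = defaultdict(list)   # parent -> [(subinterface, network)]
    count = defaultdict(int)   # parent -> number of subinterfaces
    current = None             # regex match for the subinterface in scope
    for line in config.splitlines():
        if line.startswith("interface"):
            current = SUBIF.match(line.strip())
            if current:
                count[current.group(2)] += 1
        elif current and (a := ADDR.match(line)):
            net = ipaddress.ip_interface(a.group(1)).network
            nets[current.group(2)].append((current.group(1), net))
    overlaps = []
    for entries in nets.values():
        for i, (name_a, net_a) in enumerate(entries):
            for name_b, net_b in entries[i + 1:]:
                if net_a.overlaps(net_b):
                    overlaps.append((name_a, name_b))
    over_limit = [p for p, n in count.items() if n > limit]
    return overlaps, over_limit
```

In the sample, Ethernet2/1.3 sits in 10.1.10.128/25, which falls inside the /24 already used by Ethernet2/1.1, so that pair is reported.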
VLAN Interfaces
A VLAN interface, or switch virtual interface (SVI), is a virtual routed interface that connects a VLAN on the device to the Layer 3 router engine on the same device. Only one VLAN interface can be associated with a VLAN, but you need to configure a VLAN interface for a VLAN only when you want to route between VLANs or to provide IP host connectivity to the device through a virtual routing and forwarding (VRF) instance that is not the management VRF. When you enable VLAN interface creation, Cisco NX-OS creates a VLAN interface for the default VLAN (VLAN 1) to permit remote switch administration.
You must enable the VLAN network interface feature before you can configure it. The system automatically takes a checkpoint prior to disabling the feature, and you can roll back to this checkpoint. See the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide for information on rollbacks and checkpoints.
Note: You cannot delete the VLAN interface for VLAN 1.
You can route across VLAN interfaces to provide Layer 3 inter-VLAN routing by configuring a VLAN interface for each VLAN that you want to route traffic to and assigning an IP address on the VLAN interface. For more information about IP addresses and IP routing, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.
The following figure shows two hosts connected to two VLANs on a device. You can configure VLAN interfaces for each VLAN that allows Host 1 to communicate with Host 2 using IP routing between the VLANs. VLAN 1 communicates at Layer 3 over VLAN interface 1 and VLAN 10 communicates at Layer 3 over VLAN interface 10.
Changing VRF Membership for an Interface
When you enter the vrf member command under an interface, you receive an alert about the deletion of the interface configurations, and the clients/listeners (such as CLI-Server) are notified to delete the configurations associated with the interface.
Entering the system vrf-member-change retain-l3-config command enables the retention of the Layer 3 configuration when the VRF member changes on the interface. It does this by sending a notification to the clients/listeners to store (buffer) the existing configurations, delete the configurations from the old VRF context, and reapply the stored configurations under the new VRF context.
Note: When the system vrf-member-change retain-l3-config command is enabled, the Layer 3 configuration is not deleted and remains stored (buffered). When this command is not enabled (default mode), the Layer 3 configuration is not retained when the VRF member changes.
You can disable the retention of the Layer 3 configuration with the no system vrf-member-change retain-l3-config command. In this mode, the Layer 3 configuration is not retained when the VRF member changes.
Notes About Changing VRF Membership for an Interface
- Momentary traffic loss may occur when changing the VRF name.
- Only the configurations under the interface level are processed when the system vrf-member-change retain-l3-config command is enabled. You must manually process any configurations at the router level to accommodate routing protocols after a VRF change.
- The system vrf-member-change retain-l3-config command supports interface level configurations with:
  - Layer 3 configurations maintained by the CLI Server, such as ip address and ipv6 address (secondary) and all OSPF/ISIS/EIGRP CLIs available under the interface configuration.
  - HSRP
  - DHCP Relay Agent CLIs, such as ip dhcp relay address [use-vrf] and ipv6 dhcp relay address [use-vrf].
- For DHCP:
  - As a best practice, the client and server interface VRF should be changed one at a time. Otherwise, the DHCP packets cannot be exchanged on the relay agent.
  - When the client and server are in different VRFs, use the ip dhcp relay address [use-vrf] command to exchange the DHCP packets in the relay agent over the different VRFs.
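Before pushing a change script, it helps to know which interface-level Layer 3 lines a `vrf member` command will wipe. The following Python model of the behavior described above is an added example, not Cisco code; the script text, interface name, VRF name, and addresses are constructed, and `L3_PREFIXES` is an assumed subset of the affected commands.

```python
RETAIN = "system vrf-member-change retain-l3-config"
# Assumed subset of the interface-level Layer 3 commands named above.
L3_PREFIXES = ("ip address", "ipv6 address", "ip dhcp relay address",
               "ipv6 dhcp relay address", "hsrp")

# Constructed change script, in the order it would be entered.
SCRIPT = """\
interface Ethernet1/5
  ip address 192.0.2.1/30
  ip dhcp relay address 198.51.100.10
  vrf member TENANT-A
  description uplink
"""


def l3_lost_on_vrf_change(script):
    """Return [(interface, command)] deleted by a later `vrf member`."""
    retain = False   # default mode: Layer 3 configuration is not retained
    pending = {}     # interface -> Layer 3 commands entered so far
    lost = []
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if line == RETAIN:
            retain = True
        elif line == "no " + RETAIN:
            retain = False
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            pending.setdefault(current, [])
        elif current and line.startswith("vrf member "):
            if not retain:
                # Without retention the interface's Layer 3 lines are deleted.
                lost += [(current, cmd) for cmd in pending[current]]
                pending[current] = []
        elif current and line.startswith(L3_PREFIXES):
            pending[current].append(line)
    return lost
```

Router-level configuration is outside this model, matching the note that it must be handled manually after a VRF change.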
Loopback Interfaces
A loopback interface is a virtual interface with a single endpoint that is always up. Any packet transmitted over a loopback interface is immediately received by this interface. Loopback interfaces emulate a physical interface. You can configure up to 1024 loopback interfaces, numbered 0 to 1023.
You can use loopback interfaces for performance analysis, testing, and local communications. Loopback interfaces can act as a termination address for routing protocol sessions. This loopback configuration allows routing protocol sessions to stay up even if some of the outbound interfaces are down.
IP Unnumbered
The IP unnumbered feature enables the processing of IP packets on a point-to-point (p2p) interface without explicitly configuring a unique IP address on it. This approach borrows an IP address from another interface and conserves address space on point-to-point links.
Any interface that conforms to the point-to-point mode can be used as an IP unnumbered interface. The IP unnumbered feature is supported only on Ethernet interfaces and subinterfaces. The borrowed interface can only be a loopback interface and is known as the numbered interface.
A loopback interface is ideal as a numbered interface in that it is always functionally up. However, because loopback interfaces are local to a switch/router, the reachability of unnumbered interfaces first needs to be established through static routes or by using an interior gateway protocol, such as OSPF or ISIS.
Configuring IP unnumbered interfaces for port channels is supported on all Cisco Nexus 9000 Series switches.
MAC-Embedded IPv6 Address
BGP allows an IPv4 prefix to be carried over an IPv6 next hop. The IPv6 next hop is leveraged to remove neighbor discovery (ND)-related traffic from the network. To do this, the MAC address is embedded in the IPv6 address. Such an address is called a MAC-embedded IPv6 (MEv6) address. The router extracts the MAC address directly from the MEv6 address instead of going through ND. Local interface and next-hop MAC addresses are extracted from the IPv6 addresses.
On MEv6-enabled IPv6 interfaces, the same MEv6-extracted MAC address is used for IPv4 traffic as well. MEv6 is supported on all Layer 3-capable interfaces except switch virtual interfaces (SVIs).
Important: When MEv6 is enabled on an interface, ping6 to the IPv6 link local address, OSPFv3, and BFDv6 are not supported on that interface.
High Availability
Layer 3 interfaces support stateful and stateless restarts. After the switchover, Cisco NX-OS applies the runtime configuration.
See the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide for complete information about high availability.
Virtualization Support
Layer 3 interfaces support Virtual Routing and Forwarding instances (VRFs). VRFs exist within virtual device contexts (VDCs). By default, Cisco NX-OS places you in the default VDC and default VRF.
Note: You must assign an interface to a VRF before you configure the IP address for that interface.
DHCP Client
Cisco NX-OS supports DHCP client for IPv4 and IPv6 addresses on SVIs, physical Ethernet, and management interfaces. You can configure the IP address of a DHCP client by using the ip address dhcp or ipv6 address dhcp command. These commands send a request from the DHCP client to the DHCP server soliciting an IPv4 or IPv6 address from the DHCP server. The DHCP client on the Cisco Nexus switch identifies itself to the DHCP server. The DHCP server uses this identifier to send the IP address back to the DHCP client.
When a DHCP client is configured on the SVI with the DHCP server sending router and DNS options, the ip route 0.0.0.0/0 router-ip and ip name-server dns-ip commands are configured on the switch automatically.
Limitations for Using DHCP Client on Interfaces
The following are the limitations for using DHCP client on interfaces:
- This feature is supported only on physical Ethernet interfaces, management interfaces, and SVIs.
- This feature is supported on non-default virtual routing and forwarding (VRF) instances.
- The DNS server and default router option-related configurations are saved in the startup configuration when you enter the copy running-config startup-config command. When you reload the switch, if this configuration is not applicable, you might have to remove it.
- You can configure a maximum of six DNS servers on the switch, which is a switch limitation. This maximum number includes the DNS servers configured by the DHCP client and the DNS servers configured manually.
  If the number of DNS servers configured on the switch is more than six, and if you get a DHCP offer for an SVI with DNS option set, the IP address is not assigned to the SVI.
- A Cisco Nexus 9000 Series switch supports a maximum of 10 IPv4 and 10 IPv6 DHCP clients.
- DHCP relay and DHCP client configurations are incompatible and are not supported on the same switch. You must remove the DHCP relay configuration before configuring the DHCP Client on an interface.
- When DHCP snooping is enabled on the VLAN whose SVI is configured with the DHCP client, the DHCP snooping is not enforced on the SVI DHCP client.
- When configuring the IPv6 DHCP client, you must configure the ipv6 address use-link-local-only command before the ipv6 address dhcp command.
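Three of these limitations can be checked mechanically in a candidate configuration before it is applied: relay and client on the same switch, the IPv6 command order, and the 10-client ceiling per address family. The following Python lint is an added example, not part of the Cisco guide; the configuration text is constructed and is assumed to list commands in the order they will be entered.

```python
MAX_CLIENTS = 10  # per address family, per the limitation above

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface Vlan10
  ip address dhcp
interface Ethernet1/1
  ipv6 address dhcp
  ipv6 address use-link-local-only
interface Ethernet1/2
  ip dhcp relay address 198.51.100.10
"""


def lint_dhcp_client(config):
    """Return a sorted list of findings for DHCP client usage in `config`."""
    findings = set()
    clients = {"ip": [], "ipv6": []}   # address family -> client interfaces
    relay_ifs = []
    current, link_local_seen = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current, link_local_seen = line.split(None, 1)[1], False
        elif line == "ipv6 address use-link-local-only":
            link_local_seen = True
        elif line in ("ip address dhcp", "ipv6 address dhcp"):
            family = line.split()[0]
            clients[family].append(current)
            if family == "ipv6" and not link_local_seen:
                findings.add(f"{current}: ipv6 address dhcp precedes "
                             "ipv6 address use-link-local-only")
        elif line.startswith(("ip dhcp relay address",
                              "ipv6 dhcp relay address")):
            relay_ifs.append(current)
    if relay_ifs and (clients["ip"] or clients["ipv6"]):
        findings.add("DHCP relay and DHCP client configured on the same switch")
    for family, ifs in clients.items():
        if len(ifs) > MAX_CLIENTS:
            findings.add(f"{len(ifs)} {family} DHCP clients exceed {MAX_CLIENTS}")
    return sorted(findings)
```

The DHCP snooping item above is worth noting alongside these results: an SVI acting as DHCP client is not covered by snooping on its own VLAN, so the address, default route, and name server it accepts depend on which server answers.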
Layer 3 Static MAC Addresses
You can configure a static MAC address for the following Layer 3 interfaces:
- Layer 3 interfaces
- Layer 3 subinterfaces
- Layer 3 port channels
- VLAN network interface
Note: You cannot configure static MAC address on tunnel interfaces.