Configuring Port VLAN Mapping

About Translating Incoming VLANs

Sometimes VLAN translation is required or desired. One such use case is when a service provider has multiple customers connecting to the same physical switch using the same VLAN encapsulation, but they are not and should not be on the same Layer 2 segment. In such cases, translating the incoming VLAN to a unique VLAN that is then mapped to a VNI is the right way to extend the segment. In the figure below, two customers, Blue and Red, both connect to the leaf using VLAN 10 as their encapsulation.

Customers Blue and Red should not be on the same VNI. In this example VLAN 10 for Customer Blue (on interface E1/1) is mapped/translated to VLAN 100, and VLAN 10 for customer Red (on interface E1/2) is mapped to VLAN 200. In turn, VLAN 100 is mapped to VNI 10000 and VLAN 200 is mapped to VNI 20000.

On the other leaf, this mapping is applied in reverse. Incoming VXLAN encapsulated traffic on VNI 10000 is mapped to VLAN 100 which in turn is mapped to VLAN 10 on Interface E1/1. VXLAN encapsulated traffic on VNI 20000 is mapped to VLAN 200 which in turn is mapped to VLAN 10 on Interface E1/2.

Figure 1. Logical Traffic Flow

You can configure VLAN translation between the ingress (incoming) VLAN and a local (translated) VLAN on a port. For the traffic arriving on the interface where VLAN translation is enabled, the incoming VLAN is mapped to a translated VLAN that is VXLAN enabled.

On the underlay, the translated VLAN is mapped to a VNI, the inner dot1q tag is deleted, and the traffic is switched over the VXLAN network. On the egress switch, the VNI is mapped to a translated VLAN. On the outgoing interface, where VLAN translation is configured, the traffic is converted back to the original VLAN and egresses. For traffic counters, refer to the VLAN counters on the translated VLAN, not on the ingress VLAN. Port VLAN (PV) mapping is an access-side feature and is supported with both multicast and ingress replication for flood and learn and MP-BGP EVPN mode for VXLAN.
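The chain described above (port and ingress VLAN, then translated VLAN, then VNI) can be audited for tenant isolation. The following is an added example, not Cisco code: the customer labels per port and the dictionary layout are assumptions, and the data is constructed from the Blue/Red scenario in the text.

```python
from collections import defaultdict

def resolve(port_maps, vlan_to_vni):
    """Return (port, ingress VLAN, translated VLAN, VNI) for every mapping.

    VNI is None when the translated VLAN has no vn-segment, which means the
    mapping cannot carry traffic into the VXLAN fabric.
    """
    return [(port, ingress, local, vlan_to_vni.get(local))
            for port, maps in sorted(port_maps.items())
            for ingress, local in sorted(maps.items())]

def audit(port_owner, port_maps, vlan_to_vni):
    """Flag VNIs reachable by more than one customer and mappings without a VNI."""
    owners_by_vni, unmapped = defaultdict(set), []
    for port, ingress, local, vni in resolve(port_maps, vlan_to_vni):
        if vni is None:
            unmapped.append((port, ingress, local))
        else:
            owners_by_vni[vni].add(port_owner[port])
    shared = {vni: sorted(o) for vni, o in owners_by_vni.items() if len(o) > 1}
    return shared, unmapped

# Constructed data: the Blue/Red layout from the text (owner labels are assumed).
OWNER = {"Ethernet1/1": "Blue", "Ethernet1/2": "Red"}
VNI = {100: 10000, 200: 20000}
GOOD = {"Ethernet1/1": {10: 100}, "Ethernet1/2": {10: 200}}
# Constructed misconfiguration: Red's port reuses Blue's translated VLAN and
# also maps VLAN 20 to a translated VLAN that has no vn-segment.
BAD = {"Ethernet1/1": {10: 100}, "Ethernet1/2": {10: 100, 20: 300}}

if __name__ == "__main__":
    print(audit(OWNER, GOOD, VNI))
    print(audit(OWNER, BAD, VNI))
```

In the misconfigured case both customers land on VNI 10000, which is exactly the shared Layer 2 segment the translation is meant to prevent.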

Guidelines and Limitations for Port VLAN Mapping

The following are the guidelines and limitations for Port VLAN Mapping:

  • Support is added for vPC Fabric Peering.

  • VLAN translation is supported only on VXLAN enabled VLANs.

  • The ingress (incoming) VLAN does not need to be configured on the switch as a VLAN. The translated VLAN must be configured and given a vn-segment mapping. An NVE interface with VNI mapping is also essential.

  • All Layer 2 source address learning and Layer 2 MAC destination lookup occurs on the translated VLAN. Refer to the VLAN counters on the translated VLAN and not on the ingress (incoming) VLAN.

  • Cisco Nexus 9300 and 9500 switches support switching and routing on overlapped VLAN interfaces. Only VLAN-mapping switching is applicable for Cisco Nexus 9300-EX/FX/FX2/FX3 platform switches and Cisco Nexus 9500 with -EX/FX line cards.

  • Port VLAN routing is supported on the following platforms:

    • Beginning with Cisco NX-OS Release 7.x, this feature is supported on Cisco Nexus 9300-EX/FX/FX2 platform switches.

    • Beginning with Cisco NX-OS Release 9.2(x), this feature is supported on Cisco Nexus 9300-GX platform switches.

    • Beginning with Cisco NX-OS Release 9.3(x), this feature is supported on Cisco Nexus 9300-FX3 platform switches.

  • Beginning with Cisco NX-OS Release 9.3(3), PV Translation is supported for Cisco Nexus 9300-GX platform switches.

  • On Cisco Nexus 9300 Series switches with NFE ASIC, PV routing is not supported on 40 G ALE ports.

  • PV routing supports configuring an SVI on the translated VLAN for flood and learn and BGP EVPN mode for VXLAN.

  • VLAN translation (mapping) is supported on Cisco Nexus 9000 Series switches with a Network Forwarding Engine (NFE).

  • When changing a property on a translated VLAN, the port that has a mapping configuration with that VLAN as the translated VLAN must be flapped to ensure correct behavior. This is applicable only to the following platforms:

    • N9K-C9504 modules

    • N9K-C9508 modules

    • N9K-C9516 modules

    • Nexus 9400 line cards

    • Nexus 9500 line cards

    • Nexus 9600 line cards

    • Nexus 9700-X Cloud Scale line cards

    • Nexus 9600-R and R2 line cards

    Int eth 1/1
    switchport vlan mapping 101 10
    .
    .
    .
     
    /***Deleting vn-segment from vlan 10.***/
    /***Adding vn-segment back.***/
    /***Flap Eth 1/1 to ensure correct behavior.***/
  • The following example shows incoming VLAN 10 being mapped to local VLAN 100. Local VLAN 100 will be the one mapped to a VXLAN VNI.

    interface ethernet1/1
    switchport vlan mapping 10 100
  • The following is an example of overlapping VLANs for PV translation. In the first statement, VLAN-102 is a translated VLAN with VNI mapping. In the second statement, VLAN-102 is the VLAN that is translated to VLAN-103 with VNI mapping.

    interface ethernet1/1
    switchport vlan mapping 101 102
    switchport vlan mapping 102 103
  • When adding a member to an existing port channel using the force command, the "mapping enable" configuration must be consistent. For example:

    Int po 101
    switchport vlan mapping enable
    switchport vlan mapping 101 10
    switchport trunk allowed vlan 10
     
    int eth 1/8
    /***No configuration***/

    Note


    The switchport vlan mapping enable command is supported only when the port mode is trunk.


  • Port VLAN mapping is not supported on Cisco Nexus 9200 platform switches.

  • VLAN mapping helps with VLAN localization to a port, scoping the VLANs per port. A typical use case is in the service provider environment where the service provider leaf switch has different customers with overlapping VLANs that come in on different ports. For example, customer A has VLAN 10 coming in on Eth 1/1 and customer B has VLAN 10 coming in on Eth 2/2.

    In this scenario, you can map the customer VLAN to a provider VLAN and map that to a Layer 2 VNI. There is an operational benefit in terminating different customer VLANs and mapping them to the fabric-managed VLANs, L2 VNIs.

  • An NVE interface with VNI mapping must be configured for Port VLAN translation to work.

  • Port VLAN mapping is not supported on FEX ports.

Configuring Port VLAN Mapping on a Trunk Port

Before you begin

  • Ensure that the physical interface or port channel on which you want to implement VLAN translation is configured as a Layer 2 trunk port.

  • Ensure that the translated VLANs are created on the switch and are also added to the Layer 2 trunk port's trunk-allowed VLAN vlan-list.


    Note


    As a best practice, do not add the ingress VLAN ID to the switchport allowed vlan-list under the interface.


  • Ensure that all translated VLANs are VXLAN enabled.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

interface type/port

Example:

switch(config)# interface Ethernet1/1

Specifies the interface that you are configuring.

Step 3

[no] switchport vlan mapping enable

Example:

switch(config-if)# [no] switchport vlan mapping enable

Enables VLAN translation on the switch port. VLAN translation is disabled by default.

Note

 

Use the no form of this command to disable VLAN translation.

Step 4

[no] switchport vlan mapping vlan-id translated-vlan-id

Example:

switch(config-if)# switchport vlan mapping 10 100

Translates a VLAN to another VLAN.

  • The range for both the vlan-id and translated-vlan-id arguments is from 1 to 4094.

  • You can configure VLAN translation between the ingress (incoming) VLAN and a local (translated) VLAN on a port. For the traffic arriving on the interface where VLAN translation is enabled, the incoming VLAN is mapped to a translated VLAN that is VXLAN enabled.

On the underlay, the translated VLAN is mapped to a VNI, the inner dot1q tag is deleted, and the traffic is switched over the VXLAN network. On the egress switch, the VNI is mapped to a local translated VLAN. On the outgoing interface, where VLAN translation is configured, the traffic is converted back to the original VLAN and egresses.

Note

 

Use the no form of this command to clear the mappings between a pair of VLANs.

Step 5

[no] switchport vlan mapping all

Example:

switch(config-if)# switchport vlan mapping all

Removes all VLAN mappings configured on the interface.

Step 6

copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Note

 

The VLAN translation configuration does not become effective until the switch port becomes an operational trunk port.

Step 7

show interface [if-identifier] vlan mapping

Example:

switch# show interface ethernet1/1 vlan mapping

Displays VLAN mapping information for a range of interfaces or for a specific interface.

Example

This example shows how to configure VLAN translation between the ingress VLAN 10 and the local VLAN 100. The show vlan counters command output reports the statistics counters under the translated VLAN instead of the customer VLAN.

switch#  configure terminal 
switch(config)#  interface ethernet1/1   
switch(config-if)#  switchport vlan mapping enable 
switch(config-if)#  switchport vlan mapping 10 100  
switch(config-if)#  switchport trunk allowed vlan 100 
switch(config-if)#  show interface ethernet1/1 vlan mapping 
Interface eth1/1:
Original VLAN           Translated VLAN
------------------      ---------------
10                           100  
 
switch(config-if)#  show vlan counters 
Vlan Id                             :100
Unicast Octets In                   :292442462  
Unicast Packets In                  :1950525  
Multicast Octets In                 :14619624  
Multicast Packets In                :91088  
Broadcast Octets In                 :14619624  
Broadcast Packets In                :91088  
Unicast Octets Out                  :304012656  
Unicast Packets Out                 :2061976  
L3 Unicast Octets In                :0  
L3 Unicast Packets In               :0 

Configuring Inner VLAN and Outer VLAN Mapping on a Trunk Port

Configuring Inner VLAN and Outer VLAN Mapping on a Trunk Port is applicable only for Cisco Nexus 9300 platforms and not supported on Cisco Nexus 9200, 9300-EX, 9300-FX, 9300-FX2, 9300-FX3, 9300-GX, 9300-GX2, 9364C, 9332C platforms.

You can configure VLAN translation from an inner VLAN and an outer VLAN to a local (translated) VLAN on a port. For the double tag VLAN traffic arriving on the interfaces where VLAN translation is enabled, the inner VLAN and outer VLAN are mapped to a translated VLAN that is VXLAN enabled.

Notes for configuring inner VLAN and outer VLAN mapping:

  • The inner and outer VLANs cannot be on the trunk allowed list on a port where inner VLAN and outer VLAN mapping is configured.

    For example:

    
    switchport vlan mapping 11 inner 12 111
    switchport trunk allowed vlan 11-12,111 /***Not valid because 11 is outer VLAN and 12 is inner VLAN.***/ 
    
    
  • On the same port, no two mapping (translation) configurations can have the same outer (or original) or translated VLAN. Multiple inner VLAN and outer VLAN mapping configurations can have the same inner VLAN.

    For example:

     
    switchport vlan mapping 101 inner 102 1001
    switchport vlan mapping 101 inner 103 1002  /***Not valid because 101 is already used as an original VLAN.***/
    switchport vlan mapping 111 inner 104 1001  /***Not valid because 1001 is already used as a translated VLAN.***/
    switchport vlan mapping 106 inner 102 1003  /***Valid because inner vlan can be the same.***/ 
    
  • When a packet comes double-tagged on a port which is enabled with the inner option, only bridging is supported.

  • VXLAN PV routing is not supported for double-tagged frames.
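The per-port rules above lend themselves to a pre-change check. The following is an added example, not Cisco code: it lints one interface stanza for reused original or translated VLANs, inner or outer tags on the trunk allowed list, translated VLANs missing from that list, and IDs outside 1 to 4094. The function names, finding labels and sample stanzas are assumptions constructed for illustration.

```python
import re

# "mapping enable" and "mapping all" carry no VLAN IDs, so MAP_RE skips them.
MAP_RE = re.compile(r"switchport vlan mapping (\d+)(?: inner (\d+))? (\d+)$")
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan ([\d,-]+)$")

def expand(vlan_list):
    """Expand a list such as '11-12,111' into a set of VLAN IDs."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint_port(config):
    """Return (rule, vlan) findings for one interface stanza given as text."""
    allowed, maps, findings = set(), [], []
    for line in map(str.strip, config.splitlines()):
        if m := ALLOWED_RE.match(line):
            allowed |= expand(m.group(1))
        elif m := MAP_RE.match(line):
            maps.append(tuple(int(g) if g else None for g in m.groups()))
    seen_original, seen_translated = set(), set()
    for original, inner, translated in maps:
        ids = [v for v in (original, inner, translated) if v is not None]
        findings += [("out-of-range", v) for v in ids if not 1 <= v <= 4094]
        if original in seen_original:
            findings.append(("duplicate-original", original))
        if translated in seen_translated:
            findings.append(("duplicate-translated", translated))
        seen_original.add(original)
        seen_translated.add(translated)
        if translated not in allowed:
            findings.append(("translated-not-allowed", translated))
        if inner is not None:  # double-tag mapping: neither tag may be allowed
            findings += [("tag-in-allowed-list", v)
                         for v in (original, inner) if v in allowed]
    return findings

# Constructed stanzas that restate the invalid cases described above.
TAGS_ALLOWED = """switchport vlan mapping 11 inner 12 111
switchport trunk allowed vlan 11-12,111"""
REUSED_IDS = """switchport vlan mapping 101 inner 102 1001
switchport vlan mapping 101 inner 103 1002
switchport vlan mapping 111 inner 104 1001
switchport vlan mapping 106 inner 102 1003
switchport trunk allowed vlan 1001-1003"""

if __name__ == "__main__":
    print(lint_port(TAGS_ALLOWED), lint_port(REUSED_IDS))
```

A single-tag overlap such as `101 102` followed by `102 103` passes, because the original and translated VLANs are tracked separately.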

Procedure

  Command or Action Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface type port

Enters interface configuration mode.

Step 3

[no] switchport mode trunk

Enters trunk configuration mode.

Step 4

switchport vlan mapping enable

Enables VLAN translation on the switch port. VLAN translation is disabled by default.

Note

 

Use the no form of this command to disable VLAN translation.

Step 5

switchport vlan mapping outer-vlan-id inner inner-vlan-id translated-vlan-id

Translates inner VLAN and outer VLAN to another VLAN.

Step 6

(Optional) copy running-config startup-config

Copies the running configuration to the startup configuration.

Note

 

The VLAN translation configuration does not become effective until the switch port becomes an operational trunk port.

Step 7

(Optional) show interface [if-identifier] vlan mapping

Displays VLAN mapping information for a range of interfaces or for a specific interface.

Example

This example shows how to configure translation of double tag VLAN traffic (inner VLAN 12; outer VLAN 11) to VLAN 111.


switch# configure terminal
switch(config)# interface ethernet1/1
switch(config-if)# switchport mode trunk
switch(config-if)# switchport vlan mapping enable 
switch(config-if)# switchport vlan mapping 11 inner 12 111  
switch(config-if)# switchport trunk allowed vlan 101-170
switch(config-if)# no shutdown

switch(config-if)# show mac address-table dynamic vlan 111

Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*  111     0000.0092.0001   dynamic  0         F      F    nve1(100.100.100.254)
*  111     0000.0940.0001   dynamic  0         F      F    Eth1/1