Q-in-Q Encapsulation Mapping for EPGs

Using Cisco Application Policy Infrastructure Controller (APIC), you can map double-tagged VLAN traffic ingressing on a regular interface, PC, or vPC to an EPG. When this feature is enabled and double-tagged traffic enters the network for an EPG, both tags are processed individually in the fabric and restored to double tags when the traffic egresses the Cisco Application Centric Infrastructure (ACI) switch. Ingressing single-tagged and untagged traffic is dropped.

The following guidelines and limitations apply:

  • This feature is only supported on Cisco Nexus 9300-FX platform switches.

  • Both the outer and inner tag must be of EtherType 0x8100.

  • MAC learning and routing are based on the EPG port, sclass, and VRF instance, not on the access encapsulations.

  • QoS priority settings are supported, derived from the outer tag on ingress, and rewritten to both tags on egress.

  • EPGs can simultaneously be associated with other interfaces on a leaf switch that are configured for single-tagged VLANs.

  • Service graphs are supported for provider and consumer EPGs that are mapped to Q-in-Q encapsulated interfaces. You can insert service graphs, as long as the ingress and egress traffic on the service nodes is in single-tagged encapsulated frames.

  • When vPC ports are enabled for Q-in-Q encapsulation mode, VLAN consistency checks are not performed.
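The ingress behaviour and tag guidelines above, modelled as an added example (not Cisco code and not the switch's implementation): a frame is accepted only when it carries two tags that both use EtherType 0x8100, and the priority is read from the outer tag. The function names and the sample frames are constructed for illustration, and treating any other TPID as a non-match is an assumption of this model.

```python
import struct

TPID_DOT1Q = 0x8100  # the only EtherType the guidelines allow for both tags


def parse_tag(frame, offset):
    """Return (tpid, pcp, vid) for the 4-byte tag at offset, or None if too short."""
    if len(frame) < offset + 4:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return tpid, tci >> 13, tci & 0x0FFF  # PCP is the top 3 bits, VID the low 12


def classify(frame):
    """Model the ingress rule on a port in Q-in-Q encapsulation mode.

    Returns ("accept", outer_vid, inner_vid, pcp) or ("drop", reason).
    """
    outer = parse_tag(frame, 12)  # tags start after destination + source MAC
    if outer is None or outer[0] != TPID_DOT1Q:
        return ("drop", "untagged or outer tag not 0x8100")
    inner = parse_tag(frame, 16)
    if inner is None or inner[0] != TPID_DOT1Q:
        return ("drop", "single-tagged or inner tag not 0x8100")
    # QoS priority is derived from the outer tag on ingress
    return ("accept", outer[2], inner[2], outer[1])


def build(tags, ethertype=0x0800):
    """Constructed sample frame: zeroed MACs, the given (tpid, pcp, vid) tags, dummy payload."""
    hdr = bytes(12)
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    samples = {
        "double 0x8100/0x8100": build([(0x8100, 5, 202), (0x8100, 0, 203)]),
        "single-tagged": build([(0x8100, 0, 202)]),
        "untagged": build([]),
        "outer 0x88a8": build([(0x88A8, 0, 202), (0x8100, 0, 203)]),
    }
    for name, frame in samples.items():
        print(f"{name:22} -> {classify(frame)}")
```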

The following features and options are not supported with this feature:

  • Per-port VLAN feature

  • FEX connections

  • Mixed mode

    For example, an interface in Q-in-Q encapsulation mode can have a static path binding to an EPG with double-tagged encapsulation only, not with regular VLAN encapsulation.

  • STP and the "Flood in Encapsulation" option

  • Untagged and 802.1p mode

  • Multi-pod and Multi-Site

  • Legacy bridge domain

  • L2Out and L3Out connections

  • VMM integration

  • Changing a port mode from routed to Q-in-Q encapsulation mode

  • Per-VLAN mis-cabling protocol on ports in Q-in-Q encapsulation mode

Configuring Q-in-Q Encapsulation Mapping for EPGs Using the GUI

Enabling Q-in-Q Encapsulation on Specific Leaf Switch Interfaces Using the GUI

Leaf switch ports, PCs, or vPCs are enabled for Q-in-Q encapsulation mode in the Interface tab of one of the following locations in the APIC GUI.

  • Fabric > Inventory > Topology

  • Fabric > Inventory > Pod

  • Fabric > Inventory > Pod > leaf-name

Configure vPCs on the Topology or Pod Interface tab.

Before you begin

The tenant, application profile, and the application EPG that will be mapped with an interface configured for Q-in-Q mode should be created.

Procedure


Step 1

On the menu bar, choose Fabric > Inventory and click Topology, Pod, or expand Pod and choose a leaf.

Step 2

On the Topology or Pod panel, click the Interface tab.

Step 3

Click the Operation/Configuration toggle-button to display the configuration panel.

Step 4

Click + to add diagrams of leaf switches, choose one or more switches, and click Add Selected.

On the leaf-name panel Interface tab, a diagram of the switch appears automatically after you click the Operation/Configuration toggle-button.

Step 5

Click the interfaces to be enabled for Q-in-Q encapsulation mode.

Step 6

To configure a port, perform the following steps:

  1. Click L2 on the upper left.

  2. On the L2 tab, on the L2 QinQ State field, click Double Q Tag Port and click Submit.

Step 7

To configure a PC, perform the following steps:

  1. Click PC on the upper left.

  2. On the Physical Interface tab, enter the Policy Group Name.

  3. On the L2 tab, on the L2 QinQ State field, click Double Q Tag Port and click Submit.

Step 8

To configure a vPC, perform the following steps:

  1. On two leaf switch diagrams, click the interfaces for the two legs of the vPC.

  2. Click vPC.

  3. On the Physical Interface tab, enter the Logical Pair ID and the Policy Group Name. The Logical Pair ID is the identifier for the auto-protection group; each protection group has a unique ID in the range 1 to 1000.

  4. On the L2 tab, on the L2 QinQ State field, click Double Q Tag Port and click Submit.


Enabling Q-in-Q Encapsulation for Leaf Interfaces With Fabric Interface Policies Using the GUI

Enable leaf interfaces, PCs, and vPCs for Q-in-Q encapsulation, using a leaf interface profile.

Before you begin

The tenant, application profile, and the application EPG that will be mapped with an interface configured for Q-in-Q mode should be created.

Procedure


Step 1

On the menu bar, click Fabric > External Access Policies.

Step 2

On the Navigation bar, click Policies > Interface > L2 Interface.

Step 3

Right-click L2 Interface, select Create L2 Interface Policy, and perform the following actions:

  1. In the Name field, enter a name for the Layer 2 Interface policy.

  2. Optional. Add a description of the policy. We recommend that you describe the purpose for the L2 Interface Policy.

  3. To create an interface policy that enables Q-in-Q encapsulation, in the QinQ field, click doubleQtagPort.

  4. Click Submit.

Step 4

Apply the L2 Interface policy to a Policy Group with the following steps:

  1. Click on Fabric > External Access Policies > Interfaces > Leaf Interfaces, and expand Policy Groups.

  2. Right-click Leaf Access Port, PC Interface, or vPC Interface and choose one of the following, depending on the type of interface you are configuring for the tunnel.

    • Create Leaf Access Port Policy Group

    • Create PC Policy Group

    • Create vPC Policy Group

  3. In the resulting dialog box, enter the policy group name, choose the L2 Interface policy that you previously created, and click Submit.

Step 5

Create a Leaf Interface Profile with the following steps:

  1. Click on Fabric > External Access Policies > Interface > Leaf Interfaces > Profiles.

  2. Right-click on Leaf Profiles, choose Create Leaf Interface Policy, and perform the following steps:

    • In the Name field, type a name for the Leaf Interface Profile.

      Optional. Add a description.

    • On the Interface Selectors field, click the +, and enter the following information:

      • In the Name field, type a name for the interface selector.

        Optional. Add a description.

      • Enter the selector name, and optionally, a description.

      • In the Interface IDs field, enter the interface or multiple interfaces to be included in the profile.

      • In the Interface Policy Group field, choose the interface policy group that you previously created.


Mapping an EPG to a Q-in-Q Encapsulation-Enabled Interface Using the GUI

You can associate EPGs with Q-in-Q encapsulation-enabled interfaces in one of the following models:

  • Deploy a static EPG on specific Q-in-Q encapsulation-enabled interfaces

  • Statically link an EPG with a Q-in-Q encapsulation-enabled leaf switch

  • Associate an EPG with a Q-in-Q encapsulation-enabled endpoint (with a static MAC address)

All three tasks are performed in the same area of the APIC GUI.

Before you begin

  • Create the tenant, application profile, and application EPG that will be mapped with an interface configured for Q-in-Q mode.

  • The target interfaces should be configured for Q-in-Q encapsulation.

SUMMARY STEPS

  1. In the menu bar, click Tenants > tenant-name.
  2. In the Navigation pane, expand Application Profiles > application-profile-name > Application EPGs > application-EPG-name.
  3. To deploy a static EPG on an interface, PC, or vPC that has been enabled for Q-in-Q mode, perform the following steps:
  4. To statically link an EPG with a node enabled with Q-in-Q mode, perform the following steps:
  5. To associate an EPG with a static endpoint, perform the following steps:

DETAILED STEPS


Step 1

In the menu bar, click Tenants > tenant-name.

Step 2

In the Navigation pane, expand Application Profiles > application-profile-name > Application EPGs > application-EPG-name.

Step 3

To deploy a static EPG on an interface, PC, or vPC that has been enabled for Q-in-Q mode, perform the following steps:

  1. Under the application EPG, right-click Static Ports and choose Deploy Static EPG on PC, vPC, or Interface.

  2. Choose the path type, the node, and the path to the Q-in-Q enabled interface.

  3. On the Port Encap (or Secondary VLAN for Micro-Seg) field, choose QinQ and enter the outer and inner VLAN tags for traffic mapped to the EPG.

  4. Click Submit.

Step 4

To statically link an EPG with a node enabled with Q-in-Q mode, perform the following steps:

  1. Under the application EPG, right-click Static Leafs and choose Statically Link With Node.

  2. In the Node field, choose the Q-in-Q-enabled switches from the list.

  3. On the Encap field, choose QinQ and enter the outer and inner VLAN tags for the EPG.

  4. Click Submit.

Step 5

To associate an EPG with a static endpoint, perform the following steps:

  1. Under the application EPG, right-click Static EndPoints and choose Create Static EndPoint.

  2. Enter the MAC address of the interface.

  3. Choose the path type, node, and path to the Q-in-Q encapsulation-enabled interface.

  4. Optional. Add IP addresses for the endpoint.

  5. On the Encap field, choose QinQ and enter the outer and inner VLAN tags.

  6. Click Submit.


Mapping EPGs to Q-in-Q Encapsulated Leaf Interfaces Using the NX-OS Style CLI

Enable an interface for Q-in-Q encapsulation and associate the interface with an EPG.

Before you begin

Create the tenant, application profile, and application EPG that will be mapped with an interface configured for Q-in-Q mode.

SUMMARY STEPS

  1. configure
  2. leaf number
  3. interface ethernet slot/port
  4. switchport mode dot1q-tunnel doubleQtagPort
  5. switchport trunk qinq outer-vlan vlan-number inner-vlan vlan-number tenant tenant-name application application-name epg epg-name

DETAILED STEPS

  Command or Action Purpose

Step 1

configure

Example:

apic1# configure

Enters global configuration mode.

Step 2

leaf number

Example:

apic1(config)# leaf 101

Specifies the leaf to be configured.

Step 3

interface ethernet slot/port

Example:

apic1(config-leaf)# interface ethernet 1/25

Specifies the interface to be configured.

Step 4

switchport mode dot1q-tunnel doubleQtagPort

Example:

apic1(config-leaf-if)# switchport mode dot1q-tunnel doubleQtagPort

Enables an interface for Q-in-Q encapsulation.

Step 5

switchport trunk qinq outer-vlan vlan-number inner-vlan vlan-number tenant tenant-name application application-name epg epg-name

Example:

apic1(config-leaf-if)# switchport trunk qinq outer-vlan 202 inner-vlan 203 tenant tenant64 application AP64 epg EPG64

Associates the interface with an EPG.

Example

The following example enables Q-in-Q encapsulation (with outer-VLAN ID 202 and inner-VLAN ID 203) on the leaf interface 101/1/25, and associates the interface with EPG64.

apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/25
apic1(config-leaf-if)# switchport mode dot1q-tunnel doubleQtagPort
apic1(config-leaf-if)# switchport trunk qinq outer-vlan 202 inner-vlan 203 tenant tenant64 application AP64 epg EPG64

Mapping EPGs to Q-in-Q Encapsulation Enabled Interfaces Using the REST API

Before you begin

Create the tenant, application profile, and application EPG that will be mapped with an interface configured for Q-in-Q mode.

SUMMARY STEPS

  1. Enable an interface for Q-in-Q encapsulation and associate the interface with an EPG, with XML such as the following example:

DETAILED STEPS


Enable an interface for Q-in-Q encapsulation and associate the interface with an EPG, with XML such as the following example:

Example:

<polUni>
  <fvTenant dn="uni/tn-tenant64" name="tenant64">
    <fvCtx name="VRF64"/>
    <fvBD name="BD64_1">
      <fvRsCtx tnFvCtxName="VRF64"/>
      <fvSubnet ip="20.0.1.2/24"/>
    </fvBD>
    <fvAp name="AP64">
      <fvAEPg name="WEB7">
        <fvRsBd tnFvBDName="BD64_1"/>
        <fvRsQinqPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/25]" encap="qinq-202-203"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
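A pre-deployment check for payloads like the one above, as an added example (not Cisco code): it validates each `qinq-<outer>-<inner>` encap and flags any path that is bound with both Q-in-Q and regular VLAN encapsulation, which is the unsupported mixed mode listed earlier. The second EPG (`WEB8`), its `fvRsPathAtt` binding with `encap="vlan-300"`, and the 1-4094 VLAN range are constructed for this sample and are not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

QINQ_RE = re.compile(r"^qinq-(\d+)-(\d+)$")


def parse_qinq_encap(encap):
    """Return (outer, inner) from 'qinq-<outer>-<inner>' or raise ValueError."""
    m = QINQ_RE.match(encap or "")
    if not m:
        raise ValueError(f"not a Q-in-Q encap: {encap!r}")
    outer, inner = int(m.group(1)), int(m.group(2))
    for name, vid in (("outer", outer), ("inner", inner)):
        if not 1 <= vid <= 4094:  # assumption: standard 802.1Q VLAN ID range
            raise ValueError(f"{name} VLAN {vid} outside 1-4094")
    return outer, inner


def audit(xml_text):
    """Return (qinq_bindings, mixed_paths) for a polUni document.

    qinq_bindings maps each path tDn to [(epg, outer, inner), ...];
    mixed_paths lists paths that also carry a regular VLAN static binding.
    """
    root = ET.fromstring(xml_text)
    qinq, single = {}, set()
    for epg in root.iter("fvAEPg"):
        for att in epg.findall("fvRsQinqPathAtt"):
            entry = (epg.get("name"),) + parse_qinq_encap(att.get("encap"))
            qinq.setdefault(att.get("tDn"), []).append(entry)
        for att in epg.findall("fvRsPathAtt"):
            single.add(att.get("tDn"))
    return qinq, sorted(set(qinq) & single)


# Constructed sample: the page's WEB7 binding plus a conflicting VLAN binding.
SAMPLE = """<polUni><fvTenant name="tenant64"><fvAp name="AP64">
  <fvAEPg name="WEB7">
    <fvRsQinqPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/25]" encap="qinq-202-203"/>
  </fvAEPg>
  <fvAEPg name="WEB8">
    <fvRsPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/25]" encap="vlan-300"/>
  </fvAEPg>
</fvAp></fvTenant></polUni>"""

if __name__ == "__main__":
    bindings, mixed = audit(SAMPLE)
    print("Q-in-Q bindings:", bindings)
    print("Mixed-mode paths:", mixed)
```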