About ACI 802.1Q Tunnels
You can configure 802.1Q tunnels on edge (tunnel) ports to enable point-to-multi-point tunneling of Ethernet frames in the fabric, with Quality of Service (QoS) priority settings. A Dot1q tunnel transports untagged, 802.1Q tagged, and 802.1ad double-tagged frames as-is across the fabric. Each tunnel carries the traffic from a single customer and is associated with a single bridge domain. Cisco Application Centric Infrastructure (ACI) front panel ports can be part of a Dot1q tunnel. Layer 2 switching is done based on the destination MAC (DMAC) and regular MAC learning is done in the tunnel. Edge port Dot1q tunnels are supported on Cisco Nexus 9000 series switches with "EX" or later suffixes in the switch model name.
You can configure multiple 802.1Q tunnels on the same core port to carry double-tagged traffic from multiple customers, each distinguished with an access encapsulation configured for each 802.1Q tunnel. You can also disable MAC address learning on 802.1Q tunnels. Both edge ports and core ports can belong to an 802.1Q tunnel with access encapsulation and disabled MAC address learning. Both edge ports and core ports in Dot1q tunnel are supported on Cisco Nexus 9000 series switches with "FX" or later suffixes in the switch model name.
IGMP and MLD packets can be forwarded through 802.1Q tunnels.
Terms used in this document may be different in the Cisco Nexus 9000 Series documents.
ACI Documents |
Cisco Nexus 9000 Series Documents |
---|---|
Edge Port |
Tunnel Port |
Core Port |
Trunk Port |
The following guidelines and restrictions apply:
-
Layer 2 tunneling of VTP, CDP, LACP, LLDP, and STP protocols is supported with the following restrictions:
-
Link Aggregation Control Protocol (LACP) tunneling functions as expected only with point-to-point tunnels using individual leaf interfaces. It is not supported on port channels (PCs) or virtual port channels (vPCs).
-
CDP and LLDP tunneling with PCs or vPCs is not deterministic; it depends on the link it chooses as the traffic destination.
-
To use VTP for Layer 2 protocol tunneling, CDP must be enabled on the tunnel.
-
STP is not supported in an 802.1Q tunnel bridge domain when Layer 2 protocol tunneling is enabled and the bridge domain is deployed on Dot1q tunnel core ports.
-
Cisco ACI leaf switches react to STP TCN packets by flushing the end points in the tunnel bridge domain and flooding them in the bridge domain.
-
CDP and LLDP tunneling with more than two interfaces flood packets on all interfaces.
-
The destination MAC address of Layer 2 protocol packets tunneled from edge to core ports is rewritten as 01-00-0c-cd-cd-d0 and the destination MAC address of Layer 2 protocol packets tunneled from core to edge ports is rewritten with the standard default MAC address for the protocol.
-
-
If a PC or vPC is the only interface in a Dot1q tunnel and it is deleted and reconfigured, remove the association of the PC/VPC to the Dot1q tunnel and reconfigure it.
-
For 802.1Q tunnels deployed on switches that have EX in the product ID, Ethertype combinations of 0x8100+0x8100, 0x8100+0x88a8, 0x88a8+0x8100, and 0x88a8+0x88a8 for the first two VLAN tags are not supported.
If the tunnels are deployed on a combination of EX and FX or later switches, then this restriction still applies.
If the tunnels are deployed only on switches that have FX or later in the product ID, then this restriction does not apply.
-
For core ports, the Ethertypes for double-tagged frames must be 0x8100 followed by 0x8100.
-
You can include multiple edge ports and core ports (even across leaf switches) in a Dot1q tunnel.
-
An edge port may only be part of one tunnel, but a core port can belong to multiple Dot1q tunnels.
-
Regular EPGs can be deployed on core ports that are used in 802.1Q tunnels.
-
L3Outs are not supported on interfaces enabled for Dot1q tunnel.
-
FEX interfaces are not supported as members of a Dot1q tunnel.
-
Interfaces configured as breakout ports do not support 802.1Q tunnels.
-
Interface-level statistics are supported for interfaces in Dot1q tunnel, but statistics at the tunnel level are not supported.
-
802.1Q tunnels are supported across multi-pod fabrics, but not supported across multi-site.