VXLAN Cross Connect has the following guidelines and limitations:

• When an upgrade is performed non-disruptively from Cisco NX-OS Release 7.0(3)I7(4) to Cisco NX-OS Release 9.2(x) code, and if a VLAN is created and configured as xconnect, you must enter the copy running-config startup-config command and reload the switch. If the box was upgraded disruptively to Cisco NX-OS Release 9.2(x) code, a reload is not needed on configuring a VLAN as xconnect.

• MAC learning will be disabled on the xconnect VNIs and none of the host MAC will be learned on the tunnel access ports.

• Only supported on a BGP EVPN topology.

• LACP bundling of attachment circuits is not supported.

• Only one attachment circuit can be configured for a provider VNI on a given VTEP.

• A VNI can only be stretched in a point-to-point fashion. Point-to-multipoint is not supported.

• SVI on an xconnect VLAN is not supported.

• ARP suppression is not supported on an xconnect VLAN VNI.

• Xconnect is not supported on the following switches:

  • Cisco Nexus 9504

  • Cisco Nexus 9508

  • Cisco Nexus 9516

• Scale of xconnect VLANs depends on the number of ports available on the switch. Every xconnect VLAN can tunnel all 4k customer VLANs.

• Xconnect or Crossconnect feature on vpc-vtep needs backup-svi as native VLAN on the vPC peer-link.

• Make sure that the NGOAM xconnect hb-interval is set to 5000 milliseconds on all VTEPs before attempting ISSU/patch activation to avoid link flaps.

• Before activating the patch for the cfs process, you must move the NGOAM xconnect hb-interval to the maximum value of 5000 milliseconds. This prevents interface flaps during the patch activation.

• The vPC orphan tunneled port per VNI should be either on the vPC primary switch or secondary switch, but not both.

• Configuring a static MAC on xconnect tunnel interfaces is not supported.

• xconnect is not supported on FEX ports.

• On vpc-vtep, spanning tree must be disabled on both vPC peers for xconnect VLANs.

• Xconnect access ports need to be flapped after disabling NGOAM on all the VTEPs.

• After deleting and adding a VLAN, or removing xconnect from a VLAN, physical ports need to be flapped with NGOAM.

• VXLAN Cross Connect is not supported as part of multi-site solution.

To display the status for the VXLAN Cross Connect configuration, enter one of the following commands:

Example of the show run vlan 503 command:

switch(config)# sh run vlan 503
 
!Command: show running-config vlan 503
!Running configuration last done at: Mon Jul  9 13:46:03 2018
!Time: Tue Jul 10 14:12:04 2018
 
version 9.2(1) Bios:version 07.64
vlan 503
vlan 503
  vn-segment 5503
  xconnect

Example of the show nve vni 5503 command:

switch(config)# sh nve vni 5503
Codes: CP - Control Plane        DP - Data Plane         
       UC - Unconfigured         SA - Suppress ARP       
       SU - Suppress Unknown Unicast
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5503     225.5.0.3         Up    CP   L2 [503]           SA       Xconn

Example of the show nve vni command:

switch(config)# sh nve vni
Codes: CP - Control Plane        DP - Data Plane         
       UC - Unconfigured         SA - Suppress ARP       
       SU - Suppress Unknown Unicast
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5501     225.5.0.1         Up    CP   L2 [501]           SA        
nve1      5502     225.5.0.2         Up    CP   L2 [502]           SA        
nve1      5503     225.5.0.3         Up    CP   L2 [503]           SA       Xconn
nve1      5504     UnicastBGP        Up    CP   L2 [504]           SA       Xconn
nve1      5505     225.5.0.5         Up    CP   L2 [505]           SA       Xconn
nve1      5506     UnicastBGP        Up    CP   L2 [506]           SA       Xconn
nve1      5507     225.5.0.7         Up    CP   L2 [507]           SA       Xconn
nve1      5510     225.5.0.10        Up    CP   L2 [510]           SA       Xconn
nve1      5511     225.5.0.11        Up    CP   L2 [511]           SA       Xconn
nve1      5512     225.5.0.12        Up    CP   L2 [512]           SA       Xconn
nve1      5513     UnicastBGP        Up    CP   L2 [513]           SA       Xconn
nve1      5514     225.5.0.14        Up    CP   L2 [514]           SA       Xconn
nve1      5515     UnicastBGP        Up    CP   L2 [515]           SA       Xconn
nve1      5516     UnicastBGP        Up    CP   L2 [516]           SA       Xconn
nve1      5517     UnicastBGP        Up    CP   L2 [517]           SA       Xconn
nve1      5518     UnicastBGP        Up    CP   L2 [518]           SA       Xconn

To display the NGOAM status for the VXLAN Cross Connect configuration, enter one of the following commands:

Example of the show ngoam xconnect session all command:

switch(config)# sh ngoam xconnect session all
 
States: LD = Local interface down, RD = Remote interface Down
          HB = Heartbeat lost, DB = Database/Routes not present
          * - Showing Vpc-peer interface info
Vlan          Peer-ip/vni      XC-State       Local-if/State    Rmt-if/State
===============================================================================
507       6.6.6.6 /  5507      Active        Eth1/7 / UP        Eth1/5 / UP
508       7.7.7.7 /  5508      Active        Eth1/8 / UP        Eth1/5 / UP
509       7.7.7.7 /  5509      Active        Eth1/9 / UP        Eth1/9 / UP
510       6.6.6.6 /  5510      Active         Po303 / UP         Po103 / UP
513       6.6.6.6 /  5513      Active        Eth1/6 / UP        Eth1/8 / UP

Example of the show ngoam xconnect session 507 command:

switch(config)# sh ngoam xconnect session 507
Vlan ID: 507
Peer IP: 6.6.6.6  VNI : 5507
State: Active
Last state update: 07/09/2018 13:47:03.849
Local interface: Eth1/7  State:  UP
Local vpc interface Unknown  State:  DOWN
Remote interface: Eth1/5  State:  UP
Remote vpc interface: Unknown  State:  DOWN
switch(config)#

Q-in-VNI has the following guidelines and limitations:

• Q-in-VNI and selective Q-in-VNI are supported with VXLAN Flood and Learn with Ingress Replication and VXLAN EVPN with Ingress Replication.

• Q-in-VNI, selective Q-in-VNI, and QinQ-QinVNI are not supported with the multicast underlay on Cisco Nexus 9000-EX platform switches.

• The system dot1q-tunnel transit command is required when running this feature on vPC VTEPs.

• Port VLAN mapping and Q-in-VNI cannot coexist on the same port.

• Port VLAN mapping and Q-in-VNI cannot coexist on a switch if the system dot1q-tunnel transit command is enabled.

• For proper operation during L3 uplink failure scenarios on vPC VTEPs, configure a backup SVI and enter the system nve infra-vlans backup-svi-vlan command. On Cisco Nexus 9000-EX platform switches, the backup SVI VLAN needs to be the native VLAN on the peer-link.

• Q-in-VNI only supports VXLAN bridging. It does not support VXLAN routing.

• The dot1q tunnel mode does not support ALE ports on Cisco Nexus 9300 Series and Cisco Nexus 9500 platform switches.

• Q-in-VNI does not support FEX.

• When configuring access ports and trunk ports for Cisco Nexus 9000 Series switches with a Network Forwarding Engine (NFE) or a Leaf Spine Engine (LSE), you can have access ports, trunk ports, and dot1q ports on different interfaces on the same switch.

• You cannot have the same VLAN configured for both dot1q and trunk ports/access ports.

• Disable ARP suppression on the provider VNI for ARP traffic originated from a customer VLAN in order to flow.

  switch(config)# interface nve 1
  switch(config-if-nve)# member VNI 10000011
  switch(config-if-nve-vni)# no suppress-arp

• Cisco Nexus 9300 platform switches support single tag. You can enable it by entering the no overlay-encapsulation vxlan-with-tag command for the NVE interface:

  switch(config)# interface nve 1
  switch(config-if-nve)# no overlay-encapsulation vxlan-with-tag
  switch# show run int nve 1
   		
  !Command: show running-config interface nve1
  !Time: Wed Jul 20 23:26:25 2016
   
  version 7.0(3u)I4(2u)
   
  interface nve1
    no shutdown
    source-interface loopback0
    host-reachability protocol bgp
    member vni 900001 associate-vrf
    member vni 2000980
      mcast-group 225.4.0.1
  
  

• Cisco Nexus 9500 platform switches do not support single tag. They support only double tag.

• Cisco Nexus 9300-EX platform switches do not support double tag. They support only single tag.

• Cisco Nexus 9300-EX platform switches do not support traffic between ports configured for Q-in-VNI and ports configured for trunk.

• Q-in-VNI cannot coexist with a VTEP that has Layer 3 subinterfaces configured.

• When VLAN1 is configured as the native VLAN with selective Q-in-VNI with the multiple provider tag, traffic on the native VLAN gets dropped. Do not configure VLAN1 as the native VLAN when the port is configured with selective Q-in-VNI. When VLAN1 is configured as a customer VLAN, the traffic on VLAN1 gets dropped.

• The base port mode must be a dot1q tunnel port with an access VLAN configured.

• VNI mapping is required for the access VLAN on the port.

• If you have Q-in-VNI on one Cisco Nexus 9300-EX Series switch VTEP and trunk on another Cisco Nexus 9300-EX Series switch VTEP, the bidirectional traffic will not be sent between the two ports.

• Cisco Nexus 9300-EX Series of switches performing VXLAN and Q-in-Q, a mix of provider interface and VXLAN uplinks is not considered. The VXLAN uplinks have to be separated from the Q-in-Q provider or customer interface.

  For vPC use cases, the following considerations must be made when VXLAN and Q-in-Q are used on the same switch.

  • The vPC peer-link has to be specifically configured as a provider interface to ensure orphan-to-orphan port communication. In these cases, the traffic is sent with two IEEE 802.1q tags (double dot1q tagging). The inner dot1q is the customer VLAN ID while the outer dot1q is the provider VLAN ID (access VLAN).

  • The vPC peer-link is used as backup path for the VXLAN encapsulated traffic in the case of an uplink failure. In Q-in-Q, the vPC peer-link also acts as the provider interface (orphan-to-orphan port communication). In this combination, use the native VLAN as the backup VLAN for traffic to handle uplink failure scenarios. Also make sure the backup VLAN is configured as a system infra VLAN (system nve infra-vlans).

• Q-in-VNI does not support vPC Fabric Peering.

• BPDU filter is required for Selective Q-in-VNI, as we do not support tunneling STP BPDU.

Selective Q-in-VNI with multiple provider VLANs has the following guidelines and limitations:

• All the existing guidelines and limitations for Selective Q-in-VNI apply.

• This feature is supported with VXLAN BGP EVPN IR mode only.

• When enabling multiple provider VLANs on a vPC port channel, make sure that the configuration is consistent across the vPC peers.

• Port VLAN mapping and selective Q-in-VNI cannot coexist on the same port.

• Port VLAN mapping and selective Q-in-VNI cannot coexist on a switch if the system dot1q-tunnel transit command is enabled.

• The system dot1q-tunnel transit command is required when using this feature on vPC VTEPs.

• For proper operation during Layer 3 uplink failure scenarios on vPC VTEPs, configure the backup SVI and enter the system nve infra-vlans backup-svi-vlan command. On Cisco Nexus 9000-EX platform switches, the backup SVI VLAN must be the native VLAN on the peer-link.

• As a best practice, do not allow provider VLANs on a regular trunk.

• We recommend not creating or allowing customer VLANs on the switch where customer-VLAN to provider-VLAN mapping is configured.

• We do not support specific native VLAN configuration when the switchport vlan mapping all dot1q-tunnel command is entered.

• Selective Q-in-VNI with a multiple provider tag does not support vPC Fabric Peering.

• Disable ARP suppression on the provider VNI for ARP traffic originated from a customer VLAN in order to flow.

  switch(config)# interface nve 1
  switch(config-if-nve)# member VNI 10000011
  switch(config-if-nve-vni)# no suppress-arp

• All incoming traffic should be tagged when the interface is configured with the switchport vlan mapping all dot1q-tunnel command.

QinQ-QinVNI has the following guidelines and limitations:

• This feature is supported on the Cisco Nexus 9300-FX/FX2 switches.

• This feature supports vPC Fabric Peering, beginning with Cisco NX-OS Release 9.2(3). For more information, see the Configuring vPC Fabric Peering chapter.

• On a multi-tag port, provider VLANs must be a part of the port. They are used to derive the VNI for that packet.

• Untagged packets are associated with the native VLAN. If the native VLAN is not configured, the packet is associated with the default VLAN (VLAN 1).

• Packets coming in with an outermost VLAN tag (provider-vlan), not present in the range of allowed VLANs on a multi-tag port, are dropped.

• Packets coming in with an outermost VLAN tag (provider-vlan) tag matching the native VLAN are routed or bridged in the native VLAN's domain.

• This feature is supported with VXLAN bridging. It does not support VXLAN routing.

• Multicast data traffic with more than two Q-Tags in not supported when snooping in enabled on the VXLAN VLAN.

• You need at least one multi-tag trunk port allowing the provider VLANs in up state on both the vPC peers. Otherwise, traffic traversing via the peer-link for these provider VLANs will not carry all inner C-Tags.