Configuring EVPN VXLAN Layer 2 Overlay with Q-in-VNI

IEEE 802.1Q over Layer 2 VNI (Q-in-VNI) over an EVPN VXLAN network addresses the requirement for limited Layer 2 network extension and isolation by carrying the IEEE 802.1Q tag transparently within the VXLAN header. This enables a Network-to-Network Interface (NNI) Layer 2 trunk interface carrying one or more 802.1Q-segmented networks to be transported over a single Layer 2 VNI across the BGP EVPN VXLAN fabric. Q-in-VNI allows a greater number of virtual networks to be created, with the flexibility and scalability needed for campus networks and other environments where a large number of Layer 2 overlays are required in a BGP EVPN VXLAN fabric.

Restrictions for EVPN VXLAN Layer 2 Overlay with Q-in-VNI

  • Selective Q-in-VNI and Q-in-VNI with VLAN mapping are not supported in this release.

  • The dot1q-tunnel switchport mode access VLAN ID (S-VLAN) must be unique and should not be assigned to trunk VLAN ID (C-VLAN).

  • Layer 2 Protocol Tunneling (L2PT) is not supported on an 802.1Q tunnel port that is mapped for BGP EVPN Layer 2 fabric network extension.

  • The BGP EVPN Layer 3 IP routing function is not supported on VLANs that are mapped to an 802.1Q tunnel port.

  • Overlapping MAC entry between multiple C-VLANs under a single EVPN-mapped S-VLAN is not supported.

Information About Q-in-VNI

Enterprise campus, data centers, and service provider networks are often required to become a carrier network and provide transparent Layer 2 bridging between statically assigned physical Layer 2 trunk interfaces. Such networks have specific requirements for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required by different customers in the same service provider network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer would restrict the customer configurations and could easily exceed the VLAN limit (4094) specified by the IEEE 802.1Q standard.

Using the Q-in-VNI feature, service providers can use a single VLAN (S-VLAN) to support customers who have multiple VLANs (C-VLAN). Each customer's VLAN IDs are preserved, and traffic from different customers is segregated within the service provider network, though they appear to be in the same VLAN. Deploying IEEE 802.1Q tunneling expands the VLAN space by using a VLAN-in-VLAN hierarchy and retagging the tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port. When tunneling is configured, a tunnel port is assigned to a VLAN ID that is dedicated to tunneling. Each customer is provided with a unique service provider VLAN ID that supports all the VLANs of the customer.

Q-in-VNI in a BGP EVPN VXLAN Fabric

Using the Q-in-VNI feature, a service provider can provide Layer 2 overlay services by mapping the S-VLAN to the Layer 2 VNI. This allows service providers to address their business customers' Layer 2 connectivity requirements with BGP EVPN VXLAN between campus sites or a data center.

Enterprise customers can also deploy the Q-in-VNI feature within a single site by mapping the traffic from multiple Layer 2 segments into a specific S-VLAN with EVPN EVI enabled, and with the following criteria:

  • The site is bounded by the number of L2VNI overlay segments that are supported by a specific Cisco Catalyst 9000 series switch.

  • VLAN segments are symmetric across the fabric edges.


Note

When the Q-in-VNI Layer 2 overlay service with the S-VLAN mapped to an EVPN Instance (also known as MAC VRF) is deployed, the end host MAC routes (RT2) belonging to all the C-VLANs are maintained in a single bridge table corresponding to the S-VLAN.

In a BGP EVPN VXLAN fabric with Layer 2 interfaces that have a trunk port configuration (Figure 1), the ingress VTEP strips the IEEE 802.1Q tag, encapsulates the Layer 2 packet with a VXLAN header, and forwards the packet to the destination. At the egress VTEP, the packet is decapsulated and the L2VNI is mapped to the corresponding VLAN. If the egress port is a trunk port, the corresponding VLAN ID is populated in the IEEE 802.1Q header, and the packet is sent out of the fabric.

Figure 1. EVPN VXLAN Fabric with Trunk Mode on the Access Port

When Q-in-VNI is configured (Figure 2), customer traffic from a C-VLAN with a VLAN ID of 10 is forwarded to the EVPN VXLAN overlay network. The ingress VTEP port in the overlay network is configured as a Q-in-VNI port with a provider VLAN of 101 and a unique Layer 2 VNI of 1001. When a packet enters the Q-in-VNI tunnel port on the edge device, it is encapsulated with an outer VXLAN header containing the VNI 1001; the original inner header with VLAN 10 is retained. At the egress VTEP, the packet is forwarded to the correct Q-in-VNI port, based on the matching provider VLAN 101 that is derived from the Layer 2 VNI. At the outbound tunnel port, the packet is transmitted with the original C-VLAN tag.

Figure 2. Q-in-VNI over Layer 2 BGP EVPN VXLAN on 802.1Q Tunnel Mode port
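The two forwarding behaviours just described, trunk mode (Figure 1) and Q-in-VNI (Figure 2), modelled in Python as an added example that is not part of this chapter and is not Cisco IOS XE code. It packs the 8-byte VXLAN header and a single 802.1Q tag with struct, uses the page's S-VLAN 101 / VNI 1001 and C-VLAN 10, and adds a constructed VLAN 20 / VNI 1020 mapping to show the trunk-mode path for contrast.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag in the VXLAN header (RFC 7348)

# Constructed VLAN-to-VNI table, the equivalent of
# "vlan configuration N / member evpn-instance N vni M" on the VTEP.
# 101 -> 1001 is from the page; 20 -> 1020 is an assumption for the trunk demo.
VLAN_TO_VNI = {101: 1001, 20: 1020}
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}


def build_dot1q_frame(dst, src, vlan_id, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with a single 802.1Q tag (PCP 0, DEI 0)."""
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ethertype)
    return dst + src + tag + payload


def parse_dot1q(frame):
    """Return (vlan_id or None, frame with the 802.1Q tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def vxlan_encap(vni, inner_frame):
    """VXLAN header: flags byte (I bit), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def vxlan_decap(packet):
    flags, word2 = struct.unpack("!II", packet[:8])
    if not (flags >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return word2 >> 8, packet[8:]


# Trunk-mode access port (Figure 1): the tag is stripped on ingress and the
# VLAN is derived from the VNI again on egress.
def trunk_ingress(frame):
    vlan, untagged = parse_dot1q(frame)
    return vxlan_encap(VLAN_TO_VNI[vlan], untagged)


def trunk_egress(packet):
    vni, inner = vxlan_decap(packet)
    ethertype = struct.unpack("!H", inner[12:14])[0]
    return build_dot1q_frame(inner[:6], inner[6:12], VNI_TO_VLAN[vni], inner[14:], ethertype)


# dot1q-tunnel port (Figure 2, Q-in-VNI): the VNI comes from the port's S-VLAN
# and the customer frame, tag included, is carried as opaque payload.
def qinvni_ingress(frame, port_svlan):
    return vxlan_encap(VLAN_TO_VNI[port_svlan], frame)


def qinvni_egress(packet):
    vni, inner = vxlan_decap(packet)
    return VNI_TO_VLAN[vni], inner  # S-VLAN selects the tunnel port; frame untouched


def demo():
    dst, src = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
    customer = build_dot1q_frame(dst, src, 10, b"customer data")  # C-VLAN 10
    over_fabric = qinvni_ingress(customer, 101)
    vni, inner = vxlan_decap(over_fabric)
    svlan, delivered = qinvni_egress(over_fabric)
    # Trunk mode for contrast: no tag survives inside the VXLAN payload.
    trunk_frame = build_dot1q_frame(dst, src, 20, b"x")
    trunk_pkt = trunk_ingress(trunk_frame)
    return {
        "qinvni_vni": vni,
        "inner_cvlan_in_transit": parse_dot1q(inner)[0],
        "egress_svlan": svlan,
        "delivered_unchanged": delivered == customer,
        "trunk_inner_tag": parse_dot1q(vxlan_decap(trunk_pkt)[1])[0],
        "trunk_roundtrip": trunk_egress(trunk_pkt) == trunk_frame,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the isolation boundary visible: on the Q-in-VNI path every C-VLAN behind the tunnel port shares VNI 1001, and the fabric never looks at the inner tag, which is why the note above says all C-VLAN MAC routes land in the single bridge table of the S-VLAN and why overlapping MACs across C-VLANs under one S-VLAN are listed as unsupported.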

How to Configure Q-in-VNI in a BGP EVPN VXLAN Fabric

Configure the access interface for Q-in-VNI tunneling.

Before you begin

Ensure that the Layer 2 overlay is configured as described in the Configuring Layer 2 Overlay Network chapter for the S-VLAN.

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface interface-name

Example:

Device(config)# interface GigabitEthernet1/0/24

Enters interface configuration mode for the interface to be configured as a tunnel port.

This should be the edge port on the VTEP that connects to the interface of the Layer 2 device with a trunk port configuration.

Step 4

switchport access vlan vlan-id

Example:

Device(config-if)# switchport access vlan 101

Specifies the S-VLAN that is mapped to the L2VNI.

Step 5

switchport mode dot1q-tunnel

Example:

Device(config-if)# switchport mode dot1q-tunnel

Sets the interface as an IEEE 802.1Q tunnel port.

Step 6

end

Example:

Device(config-if)# end

Returns to privileged EXEC mode.

Example: Configuring Q-in-VNI in a BGP EVPN VXLAN Fabric


Note

Before you enable Q-in-VNI on the interface, ensure that the EVPN VXLAN Layer 2 overlay network is configured. For an example configuration of an EVPN VXLAN Layer 2 overlay, refer to the "Configuring EVPN VXLAN Layer 2 Overlay Network" chapter.

The following example shows how to configure an interface as a tunnel port to enable the Q-in-VNI feature in an EVPN VXLAN Layer 2 overlay network. In this configuration, the customer connected to Gigabit Ethernet interface 24 on stack member 1 is assigned S-VLAN 101.

l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
 replication-type static
!
vlan configuration 101        <--- S-VLAN mapped to VNI
 member evpn-instance 101 vni 1001 
!
interface nve1
 no ip address
 source-interface Loopback1
 host-reachability protocol bgp
 member vni 1001 mcast-group 225.0.0.101
!
interface GigabitEthernet1/0/24
 switchport access vlan 101   <--- S-VLAN
 switchport mode dot1q-tunnel
 no cdp enable
!
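An added configuration check, written for this page and not part of the chapter or of any Cisco tool, that parses IOS-style configuration text and flags the restrictions listed at the start of this chapter: a dot1q-tunnel port whose S-VLAN has no EVPN instance mapping (the "Before you begin" prerequisite), L2PT on an EVPN-mapped tunnel port, an S-VLAN that is also carried on a trunk, and an SVI with an IP address on an EVPN-mapped S-VLAN (a heuristic for the Layer 3 routing restriction). The sample configuration is constructed from the vlan configuration and tunnel-port blocks of the example above, with GigabitEthernet1/0/21 through 1/0/23 and interface Vlan101 added as deliberate violations.

```python
import re

# Constructed sample: the page's vlan configuration and tunnel-port blocks plus a
# second mapped S-VLAN 102 and deliberate violations on 1/0/21, 1/0/22, 1/0/23
# and Vlan101.
SAMPLE_CONFIG = """\
vlan configuration 101
 member evpn-instance 101 vni 1001
!
vlan configuration 102
 member evpn-instance 102 vni 1002
!
interface GigabitEthernet1/0/21
 switchport access vlan 103
 switchport mode dot1q-tunnel
!
interface GigabitEthernet1/0/22
 switchport access vlan 102
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10,100-110
!
interface GigabitEthernet1/0/24
 switchport access vlan 101
 switchport mode dot1q-tunnel
!
interface Vlan101
 ip address 10.1.1.1 255.255.255.0
!
"""


def parse_blocks(text):
    """Split IOS-style text into (header, [indented sub-lines]) blocks."""
    blocks, header, body = [], None, []
    for line in text.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = (None, []) if line.strip() in ("", "!") else (line.strip(), [])
    if header is not None:
        blocks.append((header, body))
    return blocks


def expand_vlan_list(spec):
    """'10,100-110' -> {10, 100, 101, ..., 110}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_qinvni(text):
    """Return findings for the Q-in-VNI restrictions, one string per violation."""
    blocks = parse_blocks(text)
    mapped = set()  # VLANs that carry "member evpn-instance ... vni ..."
    for header, body in blocks:
        m = re.match(r"vlan configuration (\d+)$", header)
        if m and any(b.startswith("member evpn-instance") for b in body):
            mapped.add(int(m.group(1)))
    tunnels, trunks, svis = {}, {}, {}
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if "switchport mode dot1q-tunnel" in body:
            vlan = 1  # IOS default access VLAN when none is configured
            for b in body:
                if m := re.match(r"switchport access vlan (\d+)$", b):
                    vlan = int(m.group(1))
            tunnels[name] = (vlan, body)
        elif "switchport mode trunk" in body:
            allowed = None  # None: the trunk carries every VLAN
            for b in body:
                if m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", b):
                    allowed = (allowed or set()) | expand_vlan_list(m.group(1))
            trunks[name] = allowed
        elif (m := re.match(r"Vlan(\d+)$", name)) and any(b.startswith("ip address") for b in body):
            svis[int(m.group(1))] = name  # SVI heuristic for the L3 routing restriction
    findings = []
    for name, (svlan, body) in sorted(tunnels.items()):
        if svlan not in mapped:
            findings.append(f"{name}: S-VLAN {svlan} is not mapped to an EVPN instance/VNI")
            continue
        if any(b.startswith("l2protocol-tunnel") for b in body):
            findings.append(f"{name}: L2PT on an EVPN-mapped 802.1Q tunnel port is not supported")
        for tname, allowed in sorted(trunks.items()):
            if allowed is None or svlan in allowed:
                findings.append(f"{tname}: trunk carries S-VLAN {svlan}, which must not be a trunk (C-)VLAN")
        if svlan in svis:
            findings.append(f"{svis[svlan]}: IP routing on EVPN-mapped S-VLAN {svlan} is not supported")
    return findings


if __name__ == "__main__":
    print("\n".join(check_qinvni(SAMPLE_CONFIG)))
```

Run against the sample it reports five findings: the unmapped S-VLAN 103 on 1/0/21, L2PT on 1/0/22, the trunk on 1/0/23 carrying both S-VLANs 101 and 102, and the SVI on VLAN 101. A trunk with no allowed-VLAN list is reported as well, because on IOS it carries every VLAN, including the S-VLAN.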