This chapter describes how to configure IEEE 802.1Q-in-Q VLAN tunnels and Layer 2 protocol tunneling on Cisco NX-OS devices.

This chapter describes how to configure IEEE 802.1Q-in-Q VLAN tunnels and Layer 2 protocol tunneling on Cisco NX-OS devices (7.0(3)F3(4), 7.0(3)I2(1) and later).

A Q-in-Q VLAN tunnel enables a service provider to segregate the traffic of different customers in their infrastructure, while still giving the customer a full range of VLANs for their internal use by adding a second 802.1Q tag to an already tagged frame.

Q-in-Q tunnels and Layer 2 tunneling have the following configuration guidelines and limitations:

• Q-in-Q should be configured on the customer-facing interface of the service provider’s edge device. If an Ethernet frame ingresses a Cisco Nexus 9000 series switch, the switch cannot encapsulate the frame with two 802.1Q headers within a single forwarding decision. Similarly, if a Q-in-Q-encapsulated Ethernet frame needs to egress a Cisco Nexus 9000 series switch without any 802.1Q headers, the switch cannot decapsulate two 802.1Q headers from the Ethernet frame within a single forwarding decision.

• Mapping multiple VLANs is supported.

• Multi-tagged BPDUs are supported on the Cisco Nexus 93108TC-EX and 93180YC-EX switches. We support up to three tags.

• Selective Q-in-Q tunneling is not supported with multi-tagged BPDU.

• Only multi-tagged CDP and STP BPDUs are supported.

• The inner-most tag must always be 0x8100.

• Multiple selective Q-in-Q tags are not supported. That is, Q-in-Q does not support multiple SP tags on a single interface.

• Switches in the service-provider network must be configured to handle the increase in MTU size due to Q-in-Q tagging.

• MAC address learning for Q-in-Q tagged packets is based on the outer VLAN (Service Provider VLAN) tag. Packet forwarding issues might occur in deployments where a single MAC address is used across multiple inner (customer) VLANs.

• Layer 3 and higher parameters cannot be identified in tunnel traffic (for example, Layer 3 destination and source addresses). Tunneled traffic cannot be routed.

• The system dot1q-tunnel transit or system dot1q-tunnel transit vlan provider_vlan_list command have the following limitations:

  • These commands are required on Cisco Nexus 9300-EX/FX/FX2/FX3/GX/GX2 switches and 9500 switches with 9700-EX/FX/GX line cards if the device is configured with Q-in-Q, Selective Q-in-Q or Selective Q-in-Q with multiple provider VLAN features.

  • It is required that you configure the system dot1q-tunnel transit or system dot1q-tunnel transit vlan provider_vlan_list command on ToR or modular devices. Beginning with Cisco NX-OS Release 9.3(5), the system dot1q-tunnel transit vlan provider_vlan_list command is supported.

  • It is required that you configure the system dot1q-tunnel transit or the system dot1q-tunnel transit vlan provider_vlan_list command on vPC switches or non-vPC switches.

  • Layer 2 frames that exit trunk ports will always be tagged, even with the native VLAN of the port if these commands have been configured.

  • The MPLS, GRE, and IP-in-IP functionalities will not function effectively in conjunction with the Q-in-Q tunneling features if these commands have been configured on the switch.

• Cisco Nexus 9000 Series devices can provide only MAC-layer ACL/QoS for tunnel traffic (VLAN IDs and src/dest MAC addresses).

• You should use MAC address-based frame distribution.

• Asymmetrical links do not support the Dynamic Trunking Protocol (DTP) because only one port on the link is a trunk. You must configure the 802.1Q trunk port on an asymmetrical link to trunk unconditionally.

• You cannot configure the 802.1Q tunneling feature on ports that are configured to support private VLANs. Private VLAN are not required in these deployments.

• You must disable IGMP snooping on the tunnel VLANs.

• You should enter the vlan dot1Q tag native command to maintain the tagging on the native VLAN and drop untagged traffic. This command prevents native VLAN misconfigurations.

• You must manually configure the 802.1Q interfaces to be edge ports.

• IGMP snooping is not supported on the inner VLAN.

• Q-in-Q is not supported on the uplink ports of Cisco Nexus 9332PQ, 9372PX, 9372TX, and 93120TX switches and Cisco Nexus 9396PX, 9396TX, and 93128TX switches with the N9K-M6PQ or N9K-M12PQ generic expansion module (GEM).

• Q-in-Q tunnels might be affected by the limitations of the Application Leaf Engine (ALE) uplink ports on Cisco Nexus 9300 and 9500 Series devices: Limitations for ALE Uplink Ports

• Q-in-Q tunneling is not supported on the following Application Spine Engine 2 (ASE2) and Application Spine Engine 3 (ASE3) based Cisco Nexus switches.

  • ASE2 - N9236C, N9272Q, N92304QC, and N92300Y

  • ASE3 - N92160YC-X

• Layer 2 protocol tunnelling with Link Aggregation Control Protocol (LACP) is not supported.

• Q-in-Q tagging is not supported.

• Layer 2 protocol tunneling is not supported on Cisco Nexus 9500 Series switches with N9K-X9636C-R, N9K-X9636Q-R, N9K-X9636C-RX line cards.

• Cisco Nexus 9500 Series switches with N9K-X9636C-R, N9K-X9636Q-R, N9K-X9636C-RX line cards, Q-in-Q is supported only on port or port-channel Layer 2 Access VLAN Edge devices.

• FEX configuration is not supported on Q-in-Q ports.

• If the command l2potocol tunnel stp is configured on a tunnel interface, the VLAN that you configure on the service provider must be different from that of the customer network.

• When you trigger Fallback ISSU on edge devices with L2PT tunneling of LACP, the edge device will do the tunnelling (encapsulation and send) in software. If the control plane downtime of the edge device during ISSU is more than 90 seconds, LACP enabled peers connected to any of the edge devices can flap due to LACP PDU timeout on either of the LACP enabled peers. The duration of 90 seconds limit is due to:

  • There are no special scripts running on the edge device with L2PT tunneling to send LACP PDUs right before control plane goes down due to ISSU.

  • The last LACP PDU seen on edge device can be between the last 90 seconds before ISSU is triggered. This is because the default LACP PDU transmits rate is 30 seconds and with 90 seconds of timeout.

• For selective Q-in-Q with multiple provider VLANs, all the existing limitations and guidelines for selective Q-in-Q apply.

• Beginning with Cisco NX-OS Release 9.3(5), selective Q-in-Q with multiple provider VLANs feature is supported on Cisco Nexus N9K-C9316D-GX, N9K-C93600CD-GX, N9K-C9364C-GX switches.

• Selective Q-in-Q with multiple provider VLANs feature is supported on Nexus 9300-EX, 9300-FX, 9300-FX2, 9300-FX3, 9332D-H2R and 93400LD-H1 switches.

• When you enable multiple provider VLANs on a vPC port channel, you must make sure that the configuration is consistent across the vPC peers.

• We recommend enabling “system dot1q tunnel transit” when running selective Q-in-Q with multiple provider VLAN features on a vPC setup.

• We recommended not to allow provider VLANs on a regular trunk.

• Only allow native VLANs and provider VLANs on the trunk interface allowed VLAN list of a multiple provider VLAN interface.

• Port to VLAN mappings (for example: switchport vlan mapping 10 20) is not supported on a port that is configured for selective Q-in-Q with multiple provider VLANs.

• Private VLAN is not supported on a port that is configured for selective Q-in-Q with multiple provider VLANs.

• Only Layer 2 switching is supported.

• Routing on provider VLANs is not supported.

• FEX is not supported for selective Q-in-Q with multiple provider VLANs.

• Selective Q-in-Q with multiple provider VLANs commands not DME-ized

• When VLAN1 is configured as native VLAN with selective Q-in-Q and selective Q-in-Q with multiple provider tag, traffic on the native VLAN gets dropped. Do not configure VLAN1 as native VLAN when the port is configured with the selective Q-in-Q. When VLAN1 is configured as customer VLAN, then the traffic on VLAN1 gets dropped.

The following are the guidelines and Limitations for Port VLAN Mapping:

• Beginning with Cisco NX-OS Release 10.3(3)F, Port VLAN mapping on VLANs is supported on Cisco Nexus 9300-EX/FX/FX2/FX3/GX/GX2, C9408 platform switches and Cisco Nexus 9500 switches with 9700-EX/FX/GX line cards.

• Beginning with Cisco NX-OS Release 10.4(1)F, Port VLAN mapping on VLANs is supported on Cisco Nexus 9332D-H2R switch.

• Beginning with Cisco NX-OS Release 10.4(2)F, Port VLAN mapping on VLANs is supported on Cisco Nexus 93400LD-H1 switch.

• The ingress (incoming) VLAN does not need to be configured on the switch as a VLAN. The translated VLAN must be configured.

• All Layer 2 source address learning and Layer 2 MAC destination lookup occurs on the translated VLAN. See the VLAN counters on the translated VLAN and not on the ingress (incoming) VLAN.

• Port VLAN mapping routing supports configuring an SVI on the translated VLAN.

• The following example shows incoming VLAN 10 being mapped to local VLAN 100:

  interface ethernet1/1
  switchport vlan mapping 10 100

• The following is an example of overlapping VLAN for PV translation. In the first statement, VLAN-102 is a translated VLAN. In the second statement, VLAN-102 the VLAN where it is translated to VLAN-103:

  interface ethernet1/1
  switchport vlan mapping 101 102
  switchport vlan mapping 102 103

• When adding a member to an existing port channel using the force command, the "mapping enable" configuration must be consistent. For example:

  Int po 101
  switchport vlan mapping enable
  switchport vlan mapping 101 10
  switchport trunk allowed vlan 10
   
  int eth 1/8
  /***No configuration***/

  Note	The switchport VLAN mapping enable command is supported only when the port mode is trunk.

• VLAN mapping helps with VLAN localization to a port, scoping the VLANs per port. A typical use case is in the service provider environment where the service provider leaf switch has different customers with overlapping VLANs that come in on different ports. For example, customer A has VLAN 10 coming in on Eth 1/1 and customer B has VLAN 10 coming in on Eth 2/2.

• Port VLAN mapping does not coexist with PVLAN.

• If the inherit port-profile command is configured on a PV interface, use the no inherit port-profile <profile name> command to detach and then execute the no switchport vlan mapping all command.

• If the system dot1q-tunnel transit vlan provider_vlan_list command is globally configured on the switch, do not set the provider VLAN as the native or access port VLAN for any other trunk or access port on the system. It is expected to choose provider VLANs other than the native VLANs on the system.