Solved: ACI connectivity to Access Point autonomous

nexus13213 · ‎08-02-2017

Hi,

Can i make trunk native port on ACI ?

I have a connection problem between leaf with autonomous Access Point.

How can i make a configuration like this in ACI ?


 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk

Without native i cannot access the BVI IP.

thanks

RedNectar · ‎08-02-2017

Hi nexus13213@gmail.com,

The closest equivalent of a native VLAN in ACI is disguised as 802.1p. The following is cut-and-pasted from the Cisco Application Infrastructure Fundamentals book

Native 802.1p and Tagged EPGs

Follow these guidelines to assure that devices that require untagged packets operate as expected when they are connected to access ports of an ACI leaf switch.

When an access port is configured with a single EPG in native 802.1p mode, its packets exit that port untagged.

When an access port is configured with multiple EPGs, one in native 802.1p mode and some with VLAN tags, all packets exiting that access port are tagged in the following manner on the following Cisco Nexus N9K switches:

N9K-C9396PX
N9K-C93128TX
N9K-C9372PX
N9K-C9372TX
N9K-C9372PX-E
N9K-C9372TX-E
N9K-C93120TX
N9K-C9332PQ

Packets on the native VLAN exit the access port tagged as VLAN zero.

Packets from other EPGs exit with their respective VLAN tags.

Note

Certain older network interface cards (NICs) that send traffic on the native VLAN untagged, drop return traffic that is tagged as VLAN 0. This is normally only a problem on interfaces configured as trunk ports. However, if an Attachable Entity Profile (AEP) for an access port is configured to carry the infra VLAN, then it is treated as a trunk port, even though it is confugred as an access port. In these circumstances, packets sent on the native VLAN from the switch with NFE will be tagged as VLAN 0, and older switch NICs may drop them. Options to address this issue include:

Removing the infra VLAN from the AEP.
Configuring "port local scope" on the port. This enables per-port VLAN definition and allows the switch equipped with NFE to send packets on the native VLAN, untagged.

On switch hardware that is capable of running in ACI mode, other than the models listed above, the 802.1p-mode EPG packets on the native VLAN exit the access port untagged and packets from other EPGs exit with their respective VLAN tags.

When configuring QoS for an EPG, the default value is QoS Class 3. When configuring QoS in a contract, the QoS class must be explicitly set. The QoS tagging explicitly specified in a contract takes precedence over the default EPG QoS tagging.

Note

For any access port, only one native 802.1p EPG is allowed, or only one untagged EPG is allowed. It can be one or the other but not both.

When an EPG is deployed as untagged, do not deploy that EPG as tagged on other ports of the same switch.

*************************

So what does that all mean?

Assuming that VLAN 10 and VLAN 20 are two different EPGs, it means that you should configure the port that connects to the autonomous access point like this:

Make sure you have an Access Policy Chain configured that includes a VLAN Pool with VLAN 10 and VLAN 20, and is linked via a Physical Domain (lets call it AP.VLANs-VLAN.Pool) to an AEP that is linked to an Access Port Policy Group that is linked to an Interface Selector/Interface Profile/Leaf Profile combination that defines the port (lets call it port 10n/1/x) where the autonomous access point connects.
for the EPG that represents VLAN 20, make sure you

Link it to the AP.VLANs-VLAN.Pool
Configure a static mapping to port 10n/1/x as a trunk port using vlan-20

for the EPG that represents VLAN 10, make sure you

Link it to the AP.VLANs-VLAN.Pool
Configure a static mapping to port 10n/1/x as a 802.1p port using vlan-10

The Bottom Line

What this will do is make ACI send packets for VLAN 10 with a VLAN tag of 0. That should be good for the AP to recognise the frame as on the native VLAN, BUT if the AP has a problem reading frames with a VLAN tag of 0, you could try setting the Per-Port VLAN attribute on the Access Port Policy Group.

I hope this helps

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

RedNectar · ‎08-02-2017

Hi nexus13213@gmail.com,

The closest equivalent of a native VLAN in ACI is disguised as 802.1p. The following is cut-and-pasted from the Cisco Application Infrastructure Fundamentals book

Native 802.1p and Tagged EPGs

Follow these guidelines to assure that devices that require untagged packets operate as expected when they are connected to access ports of an ACI leaf switch.

When an access port is configured with a single EPG in native 802.1p mode, its packets exit that port untagged.

When an access port is configured with multiple EPGs, one in native 802.1p mode and some with VLAN tags, all packets exiting that access port are tagged in the following manner on the following Cisco Nexus N9K switches:

N9K-C9396PX
N9K-C93128TX
N9K-C9372PX
N9K-C9372TX
N9K-C9372PX-E
N9K-C9372TX-E
N9K-C93120TX
N9K-C9332PQ

Packets on the native VLAN exit the access port tagged as VLAN zero.

Packets from other EPGs exit with their respective VLAN tags.

Note

Certain older network interface cards (NICs) that send traffic on the native VLAN untagged, drop return traffic that is tagged as VLAN 0. This is normally only a problem on interfaces configured as trunk ports. However, if an Attachable Entity Profile (AEP) for an access port is configured to carry the infra VLAN, then it is treated as a trunk port, even though it is confugred as an access port. In these circumstances, packets sent on the native VLAN from the switch with NFE will be tagged as VLAN 0, and older switch NICs may drop them. Options to address this issue include:

Removing the infra VLAN from the AEP.
Configuring "port local scope" on the port. This enables per-port VLAN definition and allows the switch equipped with NFE to send packets on the native VLAN, untagged.

On switch hardware that is capable of running in ACI mode, other than the models listed above, the 802.1p-mode EPG packets on the native VLAN exit the access port untagged and packets from other EPGs exit with their respective VLAN tags.

When configuring QoS for an EPG, the default value is QoS Class 3. When configuring QoS in a contract, the QoS class must be explicitly set. The QoS tagging explicitly specified in a contract takes precedence over the default EPG QoS tagging.

Note

For any access port, only one native 802.1p EPG is allowed, or only one untagged EPG is allowed. It can be one or the other but not both.

When an EPG is deployed as untagged, do not deploy that EPG as tagged on other ports of the same switch.

*************************

So what does that all mean?

Assuming that VLAN 10 and VLAN 20 are two different EPGs, it means that you should configure the port that connects to the autonomous access point like this:

Make sure you have an Access Policy Chain configured that includes a VLAN Pool with VLAN 10 and VLAN 20, and is linked via a Physical Domain (lets call it AP.VLANs-VLAN.Pool) to an AEP that is linked to an Access Port Policy Group that is linked to an Interface Selector/Interface Profile/Leaf Profile combination that defines the port (lets call it port 10n/1/x) where the autonomous access point connects.
for the EPG that represents VLAN 20, make sure you

Link it to the AP.VLANs-VLAN.Pool
Configure a static mapping to port 10n/1/x as a trunk port using vlan-20

for the EPG that represents VLAN 10, make sure you

Link it to the AP.VLANs-VLAN.Pool
Configure a static mapping to port 10n/1/x as a 802.1p port using vlan-10

The Bottom Line

What this will do is make ACI send packets for VLAN 10 with a VLAN tag of 0. That should be good for the AP to recognise the frame as on the native VLAN, BUT if the AP has a problem reading frames with a VLAN tag of 0, you could try setting the Per-Port VLAN attribute on the Access Port Policy Group.

I hope this helps

RedNectar
aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

nexus13213 · ‎08-02-2017

Hi Chris,

I've tried with 802.1p access vlan 10, it works, I can access BVI IP.

but when i add the vlan trunk 20 on the other epg, i lost the connection to the BVI IP.

any suggestion Chris ?

thanks

nexus13213 · ‎08-09-2017

Hi Chris,

I have Configured "port local scope" on the port, And that solves the problem.

thanks Chris.

RedNectar · ‎08-09-2017

Glad it worked!

RedNectar
aka Chris Welsh

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.