VLAN Tagging and untagging on the same leaf switch?

SIMMN (Spotlight)

I remember I saw this somewhere in Cisco documents before that " the same leaf switch can not be doing VLAN tagging and untagging at the same time". But I can not find the reference anymore...

 

Wonder if anyone could help confirm the limitation/restriction or provide a quick reference?

 

A migration use case: There is a bare metal server connected to port 1 of the CE switch 1 as Access VLAN 100 and an ESXi host connects to port 2 of the CE switch 1 as trunk. When configuring ACI to migrate from CE, can I still configure ACI Leaf101 port 1 as access VLAN 100 while configuring ACI Leaf101 port 2 as trunk?

 

 


8 Replies

Curtis Parish (Level 1)

You can't have the same VLAN-ID tagged and untagged on the same leaf.  In practice, we have two VLAN-IDs in the VLAN pool for each VLAN  and use one for when the port needs to be tagged and the other for when it does not.   So 1050 may be the tagged VLAN-ID and 1051 the untagged VLAN-ID.  

Not necessarily the same VLAN-ID. I understand the same VLAN ID can not be used for multiple EPGs, but can I have Leaf101 port 1 as untagged/access VLAN 100 and Leaf101 port 2 as trunk for VLAN 10-20?

stcorry (Cisco Employee)

Hello! 

 

Yes, you can do that. I am not sure if it was the same document reference, but it is actually something more like: You cannot do 'Tagged' and 'Untagged Access' in the same EPG on the same Leaf switch. What you can do is have 'Tagged' and '802.1p Access' in the same EPG on the same Leaf with no problem, this is effectively the same thing. 


Thanks, that might be the one...Do you have the link handy?

 

Also, does the restriction only apply to the same VLAN, or also to different VLANs?

stcorry (Cisco Employee, accepted solution)

I was trying to find a doc that states this, but that is proving harder than I thought.  Will post if I find that.

 

The restriction is more for EPGs.  For VLANs you could potentially use a different VLAN in the same EPG for a different Leaf or rather a different VPC domain (as VPC is typically deployed).

 

So you could have something like this:

 

Leaf 1 Port 1: 802.1p Untagged EPG VLAN 100

Leaf 1 Port 2: 802.1q Tagged EPG VLAN 100

Leaf 1 Port 2: 802.1q Tagged EPG VLAN 101


RedNectar (VIP Alumni)

Forgive me for not repeating stuff I've written about before, and double forgiveness begged if this is not useful.  I've cut and pasted the following from:

https://rednectar.net/2016/12/11/cisco-aci-per-port-vlan-feature/

By default Cisco ACI Leaf switches consider every VLAN tag on a particular switch to identify a particular EPG.

Recall from my earlier tutorials, that Cisco ACI does not use VLAN tags to identify VLANs in the traditional sense, but rather it looks at a VLAN tag on an incoming frame to determine what source End Point Group (EPG) is to be used in determining the policy for this frame.

This means that if you needed to use say VLAN tag 1000 to identify EPG1 when traffic arrives at interface Ethernet 1/21, but also use VLAN tag 1000 to identify EPG2 if traffic arrives on interface Ethernet 1/22, the default settings will need to be changed.

I recently had a situation where traffic had to be tunneled through a transparent device (an IPS), so each interface of the device was allocated to a different EPG and different Bridge Domains.  The problem was, the same VLAN has to be used on the ingress side as on the egress side, so both EPGs had to be allocated the same VLAN mapping.  The customer had already tried configuring the ports, but kept getting a “Configuration failed for … due to Encap Already Used in Another EPG” error, so I looked to use the Per Port VLAN feature to rescue them.

[Figure: Physical Layout of IPS and Leaf Switch]

It turned out that the configuration was not quite as straightforward as I expected.  Here is what I did:

First I created a VLAN Scope Policy – or as Cisco has poorly named it, a L2 Interface Policy.

Note: The following menu sequences are for an admin user operating in Advanced mode.  >+ means right-click and choose.

FABRIC > ACCESS POLICIES > Policies > Interface Policies > Policies > L2 Interface >+ Create L2 Interface Policy.

Name: PerPort-VLAN.Scope
Scope: Port Local Scope

Then I created two VLAN Pools.  I had initially tried to use the same VLAN Pool, the same Physical Domain and the same Access Port Policy Groups (APPGs) for each of the two interfaces, but it seems that the L2 Interface Policy requires that when applied to two different EPGs on the same switch, those two EPGs must be associated with two different Physical Domains, and each domain linked to a different VLAN Pool.  If anyone can show me any official Cisco documentation that states this fact, I’d be really grateful as I am to dpita who posted this on his blog and a more readable version on the Cisco Support forum.  The ACI help page does tell us that each EPG must be in a different Bridge Domain, but mentions nothing about requiring different VLAN Pools or physical domains.  Good one Cisco!

So I will get on with it and create the VLAN Pools:

FABRIC > ACCESS POLICIES > Pools > VLAN  >+ Create VLAN Pool

Name: AllVLANs-VLAN.Pool
Allocation Mode: Static
Encap Blocks: (+) VLAN 1 to VLAN 4094

And another to fulfill the separate VLAN Pool requirement

FABRIC > ACCESS POLICIES > Pools > VLAN  >+ Create VLAN Pool

Name: PerPortVLANs-VLAN.Pool
Allocation Mode: Static
Encap Blocks: (+) VLAN 1 to VLAN 4094

Since Domains can only be linked to a single VLAN Pool, clearly two Physical Domains will be required too, and each Domain linked to its respective VLAN Pool,

FABRIC > ACCESS POLICIES > Physical and External Domains > Physical Domains  >+ Create Physical Domain

Name: AllVLANs-PhysDom
VLAN Pool: (+) AllVLANs-VLAN.Pool

FABRIC > ACCESS POLICIES > Physical and External Domains > Physical Domains  >+ Create Physical Domain

Name: PerPortVLANs-PhysDom
VLAN Pool: (+) PerPortVLANs-VLAN.Pool

To keep the separation complete, I also suggest creating two AEPs, although this is not strictly necessary – I could have just used one AEP and added both Physical Domains

FABRIC > ACCESS POLICIES > Global Policies> Attachable Access Entity Profiles  >+ Create Attachable Access Entity Profile

Name: AllVLANs-AEP
Domain: (+) AllVLANs-VLAN.PhysDom

FABRIC > ACCESS POLICIES > Global Policies> Attachable Access Entity Profiles  >+ Create Attachable Access Entity Profile

Name: PerPortVLANs-AEP
Domain: (+) PerPortVLANs-PhysDom

To link these VLAN Pools to interfaces I had to create two Interface Policy Groups – in my case the devices were single attached, so I created two Access Port Policy Groups

FABRIC > ACCESS POLICIES > Interface Policies> Policy Groups >+ Create Access Port Policy Group

Name: AllVLANs-APPG
Attached Entity Profile: AllVLANs-AEP

FABRIC > ACCESS POLICIES > Interface Policies> Policy Groups >+ Create Access Port Policy Group

Name: PPVLAN.PerPortVLANs-APPG
L2 Interface Policy: PerPort-VLAN.Scope
Attached Entity Profile: PerPortVLANs-AEP

Of course, if I was a CLI jockey I would have avoided all of the GUI clicking by issuing the commands:

configure
  vlan-domain AllVLANs-VLAN.Dom
    vlan 1-4094
    exit
  vlan-domain PerPortVLANs-VLAN.Dom
    vlan 1-4094
    exit
  vlan-domain phys type phys
    exit

  template policy-group AllVLANs-APPG
    vlan-domain member AllVLANs-VLAN.Dom
    exit
  template policy-group PPVLAN.PerPortVLANs-APPG
    vlan-domain member PerPortVLANs-VLAN.Dom
    switchport vlan scope local
    exit

and the VLAN Pools, Physical (and L2 and L3) Domains and AEPs would have all been created for me, albeit with each VLAN Pool and Domain being given a name that ends with VLAN.Dom, and an AEP with a name beginning with __ui_ and which can never be deleted from the GUI should I need to do so later. Oh, and two identical L2 Interface policies also beginning with the accursed __ui_

But I digress.

Of course these Access Port Policy Groups had to be assigned to the relevant ports; in my case these were interfaces Ethernet 1/21 and 1/22 on Leaf 101.  I had already created a Leaf Switch Profile named Leaf101-LeafProf and linked it to its matching Interface Profile called (of course) Leaf101-IntProf.

All I had to do now was add two more Interface Selectors to the Leaf101-IntProf Interface Profile.

FABRIC > ACCESS POLICIES > Interface Policies> Interface Profiles > Leaf101-IntProf  >+ Create Access Port Selector

Name: 1:21
Interface IDs: 1/21
Interface Policy Group: AllVLANs-APPG

FABRIC > ACCESS POLICIES > Interface Policies> Interface Profiles > Leaf101-IntProf  >+ Create Access Port Selector

Name: 1:22
Interface IDs: 1/22
Interface Policy Group: PPVLAN.PerPortVLANs-APPG

And of course the alternative version for the click-challenged:

  #This section is already configured 
  leaf-profile Leaf101-LeafProf
    leaf-group Leaf101
      leaf 101
      exit
    leaf-interface-profile Leaf101-IntProf
    exit
  #End of already configured section
  
  leaf-interface-profile Leaf101-IntProf
    leaf-interface-group 1:21
      interface ethernet 1/21
      policy-group AllVLANs-APPG
      exit
    leaf-interface-group 1:22
      interface ethernet 1/22
      policy-group PPVLAN.PerPortVLANs-APPG
      exit
    exit

With the Access Policies now completed, I could now configure the two EPGs with the same VLAN ID (I was using VLAN 1000) back in the Tenant area.  The EPGs had been created earlier with the creative names of EPG1 and EPG2.  In this case each EPG had its own Bridge Domain and both BDs were linked to the same VRF.  First EPG1 configuration:

TENANT > Tenant TenantName > Application Profiles > Tenant-AP > Application EPGs > EPG1 > Domains (VMs and Bare-Metals) >+ Add Physical Domain Association

Physical Domain Profile: AllVLANs-PhysDom

TENANT > Tenant TenantName > Application Profiles > Tenant-AP > Application EPGs > EPG1 > Static Ports >+ Deploy Static EPG on PC, VPC, or interface

Path Type: Port
Path: Pod-1/Node-101/eth1/21
Port Encap (…): VLAN 1000

And then EPG2

TENANT > Tenant TenantName > Application Profiles > Tenant-AP > Application EPGs > EPG1 > Domains (VMs and Bare-Metals) >+ Add Physical Domain Association

Physical Domain Profile: PerPortVLANs-PhysDom

TENANT > Tenant TenantName > Application Profiles > Tenant-AP > Application EPGs > EPG1 > Static Ports >+ Deploy Static EPG on PC, VPC, or interface

Path Type: Port
Path: Pod-1/Node-101/eth1/22
Port Encap (…): VLAN 1000

Or…

  leaf 101
    interface ethernet 1/21
      switchport trunk allowed vlan 1000 tenant TenantName application Tenant-AP epg EPG1
      exit
    interface ethernet 1/22
      switchport trunk allowed vlan 1000 tenant TenantName application Tenant-AP epg EPG2
      exit
    exit
  exit

At this point both EPG1 and EPG2 were happily sending and receiving frames tagged with VLAN 1000 and no traffic was leaking between the two EPGs.  And to complete the picture, here’s the CLI version of the Tenant config:

  tenant TenantName
    vrf context VRF1
      exit
    bridge-domain BD1
      no unicast routing
      vrf member VRF1
      exit
    bridge-domain BD2
      no unicast routing
      vrf member VRF1
      exit
    application Tenant-AP
      epg EPG1
        bridge-domain member BD1
        exit
      epg EPG2
        bridge-domain member BD2
        exit
      exit
    interface bridge-domain BD1
      exit
    interface bridge-domain BD2
      exit
    exit

I hope this helps

RedNectar aka Chris Welsh.

Thanks, I do know the per port VLAN feature and your post is informative. But it is not really what I was asking about :)

 

Here is the link regarding the separate domain/VLAN pool requirement for per port VLAN... Cisco did not clearly state that, but their example in the link shows two separate domains and pools.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L2_config/b_Cisco_APIC_Layer_2_Configuration_Guide/b_Cisco_APIC_Layer_2_Configuration_Guide_chapter_011.html#concept_BC396E1CBB7D4687A9CBBECDDD43DE11

 

Also, the per port VLAN feature works for your case, but it did not work for one of my customers... I feel the feature is more for the multi-tenant VLAN overlapping scenario. When I was trying to use the feature initially, I discovered that ACI internally would map VLAN1000 on the two ports to different numbers (you can see the result using show vlan ex on the leaf), which means that even though the devices connected to ports 1/21 and 1/22 are on the same VLAN1000 from the CE perspective, they cannot communicate as in traditional L2. Also, depending on where the default gateway for VLAN1000 is placed, the device on either 1/21 or 1/22 might not be able to talk to the default gateway...
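The two rules this thread settles on (stcorry's tagged/untagged-access rule per EPG per leaf, and RedNectar's prerequisites for reusing one encap across two EPGs on one leaf) can be checked before a change is pushed. The following is an added example, not code from the thread or from Cisco; the binding plan is constructed, the column layout and the per-port local_scope flag are assumptions, and the mode names are the APIC's own terms for a static path binding (regular = tagged, native = 802.1p access, untagged = access untagged).

```python
from collections import defaultdict

# Constructed plan (not taken from any real fabric): one row per static path
# binding. Columns are assumed: leaf, port, epg, bd, physical domain, encap,
# mode ("regular" = tagged, "native" = 802.1p, "untagged" = access untagged),
# local_scope (True when the port's policy group carries an L2 Interface
# Policy with Scope = Port Local Scope).
PLAN = [
    (101, "1/1",  "EPG-A", "BD-A", "AllVLANs-PhysDom",      100, "native",  False),
    (101, "1/2",  "EPG-A", "BD-A", "AllVLANs-PhysDom",      100, "regular", False),
    (101, "1/21", "EPG1",  "BD1",  "AllVLANs-PhysDom",     1000, "regular", False),
    (101, "1/22", "EPG2",  "BD2",  "PerPortVLANs-PhysDom", 1000, "regular", True),
]


def check_plan(plan):
    """Return fault strings for bindings the thread says the APIC rejects.

    Rule 1 (stcorry): on one leaf, one EPG may not use the same encap both
    tagged ("regular") and untagged; tagged plus 802.1p ("native") is fine.
    Rule 2 (RedNectar, per-port VLAN): on one leaf, one encap may be shared by
    two EPGs only if they sit in different bridge domains, use different
    physical domains (hence different VLAN pools), and at least one of the
    two ports has port-local VLAN scope; otherwise the APIC reports
    "Encap Already Used in Another EPG".
    """
    faults = []
    modes_by_epg = defaultdict(set)     # (leaf, epg, encap) -> modes in use
    uses_by_encap = defaultdict(list)   # (leaf, encap) -> bindings using it
    for leaf, port, epg, bd, dom, encap, mode, local in plan:
        modes_by_epg[(leaf, epg, encap)].add(mode)
        uses_by_encap[(leaf, encap)].append((port, epg, bd, dom, local))
    for (leaf, epg, encap), modes in modes_by_epg.items():
        if {"regular", "untagged"} <= modes:
            faults.append(f"leaf {leaf} EPG {epg}: VLAN {encap} is both tagged and untagged")
    for (leaf, encap), uses in uses_by_encap.items():
        for i, a in enumerate(uses):
            for b in uses[i + 1:]:
                if a[1] == b[1]:        # same EPG on both ports: nothing shared across EPGs
                    continue
                ok = a[2] != b[2] and a[3] != b[3] and (a[4] or b[4])
                if not ok:
                    faults.append(f"leaf {leaf} ports {a[0]} and {b[0]}: VLAN {encap} reused by "
                                  f"{a[1]} and {b[1]} without the per-port VLAN prerequisites")
    return faults


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```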
