
Cisco ACI - Interface configured as L2

Hello Cisco Community -

I just encountered this "Interface configured as L2" fault when configuring a new L3Out (routed sub-interfaces).

As soon as I unchecked "The Infrastructure VLAN has been enabled on the AEP" under the AEP configuration, the fault cleared and the routed sub-interface was created and functional (prior to unchecking this, besides the fault, the subinterface also was not created per the CLI "show interface status" output).

Can you shed more light on why this caused an issue when enabled? Is this as simple as the system believes I want to apply VLANs to a routed sub-interface, which is not compatible?

CC: @RedNectar - similar to issue in https://community.cisco.com/t5/application-centric/aci-l3-out-ospf/td-p/3058834/page/2

Thanks, --Peter

Accepted Solutions

Re: Cisco ACI - Interface configured as L2

Hi @peter2727 ,

Great idea creating a new thread - gets more people involved.

I'll assume that you are familiar with the difference between routed interfaces and switched interfaces.  Many Cisco L3 switches have the ability to turn a switched interface into a routed interface by issuing the command no switchport in the configuration.

ACI switch interfaces have the same ability, but the no switchport command is not so obvious, hence the confusion.

Now, when you configure the Interface Profile in the L3Out, you get 3 choices as to the interface type:

  • Routed interface (= NXOS no switchport)
  • Routed sub-interface (also = NXOS no switchport)
  • SVI interface (= NXOS switchport with an accompanying interface VLAN xxx command somewhere)

Now when you create the L3Out, you link the L3Out to a L3 Domain, and that Domain is linked to a VLAN Pool and an AAEP.

  • If you create an SVI interface (let's say on interface eth1/1), you will allocate a VLAN (let's say VLAN xxx) to that interface, and assign an IP address to it. (Let's say x.x.x.x/24). This will add the (equivalent to the) following lines to your config:
    interface ethernet 1/1
      switchport mode trunk
      switchport trunk allowed vlan xxx
    interface vlan xxx
      ip address x.x.x.x/24
    ... but that's not all. If the associated AAEP has been configured to permit the Infrastructure VLAN (say VLAN zzzz) then the configuration will change slightly because the AAEP has been configured to carry the infrastructure VLAN on every associated interface, so EVERY interface linked to the AAEP will carry a little extra configuration. In our example, it will change the above to:
    interface ethernet 1/1
      switchport mode trunk
      switchport trunk allowed vlan xxx, zzzz
    interface vlan xxx
      ip address x.x.x.x/24
    which will work just fine.
  • If you create a routed interface (let's say on interface eth1/1), you won't need to allocate a VLAN, and the configuration will look like this:
    interface ethernet 1/1
      no switchport      !forces the port into access mode - i.e. all frames leave untagged
      ip address x.x.x.x/24
    and life will be fine...
    ... unless you have also configured the linked AAEP to carry the Infrastructure VLAN on every associated port, because that action forces the port to act as a trunk port, so you have a configuration conflict - you are trying to do something like the following and expecting it to all work together:
    interface ethernet 1/1
      switchport mode trunk
      switchport trunk allowed vlan zzzz
      no switchport
      ip address x.x.x.x/24
    ... and, well - that just doesn't work. You can't have switchport and no switchport both configured at the same time. Like the old saying goes, you can't have your cake and eat it too!
  • Now, the final case of a routed sub-interface is really exactly the same as above, except this time it is a little more obscure because you are actually using a VLAN to define the sub-interface, but again, if you tried to put it into NXOS style config, it would be something like the equivalent of:
    interface ethernet 1/1.xxx
      encapsulation dot1q xxx
      switchport mode trunk
      switchport trunk allowed vlan zzzz
      no switchport
      ip address x.x.x.x/24
    ...hopefully you'll see the above configuration snippet is absolutely crazy and could never work!

which is WHY ACI threw a fault.

I hope this helps


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem


 

RedNectar
aka Chris Welsh



Re: Cisco ACI - Interface configured as L2

Hey,

When you check the "Enable Infrastructure VLAN" on the AEP, this will allow the infrastructure VLAN to be passed over the links that are associated with this AEP (configured as switchport trunk).

Example below, I enabled infra vlan on a specific AEP which is allowed on an interface not used in the fabric.

Leaf1# show int e 1/23 switchport 
Name: Ethernet1/23
  Switchport: Enabled
  Switchport Monitor: not-a-span-dest
  Operational Mode: trunk
  Access Mode Vlan: unknown (default)
  Trunking Native Mode VLAN: unknown (default)
  Trunking VLANs Allowed: 20      -> infra-vlan

The moment you want to configure the interface with a L3 subinterface, the APIC will try to configure the interface as a routed port, but before that it will perform a check if the interface is already configured or not. Since it is already L2 configured, it will raise the fault.

Once you remove the conflicting configuration (infra vlan), the port can be changed to routed port and the subinterface config can be pushed to leaf:

Leaf1# show int e 1/23 stat
----------------------------------------------------------------------------------------------
 Port           Name                Status     Vlan       Duplex   Speed    Type              
----------------------------------------------------------------------------------------------
 Eth1/23        --                  connected  routed     full     10G      SFP-H10GB-ACU2M  
Leaf1# show int e 1/23 switchport 
Name: Ethernet1/23
  Switchport: Disabled

Leaf1# show int br | grep 23
Eth1/23          --      eth  routed  up     none                     10G(D)    -- 
Eth1/23.21       3682    eth  routed  up     none                     10G(D)    -- 

Regards,

Sergiu
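
A pre-check for the conflict both replies describe, added here as an example and not code from either poster or from Cisco: it parses show interface switchport text in the format quoted above and flags ports that are still L2 when a routed interface or routed sub-interface is planned. The sample output, the interface-type labels and the function names are constructed for illustration.

```python
import re

# Constructed sample, in the format of the "show int ... switchport" output above.
SAMPLE = """\
Name: Ethernet1/23
  Switchport: Enabled
  Operational Mode: trunk
  Trunking VLANs Allowed: 20
Name: Ethernet1/24
  Switchport: Disabled
"""

# Hypothetical labels for the three L3Out interface types; only "svi" is L2-compatible.
ROUTED_TYPES = {"routed", "routed-sub"}

def expand_vlans(value):
    """Turn '20,30-32' into {20, 30, 31, 32}; trailing annotations are ignored."""
    vlans = set()
    for m in re.finditer(r"(\d+)(?:-(\d+))?", value):
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vlans.update(range(lo, hi + 1))
    return vlans

def parse_switchport(text):
    """Return {port: {'l2': bool, 'mode': str or None, 'vlans': set of int}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if key == "Name":
            cur = ports.setdefault(val, {"l2": False, "mode": None, "vlans": set()})
        elif cur is None:
            continue
        elif key == "Switchport":
            cur["l2"] = (val == "Enabled")
        elif key == "Operational Mode":
            cur["mode"] = val
        elif key == "Trunking VLANs Allowed":
            cur["vlans"] = expand_vlans(val)
    return ports

def precheck(planned, ports, infra_vlan):
    """planned: [(port, if_type)]. Return [(port, reason)] for ports that would fault."""
    findings = []
    for port, if_type in planned:
        state = ports.get(port)
        if if_type not in ROUTED_TYPES or state is None or not state["l2"]:
            continue  # SVI, unknown port, or port already routed: no L2/L3 clash
        reason = ("infra VLAN %d trunked via AEP" % infra_vlan
                  if infra_vlan in state["vlans"] else "other L2 configuration present")
        findings.append((port, reason))
    return findings
```
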
