Solved: Re: Routed p2p leaf-spine subinterface

Mario Rosi · ‎03-25-2020

I'm wondering how ACI manage ISIS in routed sub-interface when VLAN on the opposed sides of the single p2p are different?

I mean, the equivalent of "encapsulation dot1Q xxx" command that define the real VLAN tag on the routed subinterface, in ACI where is hidden?

Concerning the infra VLAN (3967), it is mapped on each leaf in a different "Platform Indipendent VLAN" and the command "show vlan extended" allow you to see the mapping between the configured one and the one taken from ACI; in p2p for ISIS how exactly does it work this mapping?

Thanks,

Mario

Mario Rosi · ‎03-26-2020

...btw,

i found the answer at my question... i found the right command to see which is the VLAN tag used for the routed sub-interfaces among leaves and spines.

Spine1001# show lld nei
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
Leaf102 Eth1/1 120 BR Eth1/49
Leaf101 Eth1/2 120 BR Eth1/49

Spine1001# show isis interface brief vrf overlay-1
IS-IS process: isis_infra VRF: overlay-1
Interface Type Idx State Circuit MTU Metric Priority Adjs/AdjsUp
L1 L2 L1 L2 L1 L2
loopback0 LOOP 2 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
loopback1 LOOP 3 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
loopback2 LOOP 4 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
loopback3 LOOP 5 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
...
Ethernet1/1.48 P2P 12 Up//Ready 0x01/L1 9366 1 1 64 64 1/1 0/0
Ethernet1/2.46 P2P 13 Up//Ready 0x01/L1 9366 1 1 64 64 1/1 0/0

Leaf101# show isis interface brief vrf overlay-1
IS-IS process: isis_infra VRF: overlay-1
Interface Type Idx State Circuit MTU Metric Priority Adjs/AdjsUp
L1 L2 L1 L2 L1 L2
loopback0 LOOP 2 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
...
Ethernet1/49.88 P2P 4 Up//Ready 0x01/L1 9366 1 1 64 64 1/1 0/0

Leaf102# show isis interface brief vrf overlay-1
IS-IS process: isis_infra VRF: overlay-1
Interface Type Idx State Circuit MTU Metric Priority Adjs/AdjsUp
L1 L2 L1 L2 L1 L2
loopback0 LOOP 2 Up//Ready 0x01/L1 1500 1 1 64 64 0/0 0/0
...
Ethernet1/49.77 P2P 4 Up//Ready 0x01/L1 9366 1 1 64 64 1/1 0/0

Spine1001# show interface ethernet 1/1.48 brief
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth1/1.48 2 eth routed up none 40G(D) --

Spine1001# show interface ethernet 1/2.46 brief
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth1/2.46 2 eth routed up none 40G(D) --

Leaf101# show interface ethernet 1/49.88 bri
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth1/49.88 2 eth routed up none 40G(D) --

Leaf102# show int ethernet 1/49.77 brief
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth1/49.77 2 eth routed up none 40G(D) --

So definitely, VLAN ID = 2 is used (at least in my lab) for the ISIS L3 sub-interfaces.

Done! :)

Mario

View solution in original post

RedNectar · ‎03-25-2020

Hi Mario,

I can see there are a lot of fundamental ACI concepts you need to grasp, so I'll try to keep it simple.

First of all:

ISIS in ACI

Perhaps one of the best places to start to understand ISIS in ACI is to read up a little about ISIS, COOP, BGP and MP-BGP in CIsco ACI. You will probably find an answer I gave on this forum or a better version of it in a blog post.

The key conscept you need to understand it that ISIS exists ONLY as a routing protcol to provide the leaves and spines connectivy (routing) information about how to reach other leaves and spines. Critically, it has absolutely NOTHING to do with transporting traffic from one leaf to another. And therefore, absolutely nothing to do with routed sub-interfaces on the end-point side.

ISIS exists only within the ACI UNDERLAY network (which is called VRF overlay-1 in ACI).

Internal VLANs in ACI

The fact that your infrastructure VLAN (often VLAN 3967, but not necessarily) is potentially mapped to a different VLAN on every switch is just how ACI overcomes the limitations of there being only 4095 possible VLANs.

Because each switch can only support 4095 VLANs, and in a tenanted network there may exist millions of VLANs and multiple instances of the same VLAN ID, Cisco ACI switches simply map every external VLAN (including the infrastructure VLAN) to one of the 4095 locally available VLAN IDs.

As you have discovered, the command show vlan extended lists you the mappings between the user-defined VLANs and the internal VLANs for each switch.

p2p - hello VXLAN

There is no p2p for ISIS.

All traffic from user-attached ports that need to have a p2p like connection to another leaf is carried in VXLAN encapsulation. The way this is done is by allocating a VXLAN Network ID (VNID) to every L2 broadcast domain (Bridge Domain or BD) and every VRF within ACI. If the user-to-user traffic needs to be L2 bridged, it will be transported across the underlay in VXLAN encapsulation using the VNID of the BD. If it is to be routed, it will be VXLAN encapsulated using the VNID of the VRF.

encapsulation dot1Q

I hope that my explanation of VXLAN shows you that looking for the equivalent of "encapsulation dot1Q xxx" is not really relevant. You will never be able to configure the internal VLAN mappings or the internal VXLAN mappings.

For teh record though, you can actually see the bexternal VLAN configuration with a command like show running‑config leaf 101 interface ethernet 1/x where you will see something like:

# Command: show running-config leaf 101 interface ethernet 1/7
# Time: Thu Mar 26 06:15:01 2020
  leaf 101
    interface ethernet 1/7
      # policy-group Common:SharedServices_APPG
      switchport trunk allowed vlan 1001 tenant common application SharedServices_AP epg SharedServices_EPG      exit
    exit

And one final point about the diagram

Thanks so much for adding a diagram to you post. It makes a huge difference to the effort I will put into answering a post if the person posting has clealy made an effort.

You should also know that as far as the APIC connection to the ACI leaves is concerned, the connection is via a bond interface on the APIC (bond0.3967 if the infrastructure VLAN is 3967) with one physical interface active and the other in standby. The command cat /proc/net/bonding/bond0 on the APIC will show you the configuration.

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Mario Rosi · ‎03-25-2020

Hi,

probably the reason of your answer (thanks for your time and effort however) is because of my english; not being my native language sometimes I could be misunderstood about what i'm looking for,... however, i come back on the main reason of my question.

All you have said was already clear for me, my specific question was (i use some show commands so get directly to the point) :

Leaf101 and Spine1001 are ISIS neighbors as you can see using the interfaces below:

Leaf101# show isis adjacency vrf overlay-1
IS-IS process: isis_infra VRF:overlay-1
IS-IS adjacency database:
System ID SNPA Level State Hold Time Interface
4170.000A.0000 N/A 1 UP 00:00:59 Ethernet1/49.88

Spine1001# show isis adjacency vrf overlay-1
IS-IS process: isis_infra VRF:overlay-1
IS-IS adjacency database:
System ID SNPA Level State Hold Time Interface
4070.000A.0000 N/A 1 UP 00:00:54 Ethernet1/2.46

My thought is: ISIS as the whole control plane for the underlay in ACI is working using routed sub-interfaces (yes, sure in vrf overlay-1); but, if in one side, let's say the Spine1001 it is using the .../2.46 and in the Leaf101 it is using the .../49.88, which is the real subinterface tag used internally by ACI to encapsulate ISIS LSAs and realise the ISIS peering (i didn't find the right command to find it)? It was just a curiosity that i have since a few time ago, because for the rest, even though i'm thankful to you for your contribution, it is crystalline :)

I mean, in the classical world, if i've two routers, and i use routed subinterfaces to realise a peering between them, let's say X/Y.10 on one side, and on the other one W/K.20, as it should be, i'd expect to have the same TAG for the encapsulation (despite the number chosen for the subinterfaces)

...or if you prefer i show just with an example on two common routers:

ROUTER1:

interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.252
end

ROUTER2:

interface GigabitEthernet0/0.20
encapsulation dot1Q 10
ip address 10.0.0.2 255.255.255.252
end

...and obviously, traffic between them connected back to back via GE0/0 is going on because of the same VLAN tag ID = 10 on both the sides (doesn't matter the choice of subinterface tag); that's the CORE of my question: "where i find the equivalent of TAG 10 of this example on ACI scenario, which command?).

Just that specific question!

Thanks,
Mario

Mario Rosi · ‎03-26-2020