Showing results for 
Search instead for 
Did you mean: 

Tunnel Interfaces - ACI

I have 4 Spine switches and 16 leaf switches in my ACI environment

Under the Fabric, below each node, (Spine or Leaf) I could see a number of tunnel Interfaces configured.

When I check the EPG Information of a specific server under the Fabric Inventory or via the Application Profile, I could see in the Interface column that the End Point is learnt via a VPC Interface or a Tunnel Interface.

When I checked in all the leaf and spine switches, I do not find the tunnel destination IP address to be configured anywhere. Please clarify on the tunnel interfaces, how they are configured and how to we check the communication between nodes via tunnels, why a MAC or End Point is getting learnt via the Tunnel

Secondly, I could see that in a VRF the same IP address is configured across leafs as a Default Gateway of various Bridged Domains. Why does it not create IP conflict of how does ACI handle this IP Conflict.

Cisco Employee

Hello LakshmiPrabu,

A few responses given my assumptions on what you are asking.

1. Assuming you are referring to the TEP (Tunnel Endpoint) addresses assigned to the leaves, those are assigned via DHCP from the APICS as the switch nodes are provisioned into the fabric via Fabric membership.

2. Depending on if you are using some integration with opflex, it may be possible to learn endpoints via tunnels as well as locally via some VPC or interface. It may also show as a tunnel learned endpoint if it is learned locally on another leaf node.

3. ACI spawns the SVI gateways (Pervasive Gateway) on all leaves that need it. Need for a gateway to be programmed on a leaf typically implies that some Endpoint has been learned within that EPG or some static binding exists on that leaf/path on that leaf.

Please reference the following articles for more information on "how":

Layer 3 for Inter-subnet Tenant Traffic

Routing Within the Tenant



Think of tunnel interfaces as a "next-hop" for reaching a specific destination. You can observe that tunnel interfaces are being used when issue the command "show endpoint ip <IP> or mac <MAC>", once obtained the tunnel interface, you can then find out the IP address via

"show interface tunnelx", and then issue "acidiag fnvread | grep <tunnel IP>" to find out which switch the tunnel IP is on. If it's a vPC IP address, you can do a moquery on APIC to find out which vPC pair the IP is picked up from, hence identify the switch.

moquery -c fabricExplicitGEp -f 'fabric.ExplicitGEp.virtualIp==""'

As Gabriel mentioned, they are VTEP in VXLAN term. ACI encapsulate all traffic in VXLAN as soon as the packet/frame hits the switch