Configuring Selective Q-In-Vni - Cisco Nexus 9000 Series Configuration Manual

Configuring Selective Q-in-VNI

Configuring Selective Q-in-VNI
Selective Q-in-VNI is a VXLAN tunneling feature that allows a user specific range of customer VLANs on
a port to be associated with one specific provider VLAN. Packets that come in with a VLAN tag that matches
any of the configured customer VLANs on the port are tunneled across the VXLAN fabric using the properties
of the service provider VNI. The VXLAN encapsulated packet carries the customer VLAN tag as part of the
L2 header of the inner packet.
The packets that come in with a VLAN tag that is not present in the range of the configured customer VLANs
on a selective Q-in-VNI configured port are dropped. This includes the packets that come in with a VLAN
tag that matches the native VLAN on the port. Packets coming untagged or with a native VLAN tag are L3
routed using the native VLAN's SVI that is configured on the selective Q-in-VNI port (no VXLAN).
Beginning with Cisco NX-OS Release 7.0(3)I5(2), selective Q-in-VNI is supported on both vPC and non-vPC
ports on Cisco Nexus 9300-EX Series switches. This feature is not supported on Cisco Nexus 9300 Series
and 9200 Series switches.
This feature is also supported with flood and learn in IR mode.
See the following guidelines for selective Q-in-VNI:
• Beginning with Cisco NX-OS Release 7.0(3)I5(2), configuring selective Q-in-VNI on one VXLAN and
• Selective Q-in-VNI is an ingress VLAN tag-policing feature. Only ingress VLAN tag policing is
• Configure the system dot1q-tunnel transit CLI on the vPC switches with selective Q-in-VNI
• The native VLAN configured on the selective Q-in-VNI port cannot be a part of the customer VLAN
• By default, the native VLAN on any port is VLAN 1. If VLAN 1 is configured as part of the customer
• To remove some VLANs or a range of VLANs from the configured switchport VLAN mapping range
Cisco Nexus 9000 Series NX-OS VXLAN Configuration Guide, Release 7.x
30
configuring plain Q-in-VNI on the VXLAN peer is supported. Configuring one port with selective
Q-in-VNI and the other port with plain Q-in-VNI on the same switch is supported.
performed with respect to the selective Q-in-VNI configured range.
For example, selective Q-in-VNI customer VLAN range of 100-200 is configured on VTEP1 and
customer VLAN range of 200-300 is configured on VTEP2. When traffic with VLAN tag of 175 is sent
from VTEP1 to VTEP2, the traffic is accepted on VTEP1, since the VLAN is in the configured range
and it is forwarded to the VTEP2. On VTEP2, even though VLAN tag 175 is not part of the configured
range, the packet egresses out of the selective Q-in-VNI port. If a packet is sent with VLAN tag 300
from VTEP1, it is dropped because 300 is not in VTEP1's selective Q-in-VNI configured range.
configurations. This CLI configuration is required to retain the inner Q-tag as the packet goes over the
vPC peer link when one of the vPC peers has an orphan port. With this CLI configuration, the vlan
dot1Q tag native functionality does not work.
range. If the native VLAN is part of the customer VLAN range, the configuration is rejected.
The provider VLAN can overlap with the customer VLAN range. For example, switchport vlan mapping
100-1000 dot1q-tunnel 200
VLAN range using the switchport vlan mapping <range>dot1q-tunnel <sp-vlan> CLI command, the
traffic with customer VLAN 1 is not carried over as VLAN 1 is the native VLAN on the port. If customer
wants VLAN 1 traffic to be carried over the VXLAN cloud, they should configure a dummy native
VLAN on the port whose value is outside the customer VLAN range.
on the selective Q-in-VNI port, use the no form of the switchport vlan mapping <range>dot1q-tunnel
<sp-vlan> CLI command.
Configuring VXLAN