Configuring Transparent and Remove Tags Modes for Bridge Domain
Starting from Netvisor ONE release 6.1.0, a new VXLAN transport mode, transparent has been added to the bridge domain configuration. This new mode can be used when end-to-end VLAN tag and CoS field (priority bits) transparency (i.e., preservation) is required.
Starting from the same release, there is an additional remove-tags mode, which can be used when 802.1Q tag preservation is not required. The typical use case is when an untagged host needs to talk to a VLAN-tagged one or with one configured with two tags.
Note: In this mode outer-vlan is not supported as standalone parameter and produces an error if used in the configuration of bridge domain ports. The user can instead specify both the outer-vlan and inner-vlan parameters in the port configuration.
Furthermore, starting from Netvisor ONE release 6.1.1 the remove-tags mode has been extended to support all port types with the same bridge domain (with the above exception of outer-vlan mode): untagged, tagged or double-tagged.
In this mode, when a packet is received on a port, the hardware removes all the VLAN tags flagging it as "untagged" and keeping it untagged also during VXLAN encapsulation. Then, after being decapsulated and when going out of the egress port, zero, one or two tags will be added to the packet depending on the egress port type. In this mode, CoS field (priority bits) configuration has been added too, as discussed below.
Note: Supporting multiple BD modes provides flexibility for numerous use cases, however BD modes must be configured consistently across bridge domain end points. In other words, a BD end point configured with local scope in remove-tags mode will not talk to another end point on a different switch configured with local scope in, say, auto mode.
First off, use the vxlan-inner-packet parameter to select a mode or modify it:
CLI (network-admin@switch) > bridge-domain-create name <name> scope <scope> vxlan <vxlan-id> vxlan-inner-packet auto|remove-tags|transparent
CLI (network-admin@switch) > bridge-domain-modify name <bridge-domain-name> vxlan-inner-packet auto|remove-tags
Auto is the implicit default transport mode, which represents the pre-6.1.0 mode of operation. In the VXLAN transport it removes the outer VLAN tag for 802.1ad-tagged packets and retains the VLAN tag for 802.1Q-tagged packets.
Instead, the new transparent and remove-tags modes must be configured explicitly by the user to be applied to the VXLAN transport.
When a bridge domain is created in transparent mode there are some important configuration limitations/requirements to keep in mind:
- Transparent mode is supported only with ports configured with the vlans or outer-vlan parameter, but not with both for the same bridge domain.
- The bridge-domain-modify command is not supported. Instead, you must delete the BD followed by adding the BD again by using the commands, bridge-domain-delete, followed by bridge-domain-add.
- The bridge-domain-port-modify command is not supported. Instead, use bridge-domain-port-remove followed by bridge-domain-port-add commands.
- Untagged ports are not supported.
- For 802.1ad-tagged (QinQ) ports, use outer-vlan <vlan-id> parameter only. The inner-vlan parameter is not supported while using the bridge-domain-port-add command.
- On all the ports of a transparent bridge domain the user needs to configure a common global VLAN, which needs to be set aside specifically for that use in the fabric.
- The user does not need to configure a special rsvd-vlan on clusters. Netvisor ONE takes care of that automatically.
- Local scope is not supported.
- The user needs to add both vlan and q-in-q TPIDs on cluster links.
- Netvisor ONE supports both the parameters: mac-learning|no-mac-learning to enable or disable MAC learning on a bridge domain. However, we recommend enabling MAC learning. If you disable MAC learning by using the parameter, no-mac-learning, then it may lead to unnecessary flooding including to cluster and CPU port.
- The port congestion displayed in the port-stats-show port 0 (CPU port) reflects packets dropped by the hardware rate-limiter that exceeds the configured Q threshold to protect the CPU. This includes flooded (BUM) traffic.
Here is an example of transparent bridge domain creation:
CLI (network-admin@switch) bridge-domain-create name transparent-bd scope fabric vxlan-inner-packet transparent vxlan 10000
CLI (network-admin@switch) > bridge-domain-show
Switch name scope vxlan auto-vxlan vxlan-inner-packet mac-learning
------- -------------- ------ ----- ---------- ------------------ ------------
switch transparent-bd fabric 10000 no transparent on
Once the bridge domain is created, you can assign a port configured with a regular 802.1Q VLAN (say, 100) to the transparent bridge domain like so:
CLI (network-admin@switch) > bridge-domain-port-add name transparent-bd port 10 vlans 100
Alternatively, if a port needs to receive 802.1ad double-tagged traffic (with outer VLAN 100), you can add it to the transparent bridge domain like so:
CLI (network-admin@switch) > bridge-domain-port-add name transparent-bd port 11 outer-vlan 100
In the above examples the common global VLAN that gets dedicated to the transparent bridge domain is VLAN 100. The user has to make sure that the same VLAN is used consistently on each transparent bridge domain port. Also, as noted in the limitation list above, ports configured with the vlans parameter and ports configured with the outer-vlan parameter are not allowed to be used in the same transparent bridge domain.
An important requirement with transparent bridge domains is that cluster links (for example, switch ports 8 and 9 on a cluster pair) be manually configured to carry both 802.1Q and 802.1ad TPIDs (namely, 0x8100 and 0x88a8) like so:
CLI (network-admin@switch) > port-config-modify ports 8,9 allowed-tpid vlan,q-in-q
To view the statistics (byte, packet, unicast, multicast, broadcast, input, output, drops) use the following commands:
- To view per tunnel statistics, use the tunnel-stats-show command.
- To view the per VNI (tied to VLAN or bridge-domain) statistics, use the vxlan-stats-show command.
- To view the per port statistics , use the port-stats-show command.
- To view the per port per CoS statistics, use the port-cos-stats-show command.
Use the show-diff-interval <interval-in-secs> formatting option with the above commands to monitor the real-time statistics every <interval-in-secs> seconds. For example,
CLI (network-admin@switch) > tunnel-stats-show show-diff-interval 2
Use the format all option to view detailed statistics.
Starting from Netvisor version 6.1.1, the remove-tags mode supports all port types at the same time on the same physical interface. You can use different bridge domains or even the same bridge domain configured in all modes on the same port.
Note: As with transparent mode, the bridge-domain-port-modify command is not supported. Instead, use bridge-domain-port-remove followed by the bridge-domain-port-add command to change port mode.
To configure remove-tags mode use the command:
CLI (network-admin@switch) > bridge-domain-create name <new-name> scope <scope> vxlan <vxlan-id> vxlan-inner-packet remove-tags
Or, for an existing bridge domain, use the command:
CLI (network-admin@switch) > bridge-domain-modify name <bridge-domain-name> vxlan-inner-packet remove-tags
For example, you can configure multiple port modes on bridge domain BD2 in remove-tags mode like so:
CLI (network-admin@switch) > bridge-domain-show
name scope ports vxlan-inner-packet mac-learning l2-tunneling
---- ------ ----- ------------------ ------------ ------------
BD1 local auto on none
BD2 local 20 remove-tags on none
CLI (network-admin@switch) > bridge-domain-port-add name BD2 port 20 untagged-port-vlan 200
CLI (network-admin@switch) > bridge-domain-port-add name BD2 port 20 vlans 300
The result of the port configuration can be displayed with the command:
CLI (network-admin@switch) > bridge-domain-port-show
name port vlans untagged-port-vlan l2-learning
---- ---- ----- ------------------ -----------
BD2 20 200 none
BD2 20 300 none
You can also configure different BDs on the same port in different modes, for example like so:
CLI (network-admin@switch) > bridge-domain-show
Switch name scope vxlan-inner-packet mac-learning l2-tunneling
------ ---- ----- ------------------ ------------ ------------
switch bd1 local remove-tags on none
switch bd2 local remove-tags on none
switch bd3 local remove-tags on none
CLI (network-admin@switch) > bridge-domain-port-show
switch name port outer-vlan vlans untagged-port-vlan inner-vlan l2-learning
------ ---- ---- ---------- ----- ------------------ ---------- -----------
switch bd1 30 500 none
switch bd2 30 300 none
switch bd3 30 2000 1000 none
It is also possible to configure multiple VLANs on the same port for the same bridge domain:
CLI (network-admin@switch) > bridge-domain-port-show
name port outer-vlan vlans untagged-port-vlan inner-vlan l2-learning
---- ---- ---------- ----- ------------------ ---------- -----------
BD1 25 103 none
BD1 25 104 none
And it is possible to configure multiple combinations of inner and outer VLANs on the same port for the same bridge domain, as shown below:
CLI (network-admin@switch) > bridge-domain-port-show
switch name port outer-vlan vlans untagged-port-vlan inner-vlan l2-learning
------ ---- ---- ---------- ----- ------------------ ---------- -----------
switch BD1 9 2000 1000 none
switch BD1 9 2001 1001 none
switch BD1 9 2002 1002 none
Furthermore, it is possible to configure the egress CoS field value (priority bits) to include in the packet tag by using one of the following commands depending on the egress port type:
- Double-tagged traffic port:
CLI (network-admin@switch) > bridge-domain-port-add name bd1 port 10 outer-vlan 10 outer-cos 7 inner-vlan 100 inner-cos 5
- Single-tagged traffic port:
CLI (network-admin@switch) > bridge-domain-port-add name bd1 port 20 vlans 200 cos 3
Note: The bridge-domain-port-modify command cannot be used to change CoS values.