Comment: remove statement about configuring traditional mode bridges with NCLU

...

auto vni-1000
iface vni-1000
    bridge-access 100
    bridge-learning off
    vxlan-id 1000
    vxlan-local-tunnelip 10.0.0.1
    
auto vni-3000
iface vni-3000
    bridge-access 200
    bridge-learning off
    vxlan-id 3000
    vxlan-local-tunnelip 10.0.0.1
 
auto swp3
iface swp3
    bridge-access 100
 
auto swp4
iface swp4
    bridge-access 200
  
auto bridge
iface bridge
    bridge-ports swp3 swp4 vni-1000 vni-3000
    bridge-vids 100 200
    bridge-vlan-aware yes
    bridge-vlan-protocol 802.1ad
 

View the Configuration

In the output below, customer A is on VLAN 100 (S-TAG) and customer B is on VLAN 200 (S-TAG).

...

Note

Double tag translation only works with bridges in traditional mode (not VLAN-aware mode). As such, you cannot use NCLU to configure it.

An example configuration could look like the following:

...

auto swp3.100
iface swp3.100
    vlan_protocol 802.1ad
  
auto swp3.100.10
iface swp3.100.10
    mstpctl-portbpdufilter yes
    mstpctl-bpduguard yes
 
auto vni1000
iface vni1000
    vxlan-local-tunnelip  10.0.0.1
    mstpctl-portbpdufilter yes
    mstpctl-bpduguard yes
    vxlan-id 1000
 
auto custA-10-azr
iface custA-10-azr
    bridge-ports swp3.100.10 vni1000
    bridge-vlan-aware no
    bridge-learning vni1000=off
 

You can check the configuration with the brctl show command:

cumulus@switch:~$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
custA-10-azr    8000.00020000004b       yes             swp3.100.10                                              
                                                        vni1000
custB-20-azr    8000.00020000004b       yes             swp3.200.20                                                        
                                                        vni3000
Info

If the bridge is not VXLAN-enabled, the configuration looks like this:

auto swp5.100
iface swp5.100
    vlan-protocol 802.1ad

auto swp5.100.10
iface swp5.100.10
    mstpctl-portbpdufilter yes
    mstpctl-bpduguard yes

auto br10
iface br10
    bridge-ports swp3.10 swp4 swp5.100.10
    bridge-vlan-aware no

Caveats and Errata

Feature Limitations

  • iptables match on double-tagged interfaces is not supported.
  • Single-tagged translation supports only VLAN-aware bridge mode with the bridge’s VLAN 802.1ad protocol.
  • MLAG is only supported with single-tagged translation.
  • No layer 2 protocol (STP BPDU, LLDP) tunneling support.
  • Mixing 802.1Q and 802.1ad subinterfaces on the same switch port is not supported.
  • When configuring bridges in traditional mode, all VLANs that are members of the same switch port must use the same vlan_protocol.
  • When using switches with Mellanox Spectrum ASICs in an MLAG pair:
    • The peerlink (peerlink.4094) between the MLAG pair should be configured for VLAN protocol 802.1ad.
    • The peerlink cannot be used as a backup datapath in the event that one of the MLAG peers loses all uplinks.
  • For switches with the Spectrum ASIC (but not the Spectrum 2), when the bridge VLAN protocol is 802.1ad and is VXLAN-enabled, either: 
    • All bridge ports are access ports, except for the MLAG peerlink.
    • All bridge ports are VLAN trunks.

    This means the switch terminating the cloud provider connections (double-tagged) cannot have local clients; these clients must be on a separate switch.
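
As an added example (not from the Cumulus documentation), the following Python script checks an interfaces file for the caveats above about mixing 802.1Q and 802.1ad subinterfaces on one switch port. It assumes that a subinterface with no vlan-protocol line uses 802.1Q and that vlan_protocol and vlan-protocol name the same attribute; the sample configuration and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: swp3 carries an 802.1ad subinterface (swp3.100) and,
# through bridge-ports, a plain 802.1Q subinterface (swp3.10).
SAMPLE = """\
auto swp3.100
iface swp3.100
    vlan_protocol 802.1ad

auto swp5.100
iface swp5.100
    vlan-protocol 802.1ad

auto br10
iface br10
    bridge-ports swp3.10 swp4 swp5.100.10
    bridge-vlan-aware no
"""

def parse_stanzas(text):
    """Return {iface: {attr: value}}; '_' in attribute names is read as '-'."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] not in ("auto", "allow-hotplug") and current is not None:
            current[words[0].replace("_", "-")] = " ".join(words[1:])
    return stanzas

def mixed_protocol_ports(text, default="802.1Q"):
    """Return {port: {outer_subif: protocol}} for ports mixing VLAN protocols."""
    stanzas = parse_stanzas(text)
    names = set(stanzas)
    for attrs in stanzas.values():
        names.update(attrs.get("bridge-ports", "").split())
    by_port = defaultdict(dict)
    for name in names:
        parts = name.split(".")
        if len(parts) >= 2 and parts[1].isdigit():
            outer = ".".join(parts[:2])  # swp3.100.10 -> outer tag swp3.100
            proto = stanzas.get(outer, {}).get("vlan-protocol", default)  # assumed default
            by_port[parts[0]][outer] = proto
    return {p: s for p, s in by_port.items() if len(set(s.values())) > 1}

if __name__ == "__main__":
    print(mixed_protocol_ports(SAMPLE))
```

An empty result means no switch port in the file mixes VLAN protocols on its outer-tag subinterfaces.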

...