SOLVED
Hi @Hugo29 !
You didn't mention the model of your switch. It is important, because different models have different restrictions, for example 5930, 5940, 5950 have this one, which I believe is relevant to your case:
When you configure Ethernet service instances, follow these access mode restrictions:
• You must use Ethernet access mode if one of the following criteria is configured:
encapsulation tagged
encapsulation untagged
encapsulation default
• You can use Ethernet access mode or VLAN access mode if any other criterion is configured.
Since the default VSI access mode is VLAN, the command "xconnect vsi vsi456" uses this mode. Instead, the command should look like "xconnect vsi vsi456 access-mode ethernet". But as I mentioned earlier, it may not be applicable to your platform, therefore it always helps when you mention model of the device and s/w version running.
Here is what documentation says about VSI access modes:
==========================================================
The access mode determines how a VTEP processes the 802.1Q VLAN tags in the inner Ethernet frames assigned to the VSI.
• VLAN access mode—Ethernet frames received from or sent to the local site must contain 802.1Q VLAN tags.
- For an Ethernet frame received from the local site, the VTEP removes all its 802.1Q VLAN tags before forwarding the frame.
- For an Ethernet frame destined for the local site, the VTEP adds 802.1Q VLAN tags to the frame before forwarding the frame.
In VLAN access mode, VXLAN packets sent between VXLAN sites do not contain 802.1Q VLAN tags. VXLAN can provide Layer 2 connectivity for different 802.1Q VLANs between sites. You can use different 802.1Q VLANs to provide the same service in different sites.
• Ethernet access mode—The VTEP does not process the 802.1Q VLAN tags of Ethernet frames received from or sent to the local site.
- For an Ethernet frame received from the local site, the VTEP forwards the frame with the 802.1Q VLAN tags intact.
- For an Ethernet frame destined for the local site, the VTEP forwards the frame without adding 802.1Q VLAN tags.
In Ethernet access mode, VXLAN packets sent between VXLAN sites contain 802.1Q VLAN tags. VXLAN cannot provide Layer 2 connectivity for different 802.1Q VLANs between sites. You must use the same 802.1Q VLAN to provide the same service between sites.
==========================================================
I agree with you that for the untagged traffic there is no much difference, but that is mentioned as a restriction and the word 'must' is there too. Nevertheless, I made a quick test in my lab and seems like VSI gets all those MACs traffic from which it receives on the port with service-instance configured. Even without "access-mode ethernet":
[5940-Ten-GigabitEthernet1/1/2]dis l2vpn mac vsi 456
MAC Address State VSI Name Link ID/Name Aging
0016-c8aa-bb59 Dynamic 456 XGE1/1/2 Aging
bcea-fa6f-70d0 Dynamic 456 XGE1/1/2 Aging
--- 2 mac address(es) found ---
[5940-Ten-GigabitEthernet1/1/2]dis mac-add vl 2
MAC Address VLAN ID State Port/Nickname Aging
<5940>dis l2vpn service-instance interface ten1/1/2 service-instance 456 verbose
Interface: XGE1/1/2
Service Instance: 456
Type : Manual
Encapsulation : untagged
Bandwidth : Unlimited
VSI Name : 456
Link ID : 0
State : Up
Statistics : Disabled
<5940>
[5940-Ten-GigabitEthernet1/1/2]dis th
#
interface Ten-GigabitEthernet1/1/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
port trunk pvid vlan 2
#
service-instance 456
encapsulation untagged
xconnect vsi 456
Could you send me output of following commands:
display device slot 1 subslot 2
display device manuinfo slot 1 subslot 2 (!!! remove the serial number from the output !!!)
display interface ten1/2/3
display l2vpn vsi name vsi456 verbose
display mac-address interface ten1/2/3
Also, you've mentioned ports with VC connected that receive untagged frames, are those ports located on the same 5940 as this Ten1/2/3 in question? Could you send their configuration as well, maybe there is a difference...
Hi @Hugo29 !
Yeah, information in the case doesn't match initial description, but I understand, it's security measure.
I don't see any MACs in VLAN2 learned on Ten2/2/4 (I'm looking at the diag, the port is up) and the all the MACs coming from the Cisco SG300 are learned on Ten1/2/10. However, there are no learned MACs inside the VSI102 (display l2vpn mac-address), but the port 2/2/4 is up and vsi102 is up too, so again it's a little bit different from what you see now when executing "display" commands... However, if we take the situation in the diag as a baseline and ignore the fact you see mac addresses learned in vlan 2 on the Ten2/2/4, then I think I know what is the issue and I was able to reproduce it, thanks to the diag in the case - it gave me one important bit of information - "hardware-resource vxlan l3gw8k".
Here is how I reproduced it and what is the solution:
[HPE-Ten-GigabitEthernet1/1/2]dis th
#
interface Ten-GigabitEthernet1/1/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 3999
port trunk pvid vlan 2
shutdown
#
service-instance 1
encapsulation untagged
xconnect vsi vsi102
#
return
[HPE-Ten-GigabitEthernet1/1/2]dis curr conf vsi
#
vsi vsi102
gateway vsi-interface 102
#
return
[HPE-Ten-GigabitEthernet1/1/2]dis curr int vsi102
#
interface Vsi-interface102
#
return
[HPE-Ten-GigabitEthernet1/1/2]dis l2vpn vsi
Total number of VSIs: 1, 0 up, 1 down, 0 admin down
VSI Name VSI Index MTU State
vsi102 0 1500 Down
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]undo shut
[HPE-Ten-GigabitEthernet1/1/2]%Jul 4 05:24:52:141 1976 HPE IFNET/3/PHY_UPDOWN: Physical state on the interface Ten-GigabitEthernet1/1/2 changed to up.
%Jul 4 05:24:52:142 1976 HPE IFNET/5/LINK_UPDOWN: Line protocol state on the interface Ten-GigabitEthernet1/1/2 changed to up.
%Jul 4 05:24:54:203 1976 HPE STP/6/STP_DETECTED_TC: Instance 0's port Ten-GigabitEthernet1/1/2 detected a topology change.
%Jul 4 05:24:54:208 1976 HPE STP/6/STP_NOTIFIED_TC: Instance 0's port Ten-GigabitEthernet1/1/2 was notified a topology change.
[HPE-Ten-GigabitEthernet1/1/2]%Jul 4 05:24:57:191 1976 HPE STP/6/STP_NOTIFIED_TC: Instance 0's port Ten-GigabitEthernet1/1/2 was notified a topology change.
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]dis l2vpn vsi
Total number of VSIs: 1, 1 up, 0 down, 0 admin down
VSI Name VSI Index MTU State
vsi102 0 1500 Up
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]dis mac-address
MAC Address VLAN ID State Port/Nickname Aging
[HPE-Ten-GigabitEthernet1/1/2]dis l2vpn mac
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]
[HPE-Ten-GigabitEthernet1/1/2]exit
[HPE]vsi vsi102
[HPE-vsi-vsi102]dis th
#
vsi vsi102
gateway vsi-interface 102
#
return
[HPE-vsi-vsi102]
[HPE-vsi-vsi102] #### HERE COMES THE SOLUTION ####
[HPE-vsi-vsi102]
[HPE-vsi-vsi102]vxlan 102
[HPE-vsi-vsi102-vxlan-102]%Jul 4 05:25:40:130 1976 HPE IFNET/3/PHY_UPDOWN: Physical state on the interface Vsi-interface102 changed to up.
%Jul 4 05:25:40:131 1976 HPE IFNET/5/LINK_UPDOWN: Line protocol state on the interface Vsi-interface102 changed to up.
[HPE-vsi-vsi102-vxlan-102]
[HPE-vsi-vsi102-vxlan-102]exit
[HPE-vsi-vsi102]exit
[HPE]
[HPE]dis l2vpn mac
MAC Address State VSI Name Link ID/Name Aging
bcea-fa6f-7099 Dynamic vsi102 XGE1/1/2 Aging
bcea-fa6f-70d0 Dynamic vsi102 XGE1/1/2 Aging
--- 2 mac address(es) found ---
[HPE]
[HPE]dis mac-add
MAC Address VLAN ID State Port/Nickname Aging
[HPE]
Please, assign the vxlan to the vsi102 and if my lab test was correct you should see your MAC addresses learned inside the VSI.