Layer 2 Subinterfaces

A Layer 2 subinterface is a logical bridging endpoint associated with traffic on an interface distinguished by 802.1Q tags, where each interface, 802.1q tag tuple is treated as a first-class bridging interface.

Like other types of interfaces, an L2 subinterface is a normal bridging endpoint in the bridging domain.

Configurations

Creating a Layer 2 Subinterface

Complete the following steps to configure a Layer 2 (L2) subinterface on an Arista switch:

  1. Configure the parent interface to be a routed port. 
    switch(config)# interface et1
switch(config-if-Et1)# no switchport
  2. Create a subinterface on the parent interface (et1.1), assign 802.1q encapsulation (vlan 100), and assign the forwarding VLAN ID (vlan 200). 
    switch(config-if-Et1)# interface et1.1
switch(config-if-Et1.1)# encapsulation dot1q vlan 100
switch(config-if-Et1.1)# vlan id 200
! VLAN does not exist. Creating vlan 200
  3. An alternative to configuring a forwarding VLAN id is to use VLAN name (office). 
    switch(config)# vlan 200
switch(config-vlan-200)# name office
switch(config-vlan-200)# int et1.2
switch(config-if-Et1.2)# encapsulation dot1q vlan 101
switch(config-if-Et1.2)# vlan name office
  4. Now subinterfaces et1.1 and et1.2 have been created and added to vlanVLAN 200. 
    switch# show interface et1.1-2 status
Port     Name   Status       Vlan     Duplex Speed  Type                  Flags Encapsulation
Et1.1           connected    200      full   10G    dot1q-encapsulation   100

Et1.2           connected    200      full   10G    dot1q-encapsulation   101

MAC Address on Layer 2 Subinterface

MAC addresses can either be statically configured or dynamically assigned behind Layer 2 (L2) subinterfaces.

switch(config)# mac address-table static 0000.000a.000a vlan 200 interface et1.1
switch# show mac address-table interface et1.1-2
          Mac Address Table
--------------------------------------------------------

Vlan  Mac Address     Type     Ports   Moves  Last Move
----  -----------     ----     -----   -----  ---------
 200  0000.000a.000a  STATIC   Et1.1
 200  0000.000b.000b  DYNAMIC  Et1.2   1      0:00:06 ago
Total Mac Addresses for this criterion: 2

MAC address learning can be enabled or disabled on an L2 subinterface using the following commands:

In the following example, the show interface ethernet1.1 switchport command has this running-config:

switch(config-if-Et1.1)# show interface ethernet1.1 switchport
Name: Et1.1
Switchport: Enabled
Administrative Mode: tunnel
Operational Mode: tunnel
MAC Address Learning: disabled
Dot1q ethertype/TPID: 0x8100 (active)
Dot1q VLAN Tag: Allowed
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: ALL
Static Trunk Groups:
Dynamic Trunk Groups:
Source interface filtering: enabled
VLAN forwarding mode: allowedVlansOnly

To enable MAC address learning, use the no mac address learning disabledcommand:

switch(config-if-Et1.1)# no mac address learning disabled

QoS Feature

Supported QoS features are:

Shaping

After creating an L2 subinterface, you can configure a shape rate (in Kbps) on the sub-interface. For example, the shape rate is configured to 50000000 Kbps.

switch(config-if-Et1.1)# shape rate 50000000
The configuration of non-default shape rate results in the allocation of dedicated virtual output queues (VOQ) for the subinterface. Each subinterface allocates four (4) VOQs. Different TC traffic goes to the VOQ according to the following mapping:
TC6-7 : VOQ3
TC4-5 : VOQ2
TC2-3 : VOQ1
TC0-1 : VOQ0

VOQ3 is in strict-priority mode to the other VOQs.

VOQ2, VOQ1, and VOQ0 are in WRR with a static credit ratio 2:3:6 (higher ratio implies more credits).

The subinterface inherits the trust mode of the parent interface.

Before EOS Release 4.24.2F, shaping is supported only on L2 subinterfaces of which the parents are Ethernet interfaces, for example, Et1.1. Beginning with EOS Release 4.24.2F, shaping on L2 subinterface over a parent interface which is port-channel (for example, Po1.1), is supported.

Guaranteed Bandwidth

After configuring shaping on an L2 sub-interface, user can configure a guaranteed bandwidth (in Kbps or percent) on the subinterface using the bandwidth guaranteed command.
switch(config-if-Et1.1)# bandwidth guaranteed 10000000
switch(config-if-Et1.1)# bandwidth guaranteed percent 10

Policing

For policing to work on the L2 subinterface, you must switch to the QoS profile.

Example

switch(config)# hardware tcam
switch(config-hw-tcam)# system profile qos

Sample Policy-map Configuration:

switch(config)# ip access-list a1
switch(config-acl-a1)# statistics per-entry
switch(config-acl-a1)# 10 permit ip any any

switch(config)# class-map type qos match-any c1
switch(config-cmap-qos-c1)# match ip access-group a1

switch(config)# class-map type qos match-any c2
switch(config-cmap-qos-c2)# match vlan 100 0xfff

switch(config)# ipv6 access-list a1
switch(config-ipv6-acl-a1)# statistics per-entry
switch(config-ipv6-acl-a1)# 10 permit ipv6 any any

switch(config)# class-map type qos match-any c3
switch(config-cmap-qos-c3)# match ipv6 access-group a1

switch(config)# policy-map type quality-of-service p1
switch(config-pmap-quality-of-service-p1)# class c1
switch(config-pmap-quality-of-service-p1-c1)# police cir 10 Mbps bc 100000 bytes
    exit
exit
After you create an L2 subinterface, you can configure a policy-map on the sub-interface, similar to the following example.
switch(config-if-Et1.1)# service-policy type qos input p1

Interface Counters

To enable the hardware features for counting packets on L2 subinterfaces ingress and/or egress, use the hardware counter feature command, similar to the following example. In the example, subinterface layer2 is enabled for ingress then enabled for egress.

Example
switch(config)# hardware counter feature subinterface in layer2
switch(config)# hardware counter feature subinterface out layer2
To display the L2 subinterface counters, use the show interface counters command similar to the following example. In the example, subinterface et1.1 is configured to be displayed.
switch# show interfaces et1.1 counters

Port        InOctets      InPkts
Et1.1       0             0

Port         OutOctets    OutPkts
Et1.1        0             0
To clear all of the interface counters, use the clear counters command similar to the following example:
switch# clear counters
To learn counters for a specific L2 interface, use the clear counters command, and specify the L2 subinterface to clear, similar to the following example. In the example, L2 subinterface et1.1 is to be cleared.
switch# clear counters et1.1

Limitations

The following limitations apply to the Layer 2 subinterface feature:
  • A total of 256 Layer 2 subinterfaces with shaping are supported across the entire switch and they can be distributed across any number of Ethernet ports.
  • When a shape rate is configured on an L2 subinterface over a parent interface which is port-channel (example: Po1.1), traffic load-balancing is disabled and is directed to a selected port-channel member. Also, the bandwidth of the port-channel subinterface will be equal to the selected member. However, the show interface command continues to show the bandwidth of the port-channel which is incorrect.
  • After configuring a shape rate on an L2 subinterface, the L2 subinterface must be flapped by using the shut” and no shut commands.
  • Shaping of BUM traffic on L2 subinterfaces is supported only with “ingress replication”.
  • Layer 3 forwarding through SVIs is not supported.
  • Routing through the parent interface of a subinterface is not supported.
  • Control plane processing, such as IGMP snooping and STP BPDU is not supported.
  • When IGMP protocol packets are expected to be forwarded on L2 subinterfaces, then IGMP snooping must be disabled globally on the entire switch using the no ip igmp snooping command. When IGMP snooping is configured on any VLAN, then IGMP protocol packets are discarded by L2 subinterfaces.
  • Double tagged packets arriving on L2 subinterfaces with a single encapsulation dot1q vlan <outer_vid> command configured will match on the outer VLAN tag, and have only the outer VLAN tags terminated.
  • Configuration of double tagged L2 subinterfaces through the encapsulation dot1q vlan <outer_vid> inner <inner_vid> command is not supported.
  • Mixing of shaped and non-shaped subinterfaces under the same parent interface is not supported.
  • Traffic classification on ingress traffic to l2 subinterface is disabled by default. To enable this feature, configure using the qos trust cos command on the parent interface.
  • L2 subinterfaces are not supported in an MLAG environment.

QoS Show Commands

Use the show interfaces status command to display the subinterface status.

Example
switch# show interfaces status sub-interfaces
Port     Name   Status       Vlan     Duplex Speed  Type                Flags Encapsulation
Et1.1           connected    200      full   10G    dot1q-encapsulation       100
Et1.2           connected    200      full   10G    dot1q-encapsulation       101

Use the show vlan command to display the VLAN membership. In the following example, vlan 200 is configured to be displayed.

Example
switch# show vlan 200
VLAN  Name                 Status    Ports
----- ------------------- --------- -------------------
200   office               active    Et1.1, Et1.2, Et5

Use the show qos interface command to display the QoS configuration on an L2 subinterface. In the following example, QoS subinterface Ethernet 1.1 is configured to be displayed.

Example
switch# show qos interface Ethernet 1.1
Ethernet1.1:

   Trust Mode: DSCP
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: 50625 / 50000 kbps

Use the show interface counters with the queue keyword to display the L2 subinterface counters. For example subinterface Ethernet 1.1 is configured to display the L2 subinterface counters.

Example
switch# show interface Ethernet 1.1 counters queue
Aggregate VoQ Counters
Egress   Traffic   Pkts     Octets     DropPkts  DropOctets
Port     Class
------------------------------------------------------------
Et1.1    TC0-1      0        0          0         0
Et1.1    TC2-3      0        0          0         0
Et1.1    TC4-5      0        0          0         0
Et1.1    TC6-7      460266   276159600  109316    65589600

Use the show mac address-table command to display the MAC address on L2 subinterfaces. For example, subinterfaces Et1.1 and Et1.2 are configured to be displayed.

Example
switch# show mac address-table interface et1.1-2
          Mac Address Table
------------------------------------------------------------------

Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
 200    0000.000a.000a    STATIC      Et1.1
 200    0000.000b.000b    DYNAMIC     Et1.2      1       0:00:16 ago
Total Mac Addresses for this criterion: 2