Review the following restrictions, limitations, and behavioral characteristics that are associated with Fabric Extend.
Fabric Extend supports the tunnel source IP address using a brouter port interface, a CLIP IP, or a VLAN IP.
For the 16-port and 24-port 5320 Series switches, you must configure a route-map policy to suppress IS-IS redistribution of the FE tunnel subnet:
Configure route-maps to not permit redistribution of the local route used as the tunnel source address (ip-tunnel-source-address command).
Configure an accept policy to deny IS-IS routes that overlap with the destination tunnel IP address.
With IS-IS interface default values, tunnel failure detection can take up to 27 seconds. You can reduce the IS-IS interface hello timers to speed up logical link failure detection, but be careful to avoid link flapping due to values that are too low.
Note
If the number of IS-IS interfaces on a node is greater than 100, it is a good practice to set the hello timer not lower than 5 seconds.
IP filters configured to match IP header fields in the headers of VXLAN encapsulated packets work only when the switch acts as a transit router and does not participate in the initiation or termination of VXLAN traffic.
VLACP is not supported over logical IS-IS interfaces.
CFM Continuity Check Messages are not supported over logical IS-IS interfaces.
If CFM packets transit over a layer 3 tunnel (that is, the CFM packets ingress a Fabric Extend layer 3 core tunnel and egress through another layer 3 core tunnel), the transit SPBM nodes do not display as intermediate hops in the output for CFM l2 traceroute and l2 tracemroute.
This is because the CFM packets are encapsulated in the outer layer 3 header as part of VXLAN encapsulation, and the transit SPBM nodes cannot look into the payload of the VXLAN packet and send a copy of the CFM packet to local CPU for processing.
CFM Layer 2 ping to an MCoSPB source MAC is not supported and can fail if the MAC is reachable through a Fabric Extend tunnel.
Switch-based MAC Security (MACsec) encryption is Layer 2 so it cannot be used with Fabric Extend IP, which is Layer 3.
Service provider Layer 2 connections must be at least 1544 bytes. In this type of deployment the tunnels are point-to-point VLAN connections that do not require VXLAN encapsulation. The default MTU value is 1950.
Layer 2 core and Layer 3 core logical IS-IS interfaces are not supported on the same switch at the same time.
There is no fragmentation and reassembly support in Layer 2 core solutions.
Layer 2 logical IS-IS interfaces are created using VLANs. Different Layer 2 network Service Providers can share the same VLAN as long as they use different ports or MLT IDs.
Service provider IP connections must be at least 1594 bytes to establish IS-IS adjacency over FE tunnels. The 1594 bytes includes the actual maximum frame size with MAC-in-MAC and VXLAN headers. If this required MTU size is not available, a log message reports that the IS-IS adjacency was not established. MTU cannot be auto-discovered over an IP tunnel so the tunnel MTU will not be automatically set. The default MTU value is 1950.
The tunnel destination IP cannot be reachable through an IP Shortcuts route.
Important
If you enable IP Shortcuts and you are using the GRT as the tunnel source VRF, you must configure an IS-IS accept policy or exclude route-map to ensure that tunnel destination IP addresses are not learned through IS-IS.
If you enable IP Shortcuts and you are using a VRF as the tunnel source VRF, this is not an issue.
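An offline pre-check for the route-policy requirements above (the route-map and accept-policy items for the 5320 Series and the IP Shortcuts note), as an added example that is not part of the original documentation or the switch software. It assumes the IS-IS routes, underlay routes, and redistributed local routes have been copied by hand into lists; all function names are hypothetical, the addresses are constructed from documentation ranges, and the longest-match flag compares prefix length only.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not from a real switch.
TUNNELS = [("192.0.2.1", "198.51.100.10"), ("192.0.2.1", "203.0.113.20")]  # (source, destination)
ISIS_ROUTES = ["198.51.100.0/24", "198.51.100.8/29", "10.20.0.0/16"]   # learned through IS-IS
UNDERLAY_ROUTES = ["198.51.100.0/24", "203.0.113.0/24"]                # routes toward the core
REDISTRIBUTED_LOCAL = ["192.0.2.0/24", "10.1.0.0/24"]                  # local routes sent into IS-IS


def covering_prefixes(address, prefixes):
    """Return the prefixes that contain address, most specific first."""
    addr = ipaddress.ip_address(address)
    nets = (ipaddress.ip_network(p) for p in prefixes)
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen, reverse=True)]


def audit_tunnels(tunnels, isis_routes, underlay_routes, redistributed_local):
    """Flag tunnels whose endpoints collide with IS-IS routing (hypothetical helper)."""
    findings = []
    for src, dst in tunnels:
        isis_hits = covering_prefixes(dst, isis_routes)
        if isis_hits:
            underlay_hits = covering_prefixes(dst, underlay_routes)
            best_isis = ipaddress.ip_network(isis_hits[0]).prefixlen
            best_underlay = ipaddress.ip_network(underlay_hits[0]).prefixlen if underlay_hits else -1
            findings.append({
                "tunnel": (src, dst),
                "check": "destination-via-isis",
                "deny_in_accept_policy": isis_hits,
                # Simplification: compares prefix length only, ignores route preference.
                "isis_wins_or_ties_longest_match": best_isis >= best_underlay,
            })
        leaked = covering_prefixes(src, redistributed_local)
        if leaked:
            findings.append({
                "tunnel": (src, dst),
                "check": "source-redistributed",
                "exclude_from_redistribution": leaked,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_tunnels(TUNNELS, ISIS_ROUTES, UNDERLAY_ROUTES, REDISTRIBUTED_LOCAL):
        print(finding)
```

Each finding names the prefixes to deny in the IS-IS accept policy or to exclude from redistribution; the actual route-map and accept-policy configuration is done on the switch and is not shown here.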
The switch requires a single next hop (default gateway) for all tunnels.
Over a Layer 3 core network, on a given outgoing port or MLT, there is no issue as the one router next hop can support multiple VXLAN tunnels to one or more remote sites.
For Layer 3 tunneling over a Layer 2 core, the switch without any specific configuration supports only one Fabric Extend tunnel to one remote site. The workaround for this single next hop issue is to create an additional VRF, VLAN, and loopback interface.
You cannot establish a Virtual IST (vIST) session over a logical IS-IS interface. IST hellos cannot be processed or sent over a logical IS-IS interface if that is the only interface to reach BEBs in vIST pairs.
Assume that vIST is established over a regular network-to-network interface (NNI) and the NNI goes down. If the vIST pairs are reachable through a logical IS-IS interface, then the vIST session goes down in up to 240 seconds (based on the IST hold down timer). During this time, the error message "IST packets cannot be sent over Fabric Extend tunnels, vist session may go down" is logged.
Caution
Expect traffic loss when the vIST session is down or when the error message is being logged.
Port mirroring resources are limited to four ports simultaneously (where each mirroring direction counts as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic then all four mirroring ports are consumed.
Important
To enable any one of the preceding applications, you must have at least one free mirroring resource. If all four port mirroring resources are already in use, the switch displays a "Resource not available" error message when you try to enable the application.
Fabric Extend over IPsec is only supported on 5720 Series, 7520 Series, and 7720 Series using Fabric IPsec Gateway.
Only pre-shared authentication key IPsec parameters are user configurable. Other, third-party solutions are not configurable.
IKEv2 protocol key exchange only.
IPsec support is only added for Fabric Extend tunnels.
IPsec is not supported for regular Layer 3 routed packets.