Tech Note: ACI EPG Static Port Bindings — Never pick “untagged”

Liam Keegan
Aug 14, 2020

When you statically bind an EPG to a port, you can choose one of three modes. Here’s why you never want to select Access (Untagged) and always want to pick either Access-802.1p or Trunk-Tagged.

Never pick “Mode: Access (Untagged)”!

Access (Untagged)

If this port were in NX-OS mode, the configuration would look like this:

interface eth1/1
  switchport mode access
  switchport access vlan 50

This mode simply sets the port to an access port, and sets the VLAN that’s associated with the port. There’s no encapsulation since it’s not a trunk port.

Access (802.1p)

interface eth1/1
  switchport mode trunk
  switchport trunk native vlan 50
  switchport trunk allowed vlan 50

With an 802.1p access port, the port type is configured as trunk, but the native VLAN is set to the port’s VLAN. In effect, this port configuration looks and feels to the end device the same as the Access-Untagged configuration, but the port is already in trunk mode.

Trunk (Tagged)

interface eth1/1
  switchport mode trunk
  switchport trunk allowed vlan 50

Once again, virtually the same configuration, except the allowed VLAN is tagged. The end host device has to be configured for that.

So what?

Here’s why you care: you don’t want to set up a port as an Access-Untagged port, because if you ever need to change it (by adding additional EPGs to a static port), you’ll have to change the port type, and that’ll bounce traffic.

Even if you only have one EPG mapped to a port and you don’t need tagging, there’s no downside to setting the port to Access-802.1p. You can then always map more Trunk-Tagged EPGs in the future without any traffic interruption.
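
To find bindings that are still in Access (Untagged) mode, here is an added example (not from the original post): a Python audit over the reply to an APIC class query for fvRsPathAtt. It assumes the APIC object model's mode attribute values regular (Trunk), native (Access 802.1p) and untagged; the tenant, EPG and port names in the sample reply are constructed.

```python
import json
import re

# APIC fvRsPathAtt "mode" value -> label shown in the GUI
MODE_LABEL = {"regular": "Trunk (Tagged)",
              "native": "Access (802.1p)",
              "untagged": "Access (Untagged)"}

# Tenant / application profile / EPG are encoded in the binding's DN
DN_RE = re.compile(r"^uni/tn-([^/]+)/ap-([^/]+)/epg-([^/]+)/rspathAtt-")


def _binding(epg, port, vlan, mode):
    """Build one constructed fvRsPathAtt object for the sample reply."""
    tdn = f"topology/pod-1/paths-101/pathep-[{port}]"
    return {"fvRsPathAtt": {"attributes": {
        "dn": f"uni/tn-Prod/ap-Web/epg-{epg}/rspathAtt-[{tdn}]",
        "tDn": tdn, "encap": f"vlan-{vlan}", "mode": mode}}}


# Constructed sample, shaped like the reply to
# GET /api/node/class/fvRsPathAtt.json
SAMPLE = json.dumps({"totalCount": "3", "imdata": [
    _binding("Frontend", "eth1/1", 50, "untagged"),
    _binding("Backend", "eth1/2", 60, "native"),
    _binding("Storage", "eth1/3", 70, "regular"),
]})


def audit_static_bindings(apic_json):
    """Return one finding per static binding left in Access (Untagged) mode."""
    findings = []
    for item in json.loads(apic_json).get("imdata", []):
        attrs = item.get("fvRsPathAtt", {}).get("attributes")
        if not attrs:
            continue  # some other class in the reply
        mode = attrs.get("mode", "regular")  # APIC default is regular (trunk)
        if mode != "untagged":
            continue
        m = DN_RE.match(attrs.get("dn", ""))
        tenant, ap, epg = m.groups() if m else ("?", "?", "?")
        findings.append({"tenant": tenant, "ap": ap, "epg": epg,
                         "path": attrs.get("tDn"), "encap": attrs.get("encap"),
                         "mode": MODE_LABEL[mode], "suggest": MODE_LABEL["native"]})
    return findings


if __name__ == "__main__":
    for f in audit_static_bindings(SAMPLE):
        print(f"{f['tenant']}/{f['ap']}/{f['epg']} on {f['path']} ({f['encap']}): "
              f"{f['mode']} -> consider {f['suggest']}")
```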

Liam Keegan

Data center/security/collab hack, CCIE #5026, focusing on automation, programmability, operational efficiency and getting rid of technical debt.