BDI CPU punt issue

Paheeradan Nagulan · ‎03-15-2025

Experts,

We have a Cisco 8300 router(C8300-1N1S-6T Chassis) that is configured with a BDI interface(gi0/0/1 and Gi0/0/2). Those two interfaces are connecting a VPC switch on the other side(Nexus 9k).

When the C8300 connects to one Nexus 9k, it is working fine. But when we brought the other leg up(the link to the other Nexus 9k) we saw this message.

"%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:002 TS:00037341582855160288 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from BDI2 src ip: x.x.x.x"
"%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:002 TS:00037341582855160288 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from BDI2 src ip: y.y.y.y"

Those x.x.x.x and y.y.y.y addresses are the SVI vlan 2 interface ip addresses

What could be cause of this?

Thanks

marce1000 · ‎03-16-2025

- Review this thread : https://community.cisco.com/t5/routing/punt-inject-5-drop-punt-cause/td-p/5005264

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Paheeradan Nagulan · ‎03-18-2025

Thanks @marce1000. Let me check it out.

M02@rt37 · ‎03-16-2025

Hello @Paheeradan Nagulan

Please share outputs, on both Nexus:

#show spanning-tree vlan 2

#show vpc brief

#show vpc consistency-parameters

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Joseph W. Doherty · ‎03-16-2025

You're connecting two (same) BDI interfaces to a (same) vPC on a pair of Nexus? If so, wouldn't that logically be looping the vPC?

For the connecting to a (same) vPC, I would think you would want a port-channel on the router.

Paheeradan Nagulan · ‎03-18-2025

Hi @Joseph W. Doherty ,The interesting part is we have another c8200 that is connected to the same nexus 9k and it is working fine. So that's why we should this would be work. I thought in VPC, if the vpc gets a member frame via a peer-link, it wouldn't forward it through the other member port. So no looping would happen. I have to do a packet capture to see that!

Joseph W. Doherty · ‎03-18-2025

If the same exact setup is working on another 8200, I'm much more surprised it does, rather than the current attempt does not.

Basically, as far as I know, when using Etherchannel, both sides should be configured to use it.

What's the reason for using a BDI on the 8200 rather than a port-channel?

Also, using a BDI on a router, I would consider unusual. Some common risks in using usual solutions, those later maintaining the device are more likely to make mistakes due to lack of familiarity, the feature may not be as well optimized as more commonly used features and you're more likely to be the first to stub your toe on a bug.

BTW, I'm not saying using an unusual solution is "bad", just it should be recognized it may create additional risk.

Laugh, two true stories. In my first programmer job, I found what appeared to be a feature bug in the (mainframe manufacturer's) software I was using. I went through (the somewhat arduous) process to document the issue. A couple of months later, the "fix" came out. The "fix" was, the few manual pages documenting the feature were replaced with "This page left intentionally blank."

Years later I was using a brand new OS feature on an IBM mainframe. It got back to me, what I was doing crashed the mainframe (which as a user, was considered almost impossible to do).

When IBM first found the "root cause" of the crash, supposedly the comment was made "who the duck used this feature like this?!". IBM admitted they never considered using the feature as I was doing, but really no reason why you shouldn't. So the fixed it (and not with blank manual replacement pages).

Paheeradan Nagulan · ‎03-16-2025

Hi M02@rt37 ,

Po4 is the one that connects to the c9800 device. On R2, the link is down since we shut down on the 9800 side and R1 is the link is up.

Here is the output on R2

show spanning-tree vlan 2

VLAN0002
Spanning tree enabled protocol rstp
Root ID Priority 8194
Address 0023.04ee.be64
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8194 (priority 8192 sys-id-ext 2)
Address 0023.04ee.be64
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 1 128.4096 (vPC peer-link) Network P2p
Po3 Desg FWD 1 128.4098 (vPC) P2p
Po4 Desg FWD 1 128.4099 (vPC) P2p
Po14 Desg FWD 1 128.4109 (vPC) P2p
Po100 Desg FWD 1 128.4195 (vPC) P2p

CR01# show vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : secondary, operational primary
Number of vPCs configured : 15
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 150s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Enabled
Virtual-peerlink mode : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1 up 1-2,5-6,13-14,22-23,25,27-28,30-31,42-43,68,70,
79-80,100,117,120-122,124-126,135-136,150,154,156
,160,170,172,174-176,178,180,184-185,188,195,
198-201,203-208,214-215,220-224,244-249,255,277,
280,284,290,292,298,300-302,304,306,309,311-312,
314,316,319-321,325,330,335-338,366-373,399-400, ...

vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
2 Po2 down* success success -

3 Po3 up success success 2

4 Po4 up success success 2

5 Po5 up success success 1,79,154,156,170,
175-176,178,188,
198,200,277,1000
6 Po6 up success success 172,249,999-1000

8 Po8 down* Not Consistency Check Not -
Applicable Performed
9 Po9 down* Not Consistency Check Not -
Applicable Performed
12 Po12 up success success 1,5,30,120,125,309
,368-369,373,
430-433,435,551,
556,561,809
13 Po13 up success success 1,5,30,120,125,309
,368-369,373,
430-433,435,551,
556,561,809
14 Po14 up success success 2

15 Po15 up success success 13,80,154,248,277,
366-369,550-551,
555-556,560-561,
1255-1256
16 Po16 up success success 13,80,154,248,277,
366-369,550-551,
555-556,560-561,
1255-1256
20 Po20 up success success 1,5-6,13-14,22-23,
25,27-28,30-31,
42-43,68,70,79-80,
100,117,120-122,
124-126,135-136,
150,154,156,...,
21 Po21 down* success success -

100 Po100 up success success 1-2,5-6,13-14,
22-23,25,27-28,
30-31,42-43,68,70,
79-80,100,117,
120-122,124-126,
135-136,150,...,

Please check "show vpc consistency-parameters vpc <vpc-num>" for the
consistency reason of down vpc and for type-2 consistency reasons for
any vpc.

CR01# show vpc consistency-parameters global

Legend:
Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
STP MST Simulate PVST 1 Enabled Enabled
STP Port Type, Edge 1 Edge, Disabled, Edge, Disabled,
BPDUFilter, Edge BPDUGuard Enabled Enabled
STP MST Region Name 1 "" ""
STP Disabled 1 None None
STP Mode 1 Rapid-PVST Rapid-PVST
STP Bridge Assurance 1 Enabled Enabled
STP Loopguard 1 Disabled Disabled
STP MST Region Instance to 1
VLAN Mapping
STP MST Region Revision 1 0 0
Interface-vlan admin up 2 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,150,154,156,17 135-136,154,156,160,17
Interface-vlan routing 2 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
capability ,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,150,154,156,17 135-136,154,156,160,17
VTP password 2
VTP pruning status 2 Disabled Disabled
VTP version 2 1 1
VTP mode 2 Transparent Transparent
VTP domain 2
Xconnect Vlans 1
QoS (Cos) 2 ([0-7], [], [], [], ([0-7], [], [], [],
[], [], [], []) [], [], [], [])
Network QoS (MTU) 2 (9216, 9216, 9216, (9216, 9216, 9216,
9216, 9216, 9216, 9216, 9216, 9216,
9216, 9216) 9216, 9216)
Network Qos (Pause: 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
T->Enabled, F->Disabled) F) F)
Input Queuing (Bandwidth) 2 (0, 0, 0, 0, 0, 0, 0, (0, 0, 0, 0, 0, 0, 0,
0) 0)
Input Queuing (Absolute 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
Priority: T->Enabled, F) F)
F->Disabled)
Output Queuing (Bandwidth 2 (100, 0, 0, 0, 0, 0, (100, 0, 0, 0, 0, 0,
Remaining) 0, 0) 0, 0)
Output Queuing (Absolute 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
Priority: T->Enabled, T) T)
F->Disabled)
Allowed VLANs - 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,150,154,156, 135-136,150,154,156,
160,170,172,174-176, 160,170,172,174-176,
178,180,184-185,188, 178,180,184-185,188,
195,198-201,203-208, 195,198-201,203-208,
214-215,220-224, 214-215,220-224,
244-249,255,277,280, 244-24...55,277,280,
Local suspended VLANs - - -

----------------

Here is the output on R2

CR02# show spanning-tree vlan 2

VLAN0002
Spanning tree enabled protocol rstp
Root ID Priority 8194
Address 0023.04ee.be64
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8194 (priority 8192 sys-id-ext 2)
Address 0023.04ee.be64
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1 Root FWD 1 128.4096 (vPC peer-link) Network P2p
Po3 Desg FWD 1 128.4098 (vPC) P2p
Po14 Desg BLK 1 128.4109 (vPC) P2p
Po100 Desg FWD 1 128.4195 (vPC) P2p
Eth1/18 Desg FWD 4 128.69 Edge P2p

---------
CR02# show vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : primary, operational secondary
Number of vPCs configured : 15
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 150s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Enabled
Virtual-peerlink mode : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1 up 1-2,5-6,13-14,22-23,25,27-28,30-31,42-43,68,70,
79-80,100,117,120-122,124-126,135-136,150,154,156
,160,170,172,174-176,178,180,184-185,188,195,
198-201,203-208,214-215,220-224,244-249,255,277,
280,284,290,292,298,300-302,304,306,309,311-312,
314,316,319-321,325,330,335-338,366-373,399-400, ...

vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
2 Po2 down* Not Consistency Check Not -
Applicable Performed
3 Po3 up success success 2

4 Po4 down* success success -

5 Po5 up success success 1,79,154,156,170,
175-176,178,188,
198,200,277,1000
6 Po6 up success success 172,249,999-1000

8 Po8 down* Not Consistency Check Not -
Applicable Performed
9 Po9 down* Not Consistency Check Not -
Applicable Performed
12 Po12 up success success 1,5,30,120,125,309
,368-369,373,
430-433,435,551,
556,561,809
13 Po13 up success success 1,5,30,120,125,309
,368-369,373,
430-433,435,551,
556,561,809
14 Po14 down* success success -

15 Po15 up success success 13,80,154,248,277,
366-369,550-551,
555-556,560-561,
1255-1256
16 Po16 up success success 13,80,154,248,277,
366-369,550-551,
555-556,560-561,
1255-1256
20 Po20 up success success 1,5-6,13-14,22-23,
25,27-28,30-31,
42-43,68,70,79-80,
100,117,120-122,
124-126,135-136,
150,154,156,...,
21 Po21 down* success success -

100 Po100 up success success 1-2,5-6,13-14,
22-23,25,27-28,
30-31,42-43,68,70,
79-80,100,117,
120-122,124-126,
135-136,150,...,

Please check "show vpc consistency-parameters vpc <vpc-num>" for the
consistency reason of down vpc and for type-2 consistency reasons for
any vpc.
====================================================
CR02# show vpc consistency-parameters global

Legend:
Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
STP MST Simulate PVST 1 Enabled Enabled
STP Port Type, Edge 1 Edge, Disabled, Edge, Disabled,
BPDUFilter, Edge BPDUGuard Enabled Enabled
STP MST Region Name 1 "" ""
STP Disabled 1 None None
STP Mode 1 Rapid-PVST Rapid-PVST
STP Bridge Assurance 1 Enabled Enabled
STP Loopguard 1 Disabled Disabled
STP MST Region Instance to 1
VLAN Mapping
STP MST Region Revision 1 0 0
Interface-vlan admin up 2 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,154,156,160,17 135-136,150,154,156,17
Interface-vlan routing 2 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
capability ,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,154,156,160,17 135-136,150,154,156,17
VTP password 2
VTP pruning status 2 Disabled Disabled
VTP version 2 1 1
VTP mode 2 Transparent Transparent
VTP domain 2
Xconnect Vlans 1
QoS (Cos) 2 ([0-7], [], [], [], ([0-7], [], [], [],
[], [], [], []) [], [], [], [])
Network QoS (MTU) 2 (9216, 9216, 9216, (9216, 9216, 9216,
9216, 9216, 9216, 9216, 9216, 9216,
9216, 9216) 9216, 9216)
Network Qos (Pause: 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
T->Enabled, F->Disabled) F) F)
Input Queuing (Bandwidth) 2 (0, 0, 0, 0, 0, 0, 0, (0, 0, 0, 0, 0, 0, 0,
0) 0)
Input Queuing (Absolute 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
Priority: T->Enabled, F) F)
F->Disabled)
Output Queuing (Bandwidth 2 (100, 0, 0, 0, 0, 0, (100, 0, 0, 0, 0, 0,
Remaining) 0, 0) 0, 0)
Output Queuing (Absolute 2 (F, F, F, F, F, F, F, (F, F, F, F, F, F, F,
Priority: T->Enabled, T) T)
F->Disabled)
Allowed VLANs - 1-2,5-6,13-14,22-23,25 1-2,5-6,13-14,22-23,25
,27-28,30-31,42-43,68, ,27-28,30-31,42-43,68,
70,79-80,100,117, 70,79-80,100,117,
120-122,124-126, 120-122,124-126,
135-136,150,154,156, 135-136,150,154,156,
160,170,172,174-176, 160,170,172,174-176,
178,180,184-185,188, 178,180,184-185,188,
195,198-201,203-208, 195,198-201,203-208,
214-215,220-224, 214-215,220-224,
244-249,255,277,280, 244-24...55,277,280,
Local suspended VLANs - - -

Giuseppe Larosa · ‎03-17-2025

Hello @Paheeradan Nagulan ,

I agree with @Joseph W. Doherty 's answer.

You should use a L2 or L3 portchannel on the Cat8200 side and not a BDI when connecting to a Nexus vPC the issue is that you are attempting to use the wrong feature ( IRB with BDI Bridge Domain Interface) in connecting to a vPC that is a port-channel emulated by two Nexus boxes working in a vPC pair.

The errors reported in the first post :

"%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:002 TS:00037341582855160288 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from BDI2 src ip: x.x.x.x"
"%IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:002 TS:00037341582855160288 %PUNT_INJECT-5-DROP_PUNT_CAUSE: punt policer drops packets, cause: for-us-ctrl (0x37) from BDI2 src ip: y.y.y.y"

These are likely caused by the attempt to bridge between the member interfaces of the bridge domain on the Cat8200.

Review your design using the white paper vPC supported design or best practices.

Hope to help

Giuseppe

Paheeradan Nagulan · ‎03-18-2025

Hi @Giuseppe Larosa , Yes, it makes sense. Let me read the Vpc white paper. The interesting part is we have another c8200 that is connected to the same nexus 9k and it is working fine. So that's why we should this would be work. Thanks for commenting! Appreciate it!