12-09-2020 03:28 PM
Hi, I am having a weird problem I cannot explain, and I need your input to solve this mystery. I have a Viptela vEdge connected to a Juniper EX switch/router that is the gateway to the Internet. This vEdge router has many inbound/outbound IPsec connections and worked just fine. Today I needed to enforce stateless ACL rules for traffic going to the EX switch's control plane (same as IOS's control plane policing). The ACL only affects traffic going to the router's control plane CPU (Juniper calls it the Routing Engine); it does not affect transit traffic coming into or going out of the Viptela vEdge. However, after the change was made, the vEdge reported that BFD over those IPsec tunnels was down and therefore brought down those IPsec tunnels. I had to immediately roll back the change.
I cannot make sense of this behavior. Does Viptela vEdge depend on some control traffic directly to its gateway device that I might have missed?
Thanks,
12-10-2020 05:22 AM
By default BFD uses CS6 for marking. Check with Juniper to see if this might get caught up in the control plane ACL. Even though the traffic is transit, it may see that as "control" traffic and punt it.
12-10-2020 08:47 AM
Thanks for your reply. Why would any device punt a packet based on QoS marking? Regardless, BFD packets are encapsulated inside IPsec, right? There is no BFD session running between Viptela and the Juniper EX switch.
12-10-2020 08:58 AM
That's a great question. I have seen some odd behavior with packets marked CS6 before. It is not a common marking for transit packets. Typically CS6 is used for control packets or routing advertisements which are locally terminated. Your original question was what might be causing traffic to hit the control plane ACL. I was offering an idea, given that this is an odd marking and could be misunderstood as a local control packet for some reason due to the marking.
Correct on the second part: BFD is effectively between two edge routers and should be transparent to the router in between. It is just a transit UDP packet that is marked CS6.
12-10-2020 09:35 AM
Transit ESP packet or UDP packet?