xthuijs
Cisco Employee

Introduction

Since the ASR9000 implements its layer 2 environment via the EVC model, there are some differences in how things work compared to regular IOS, which implements the IEEE model.

Core Issue

When using bridge domains on the ASR9000, we need to make sure that the traffic forwarded out of the EFP members carries the correct VLAN tags.

Since the EVC model does not imply any tag rewrite or tag popping by default, you need to make sure that your tag rewrite configuration is correct.

In its simplest form, it makes the most sense to always pop all tags on the EFPs symmetrically, so that the bridge domain internally sees untagged traffic. This is already a requirement when the BD has a BVI interface: the BVI is not VLAN aware and needs to see untagged traffic.

Traffic egressing the other EFPs then gets their respective tags applied again, so that the packets carry the right tags when they are transmitted by that EFP. The "symmetric" keyword of the rewrite ingress tag command takes care of that: the egress rewrite is the inverse of the ingress one.

However, that behavior is NOT the default.

Without such a rewrite you might end up in a scenario where traffic sent out of an EFP configured with encapsulation dot1q 20 actually leaves with a tag stack of 10/100, because the ingress EFP matched that VLAN stack and did not pop it.

Resolution

The ethernet egress-filter strict command, configured per EFP, prevents packets whose VLAN tags do not match the EFP's encapsulation from being transmitted out of that EFP.

This command is NOT on by default, because it comes with a slight performance cost in terms of pps, and if the configuration is done properly it is normally not necessary. In other words, this command protects against misconfigurations of the VLAN encapsulation of packets transmitted out of EFPs.


Packets that fail the strict filter are dropped in the NP with distinct drop reasons (see the NP drop counter article on the support forums for more detail).

Examples

Consider the following example with three EFPs in one bridge domain:

EFP1
  interface e1.1 l2transport
    encapsulation dot1q 10

EFP2
  interface e2.2 l2transport
    encapsulation dot1q 20

EFP3
  interface e10.10 l2transport
    encapsulation dot1q 20

L2VPN configuration
  l2vpn bridge-domain foo
    interface e1.1
    interface e2.2
    interface e10.10

CASES:
When a packet comes in on int e10.10 (so it carries tag 20) and gets flooded, where should this packet go?

  1. int e10.10? - No, because of the "my packet" rule (split horizon): a frame is never flooded back out of the EFP it arrived on.
  2. int e2.2? - Yes; its encapsulation (dot1q 20) matches the tag the frame carries.
  3. int e1.1? - This is the questionable one.

In case 3 we would send a packet carrying tag 20 out of a VLAN 10 EFP, because nothing rewrites the tag on the way through the bridge domain.
Egress-filter strict will prevent that behavior by dropping the frame at e1.1.

The proper way to handle this is of course to do tag translation via the rewrite ingress tag rules, so that each EFP transmits the tag it is configured for.
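As an added example (not code from the original article, nor Cisco's), the following Python model reproduces the flooding decision above: an EFP matches on its encapsulation, a symmetric rewrite is undone on egress, split horizon keeps the frame off the ingress EFP, and egress-filter strict drops any frame whose tags no longer match the egress EFP. The EFP names and VLAN ranges follow the example above and the comment thread below (dot1q 10-200 on two EFPs); the matching rules are simplified assumptions, and the NP drop-reason names are not modelled. It goes slightly beyond the text by also modelling the "rewrite ingress tag pop 1 symmetric" fix so the three configurations can be compared side by side.

```python
"""Model of bridge-domain flooding in the ASR9000 EVC model, with and without
'ethernet egress-filter strict'. Added example, not code from the original
article; the EFP names, the VLAN ranges and the simplified matching rules are
assumptions made for illustration, and NP drop-reason names are not modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]


@dataclass
class EFP:
    name: str
    encap: Tuple[Range, ...]            # one (lo, hi) VLAN range per tag level; () = untagged
    rewrite: Optional[Tuple] = None     # ('pop', n) or ('translate', vlan), always symmetric
    strict: bool = False                # 'ethernet egress-filter strict' on this EFP

    def __post_init__(self) -> None:
        # The article's comments note that strict cannot be applied to an untagged EFP,
        # and a symmetric pop/translate must know which single tag to push back on egress.
        if self.strict and not self.encap:
            raise ValueError(f"{self.name}: egress-filter strict needs a tagged encapsulation")
        if self.rewrite:
            levels = self.rewrite[1] if self.rewrite[0] == "pop" else 1
            if any(lo != hi for lo, hi in self.encap[:levels]):
                raise ValueError(f"{self.name}: symmetric rewrite needs single-VLAN encapsulation")

    def matches(self, tags: List[int]) -> bool:
        """True if the frame's outer tag(s) fall inside this EFP's encapsulation."""
        if not self.encap:
            return len(tags) == 0
        if len(tags) < len(self.encap):
            return False
        return all(lo <= t <= hi for t, (lo, hi) in zip(tags, self.encap))

    def ingress(self, tags: List[int]) -> List[int]:
        """Ingress half of the rewrite: what the bridge domain sees after this EFP."""
        if not self.rewrite:
            return list(tags)
        if self.rewrite[0] == "pop":
            return list(tags[self.rewrite[1]:])
        return [self.rewrite[1]] + list(tags[1:])        # translate 1-to-1

    def egress(self, tags: List[int]) -> List[int]:
        """Egress half ('symmetric'): re-add the encapsulation tag(s) this EFP removed."""
        if not self.rewrite:
            return list(tags)
        if self.rewrite[0] == "pop":
            return [lo for lo, _ in self.encap[:self.rewrite[1]]] + list(tags)
        return [self.encap[0][0]] + list(tags[1:])


def flood(efps: List[EFP], ingress_name: str, tags: List[int]) -> Dict[str, Tuple[str, List[int]]]:
    """Flood one frame received on ingress_name to every other EFP of the bridge domain.

    Returns {egress EFP: (verdict, tags as they would appear on the wire)}; the verdict is
    'sent' (tags match the egress encapsulation), 'sent-wrong-tag' (mismatch but no strict
    filter, so the frame leaks out with the wrong tag) or 'dropped' (strict filter caught it).
    """
    src = next(e for e in efps if e.name == ingress_name)
    if not src.matches(tags):
        raise ValueError(f"frame {tags} does not match the encapsulation of {src.name}")
    internal = src.ingress(tags)            # the frame as the bridge domain sees it
    out: Dict[str, Tuple[str, List[int]]] = {}
    for efp in efps:
        if efp is src:                      # split horizon: never back out of the ingress EFP
            continue
        wire = efp.egress(internal)
        if efp.matches(wire):
            out[efp.name] = ("sent", wire)
        elif efp.strict:
            out[efp.name] = ("dropped", wire)
        else:
            out[efp.name] = ("sent-wrong-tag", wire)
    return out


def article_example(strict: bool = False, pop: bool = False):
    """The article's bridge domain: e1.1 encap 10, e2.2 and e10.10 encap 20; frame in on e10.10."""
    rewrite = ("pop", 1) if pop else None
    efps = [EFP("e1.1", ((10, 10),), rewrite, strict),
            EFP("e2.2", ((20, 20),), rewrite, strict),
            EFP("e10.10", ((20, 20),), rewrite, strict)]
    return flood(efps, "e10.10", [20])


def range_example(strict: bool = False):
    """Comment-thread variant: e1.1 and e2.2 carry dot1q 10-200, e10.10 only 20; VLAN 10 in on e1.1."""
    efps = [EFP("e1.1", ((10, 200),)),
            EFP("e2.2", ((10, 200),)),
            EFP("e10.10", ((20, 20),), None, strict)]
    return flood(efps, "e1.1", [10])


if __name__ == "__main__":
    for label, result in [("no rewrite, no strict ", article_example()),
                          ("no rewrite, strict    ", article_example(strict=True)),
                          ("pop 1 symmetric       ", article_example(pop=True)),
                          ("ranges, no strict     ", range_example()),
                          ("ranges, strict on e10 ", range_example(strict=True))]:
        print(label, result)
```

Running it prints the five verdicts: the "sent-wrong-tag" results are the VLAN leaks that strict filtering turns into "dropped", while the pop-symmetric configuration is the only one in which every EFP transmits exactly the tag it is configured for. The model also refuses the two configurations the page warns about, strict on an untagged EFP and a symmetric pop on a VLAN range.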


DROPS related to strict filtering.

Here are a few use cases, with examples of the drops one might see.

The drop rules for a Layer 2 packet on the egress EFP (efp2) are listed below; assume traffic flows from efp1 to efp2.

1) num_tags
   EGR_VLANOPS_DROP
   This check is done with or without "ethernet egress-filter strict".
   Examples:
   - efp1 encap untagged; efp2 encap 20 + rewrite push 30
   - efp1 encap 10; efp2 encap 20,30 + rewrite translate 2-to-2

2) pre tags
   EGR_PREFILTER_VLAN_DROP
   This check is done only when "ethernet egress-filter strict" is configured.
   Examples:
   - efp1 encap 10; efp2 encap 20 + rewrite translate 1-to-1 vlan 30
   - efp1 encap 10; efp2 encap 20 + rewrite push vlan 30

3) TCAM miss
   RESOLVE_EFP_FILTER_TCAM_MISS_DROP
   This check is done only when "ethernet egress-filter strict" is configured.
   Examples:
   - efp1 encap 10,20; efp2 encap 30 + rewrite push 10
   - efp1 encap 10; efp2 encap untagged

4) uIDB mismatch
   RESOLVE_EFP_FILTER_MISS_MATCH_DROP
   This check is done only when "ethernet egress-filter strict" is configured.
   Examples:
   - efp1 encap untagged; efp2 encap 10
   - efp1 encap 10,20 + rewrite pop 2; efp2 encap 30

Related Information

Understanding the EVC model

Xander Thuijs, CCIE #6775

Sr. Tech Lead ASR9000

Comments
xthuijs
Cisco Employee

Oh, just to be clear: the filter strict cannot be applied to an untagged interface.

But the untagged interface CAN be put together in a bridge domain with a tagged interface.

This would merely mean that a packet with a VLAN may get out of that main interface off that untagged EFP.

(Unusual design/case, though.)

xander

ty.chan007
Level 1

I have the below config:

EFP1
  interface e1.1 l2transport
    encapsulation dot1q 10-200

EFP2
  interface e2.2 l2transport
    encapsulation dot1q 10-200

EFP3
  interface e10.10 l2transport
    encapsulation dot1q 20

L2VPN configuration
  l2vpn bridge-domain foo
    interface e1.1
    interface e2.2
    interface e10.10

1. Then when a packet comes in from int e10.10 and gets flooded, where should this packet go?

2. How does it work when the filter is applied?

Aleksandar Vidakovic
Cisco Employee

To prevent any unexpected behaviour you should use explicit encapsulation on attachment circuits and rewrite the tag on ingress. That way you will ensure that all devices in the bridge domain can communicate with each other (which you would expect to happen in a bridge domain). With or without the filter, the communication between devices that use different encapsulations will be broken in your example.

hope this helps,

/Aleksandar

ty.chan007
Level 1

Hi Aleksandar, thanks for the reply.

We have too many VLANs (around 1k) to move to one bridge domain per VLAN :(

BTW, if a frame from VLAN 20 is flooded to VLAN 10, what VLAN does the frame retain? VLAN 10, VLAN 20, both, or untagged?

xthuijs
Cisco Employee

Hi ty, you would see the situation from a main interface level. In your original EFP example, when EFP1 on Ethernet1 receives a VLAN 20 frame, it will MATCH the EFP1 e1.1 interface (for stats and service application), which means that based on the BD config it will go out as VLAN 20 on E2 and E10, accounted for on E2.2 and E10.10.

Now when there is a VLAN 10 frame, it matches e1.1, gets sent with VLAN 10 out of E2 (accounted for on e2.2) and will also get out of E10, accounted for on the main interface.

So E10 will see a VLAN 10 packet on the wire.

This is what ether filter strict will prevent, since you don't have an explicit config covering VLAN 10 on E10.

xander

EFP1
  interface e1.1 l2transport
    encapsulation dot1q 10-200

EFP2
  interface e2.2 l2transport
    encapsulation dot1q 10-200

EFP3
  interface e10.10 l2transport
    encapsulation dot1q 20

Aleksandar Vidakovic
Cisco Employee

Without an explicitly configured tag rewrite, we don't change the dot1q tag on the frame. So if a frame with dot1q tag 10 is received on your EFP1, it should be sent out of int e2 and e10 with dot1q encap 10.

If you don't have a BVI in the bridge domain, you don't really need a rewrite.

Also, if all VLANs on a given physical interface are in the same bridge domain, you can configure the physical interface as l2transport, instead of creating sub-interfaces with VLAN range.

ty.chan007
Level 1

Hi all, thanks for the replies.

So, is it good practice to explicitly apply "ether filter strict" on all EFPs?

If I apply the filter to one EFP or to many EFPs, is there any performance difference?

Is it the same concept for IOS-XE, like the ASR920?

xthuijs
Cisco Employee

Ideally you would have a BD per VLAN. But if that is not possible and you have overlapping VLAN ranges on different trunk interfaces and you want to filter 'pruned' VLANs from certain main interfaces when they are not configured there, then use the filter strict.

xander

ty.chan007
Level 1

Hi Xander,

Is "pruned VLAN" (1) manually filtering VLANs per trunk, or (2) using a pruning protocol like VTP?

Regards,
