on 05-09-2011 01:40 PM
Since the ASR9000 implements a layer 2 environment via the EVC model, there are some differences as to how things work compared to regular IOS that implements the IEEE model.
When using Bridge-Domains in the ASR9000, we need to make sure that the traffic forwarded out of the EFP members has the correct vlan setting.
Since the EVC model does not imply tag rewrite and popping by default, you need to make sure that your tag rewrite configuration is correct.
In the easiest form, it makes the most sense to always pop all tags on the EFPs symmetrically, such that the bridge domain internally sees untagged traffic. This is already a requirement when the BD has a BVI interface: the BVI interface is not VLAN aware and needs to see untagged traffic.
Traffic egressing out of other EFPs will get their respective tags applied again, normally, so that they have the right tags on the packet when packets are transmitted by the EFP. The "symmetric" keyword of the rewrite ingress tag command will take care of that.
However, that behavior is NOT the default.
You might end up in the scenario where traffic sent out of an EFP with an encap of vlan 20 (as per configuration) carries a tag of 10/100, if the ingress EFP has that vlan stack and is not popping it.
The ethernet filter strict command helps prevent packets with incorrect vlan tags from being transmitted out of EFPs.
This command is NOT on by default, as it comes with a slight performance hit in terms of pps, and if the configuration is done properly it is normally not necessary. In so many words, this command protects against misconfigurations of the VLAN encapsulation of packets transmitted out of EFPs.
Packets that fail the strict filter have different drop reasons in the NP (see the NP drop counter article on the support forums for more detail).
Consider the following examples:
EFP1
  Int e1.1
  Encap dot1q 10
EFP2
  Int e2.2
  Encap dot1q 20
EFP3
  Int e10.10
  Encap dot1q 20
L2VPN configuration
  l2vpn bridge-domain foo
    Int e1.1
    Int e2.2
    Int e10.10
CASES:
Then when a packet comes from int e10.10 and gets flooded... Where should this packet go to?
Xander Thuijs, CCIE #6775
Sr. Tech Lead ASR9000
Oh, just to be clear: the filter strict cannot be applied to an untagged interface,
but the untagged interface CAN be put together in a bridge domain with a tagged interface.
This would merely mean that a packet with a vlan may get out of that main interface via that untagged EFP.
(unusual design/case though).
xander
I have the config below:
EFP1
  Int e1.1
  Encap dot1q 10-200
EFP2
  Int e2.2
  Encap dot1q 10-200
EFP3
  Int e10.10
  Encap dot1q 20
L2VPN configuration
  l2vpn bridge-domain foo
    Int e1.1
    Int e2.2
    Int e10.10
1. Then when a packet comes from int e10.10 and gets flooded... Where should this packet go to?
2. How does it work when applying the filter?
To prevent any unexpected behaviour you should use explicit encapsulation on attachment circuits and rewrite the tag on ingress. That way you will ensure that all devices in the bridge domain can communicate with each other (which you would expect to happen in a bridge domain). With or without the filter, the communication between devices that use different encapsulation will be broken in your example.
hope this helps,
/Aleksandar
Hi Aleksandar, thanks for the reply.
We have too many VLANs (around 1k) to move to one bridge domain per VLAN :(
BTW, if a frame from vlan 20 is flooded to vlan 10, what vlan does the frame retain? vlan 10, vlan 20, both, or untagged?
Hi ty, you would see the situation from a main interface level. In your original EFP example, when EFP1 (Ethernet1) receives a vlan 20, it will MATCH the EFP1 e1.1 interface (for stats and service application), which means, based on the BD config, it will go out as vlan 20 on E2 and E10, accounted for on E2.2 and E10.10.
Now when there is a vlan 10, it matches e1.1, gets sent with vlan 10 out of e2 (accounted for on e2.2) and will also get out of e10, accounted for on the main interface.
So E10 will see a vlan 10 packet on the wire.
This is what ether filter strict will prevent, since you don't have an explicit config covering a vlan 10 on e10.
xander
EFP1
  Int e1.1
  Encap dot1q 10-200
EFP2
  Int e2.2
  Encap dot1q 10-200
EFP3
  Int e10.10
  Encap dot1q 20
Without an explicitly configured tag rewrite, we don't change the dot1q tag on the frame. So if a frame with dot1q tag 10 is received on your EFP1, it should be sent out of int e2 and e10 with dot1q encap 10.
If you don't have a BVI in the bridge domain, you don't really need a rewrite.
Also, if all VLANs on a given physical interface are in the same bridge domain, you can configure the physical interface as l2transport, instead of creating sub-interfaces with VLAN range.
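As an added illustration (not code from the thread or from Cisco), the following toy model replays the flooding cases discussed above: ty's overlapping-range config with and without ethernet filter strict, and the opening post's recommendation of one VLAN per EFP popped symmetrically. All EFP names, VLAN ranges and frames are constructed, and the strict-filter rule is a simplified assumption (the outer tag on egress must match the egress EFP's encapsulation).

```python
# Added example, not from the thread: a toy model of ASR9000 EVC bridge-domain
# flooding. EFP names, VLAN sets and frames are constructed for illustration;
# the strict-filter check is a simplified model of "ethernet filter strict".
from dataclasses import dataclass


@dataclass
class Efp:
    name: str
    encap: set                    # VLAN IDs matched by "encapsulation dot1q ..."
    pop_symmetric: bool = False   # "rewrite ingress tag pop 1 symmetric" (single VLAN EFP)
    filter_strict: bool = False   # "ethernet filter strict"

    def ingress(self, tags):
        """tags: tuple of VLAN IDs, outermost first. Returns the frame as the BD sees it."""
        if not tags or tags[0] not in self.encap:
            return None                           # frame does not match this EFP
        return tags[1:] if self.pop_symmetric else tags   # pop only if rewrite configured

    def egress(self, tags):
        """Returns the tag stack placed on the wire, or 'DROP' if strict filter rejects it."""
        if self.pop_symmetric:
            tags = (next(iter(self.encap)),) + tags       # symmetric: push own VLAN back on
        if self.filter_strict and (not tags or tags[0] not in self.encap):
            return "DROP"                         # outer VLAN not covered by this EFP's encap
        return tags


def flood(bridge_domain, ingress_name, tags):
    """Flood a frame received on one EFP to every other EFP of the bridge domain."""
    src = next(e for e in bridge_domain if e.name == ingress_name)
    inner = src.ingress(tags)
    if inner is None:
        return {}
    return {e.name: e.egress(inner) for e in bridge_domain if e is not src}


def overlapping_ranges_case(strict):
    """ty's config: e1.1 and e2.2 carry 10-200, e10.10 only VLAN 20, no tag rewrite."""
    bd = [Efp("e1.1", set(range(10, 201)), filter_strict=strict),
          Efp("e2.2", set(range(10, 201)), filter_strict=strict),
          Efp("e10.10", {20}, filter_strict=strict)]
    return flood(bd, "e1.1", (10,)), flood(bd, "e1.1", (20,))


def popped_case():
    """One VLAN per EFP, popped symmetrically: the BD is untagged, each EFP re-pushes its tag."""
    bd = [Efp("e1.1", {10}, pop_symmetric=True),
          Efp("e2.2", {20}, pop_symmetric=True)]
    return flood(bd, "e1.1", (10,))
```

Without the filter, the vlan 10 frame leaves e10 on the wire with tag 10 (accounted for on the main interface, as Xander describes); with the filter it is dropped at e10.10, while the vlan 20 frame is unaffected.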
Hi all, thanks for the replies.
So, is it good practice to explicitly apply "ether filter strict" on all EFPs?
If I apply the filter to one EFP or many EFPs, is there any performance difference?
Is it the same concept for IOS-XE, like the ASR920?
Ideally you would have a BD per vlan. But if that is not possible, and you have overlapping vlan ranges on different trunk interfaces and you'd want to filter 'pruned' vlans from certain main interfaces when not configured, then use the filter strict.
xander
Hi Xander,
Does "pruned VLAN" mean (1) manually filtering VLANs per trunk or (2) using a pruning protocol like VTP?
Regards,