ASR9000/XR : Understanding ethernet filter strict
Since the ASR9000 implements a layer 2 environment via the EVC model, there are some differences as to how things work compared to regular IOS that implements the IEEE model.
When using Bridge-Domains in the ASR9000, we need to make sure that the traffic forwarded out of the EFP members has the correct vlan setting.
Since the EVC model does not imply tag rewrite and popping by default, you need to make sure that your tag rewrite configuration is correct.
In the easiest form, it makes the most sense to always pop all tags on the EFPs symmetrically, such that the bridge domain internally sees untagged traffic. This is already a requirement when the BD has a BVI interface. The BVI interface is not VLAN aware and needs to see untagged traffic.
Traffic egressing out of other EFPs will normally get their respective tags applied again, so that the packets have the right tags when they are transmitted by the EFP. The "symmetric" keyword of the rewrite ingress tag command takes care of that.
However, that behavior is NOT the default.
You might end up in a scenario where traffic sent out of an EFP configured with encap vlan 20 carries a tag of 10/100, because the ingress EFP has that vlan stack and is not popping it.
The ethernet filter strict command will help in the prevention of packets with incorrect vlan tags from being transmitted out of EFPs.
This command is NOT on by default, as it comes with a slight performance hit in terms of pps, and if the configuration is done properly it is normally not necessary. In so many words, this command protects against misconfigurations of the VLAN encapsulation of packets transmitted out of EFPs.
Packets that fail the strict filter have different drop reasons in the NP (see the NP drop counter article on the support forums for more detail).
Consider the following examples:
When we have 3 interfaces in a BD:
EFP1  Int e1.1    Encap dot1q 10
EFP2  Int e2.2    Encap dot1q 20
EFP3  Int e10.10  Encap dot1q 20
L2VPN configuration:
l2vpn
 bridge-domain foo
  Int e1.1
  Int e2.2
  Int e10.10
CASES: When a packet comes in on int e10.10 and gets flooded, where should this packet go?
1. int e10.10? - no, because of “my packet rule” (split horizon)
2. int e2.2? - yes
3. int e1.1? - this is possibly the most questionable one...
In case 3 we would send a packet with encap 20 out of a vlan 10 EFP.
Filter strict will prevent that behavior.
It is of course proper behavior to do tag translations via the rewrite ingress tag rules.
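The three-EFP flood case above, worked through as an added example (a simplified Python model written for this page, not Cisco code and not the NP's actual algorithm). It assumes the strict filter compares the tags a frame would carry on the wire against the egress EFP's encapsulation, and that "pop N symmetric" pushes the EFP's own tags back on egress; the names EFP, flood and scenario are hypothetical.

```python
from dataclasses import dataclass

SPLIT_HORIZON = "not sent (split horizon)"
STRICT_DROP = "dropped by strict filter"

@dataclass(frozen=True)
class EFP:
    name: str
    encap: tuple          # VLAN tags this EFP matches, outermost first
    pop: int = 0          # N of "rewrite ingress tag pop N symmetric"; 0 = no rewrite
    strict: bool = False  # egress filter strict enabled on this EFP

def flood(src, frame_tags, members):
    """Flood a frame received on src; return {EFP name: tags sent, or a reason string}."""
    frame_tags = tuple(frame_tags)
    if frame_tags[:len(src.encap)] != src.encap:
        raise ValueError("frame does not match the ingress EFP encapsulation")
    in_bd = frame_tags[src.pop:]          # tag stack as seen inside the bridge domain
    result = {}
    for efp in members:
        if efp.name == src.name:
            result[efp.name] = SPLIT_HORIZON
            continue
        # Symmetric rewrite: egress pushes back the tags that ingress would pop.
        sent = efp.encap[:efp.pop] + in_bd
        # Simplified strict check (assumption): transmitted tags must match the encap.
        if efp.strict and sent[:len(efp.encap)] != efp.encap:
            result[efp.name] = STRICT_DROP
        else:
            result[efp.name] = sent
    return result

def scenario(pop, strict):
    """The page's bridge domain: a frame tagged 20 arrives on e10.10 and is flooded."""
    e1 = EFP("e1.1", (10,), pop, strict)
    e2 = EFP("e2.2", (20,), pop, strict)
    e10 = EFP("e10.10", (20,), pop, strict)
    return flood(e10, (20,), [e1, e2, e10])

if __name__ == "__main__":
    for pop, strict in [(0, False), (0, True), (1, True)]:
        print(f"pop={pop} strict={strict}: {scenario(pop, strict)}")
```

With no rewrite and no filter, e1.1 transmits a frame tagged 20; with the filter on, that copy is dropped; with pop 1 symmetric on every EFP, e1.1 transmits tag 10 and the filter has nothing to drop.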
DROPS related to strict filtering.
Here are a few use cases, examples and drops one might see.
The drop rules for Layer2 pkt on the egress efp2 are (assume traffic from efp1 to efp2):
This check is done with or without “ethernet egress-filter strict”