Caution regarding the Use of 'tci-overwrite' on the N/S-Series

  • Updated 4 years ago
Article ID: 11091 

Products
Matrix N-Series DFE
S-Series

Changes
Manually configured a policy profile so that tci-overwrite is enabled.
Used the policy profile for VLAN-tagged traffic.

Symptoms
The VLAN assignment unexpectedly changes.
Traffic entering the policy profile is apparently dropped.
Loss of connectivity.

The Priority assignment unexpectedly changes.

Cause
Within the 'set policy profile...' command, there is a parameter which controls permission for rewriting elements of the TOS byte, and for rewriting the Tag Control Information - essentially, Priority and VLAN - contained within the incoming 802.1Q Tag (5811).

This is:
 [tci-overwrite {enable | disable}]   Permit rewrite of the TOS byte and TCI fields?
A policy can by default affect both VLAN-untagged and VLAN-tagged traffic. Further, if tci-overwrite is enabled, a policy can potentially override the 802.1Q VLAN and/or 802.1P Priority present in incoming 802.1Q Tags, thereby overwriting the 802.1Q VLAN and/or 802.1P Priority used in outgoing 802.1Q Tags.

Caution!: If tci-overwrite is enabled, any 802.1Q-tagged traffic processed within the profile will lose all of its TCI content immediately following egress from the profile - unless that information is reinforced in some manner within the profile.

  • VLAN information will revert to the ingress port's Port VLAN Identifier (PVID) value ('set port vlan...'), which by default equals 1.

    Within a policy profile, a VLAN assignment may be set/reinforced by the use of a 'vlan <vlan>' parameter within a matching non-admin classification rule, or in the absence of such a matching rule, by the use of a 'pvid-status enable pvid <vlan>' "catch-all" parameter in the profile command.

  • Priority information will revert to the ingress port's Port Priority Identifier (PPID) value ('set port priority...'), which by default equals zero.

    Within a policy profile, a Priority assignment may be set/reinforced by the use of a 'cos <cos>' parameter within a matching non-admin classification rule, or in the absence of such a matching rule, by the use of a 'cos-status enable cos <cos>' "catch-all" parameter in the profile command. The cos assignment ties to a "class of service" not otherwise discussed herein.

Since VLAN loss is much more likely to be noticed than Priority loss, the remainder of this section discusses the VLAN element in more detail.

It is important to understand that when the two parameters 'pvid-status disable' (or 'pvid-status enable' with no actual pvid specification) and 'tci-overwrite enable' are used at the same time, the first parameter instead effectively functions as 'pvid-status enable pvid 4095'. That is, if a VLAN assignment is not applied via a matching non-admin rule, the ingress port's PVID VLAN ID will be assigned to the traffic in question. Be aware that the 'show policy profile' command gives no indication that this is happening, but the result can be an unexpected change in VLAN assignment, leading to apparent traffic loss.

For example:
N7(su)->set policy profile 1 name test1 pvid-status disable
N7(su)->set policy profile 2 name test2 pvid-status disable tci-overwrite enable
N7(su)->set policy profile 3 name test3 pvid-status enable pvid 4095
N7(su)->set policy profile 4 name test4 pvid-status enable pvid 4095 tci-overwrite enable
N7(su)->show policy profile 1
Profile Index :1
Profile Name :test1
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 2
Profile Index :2
Profile Name :test2
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :enabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 3
Profile Index :3
Profile Name :test3
Row Status :active
Port VID Status :enabled
Port VID Override :4095
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 4
Profile Index :4
Profile Name :test4
Row Status :active
Port VID Status :enabled
Port VID Override :4095
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :enabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->
The 'show policy profile' output generally describes these profiles as they will function.
The exception is profile #2, which will effectively function as:
Port VID Status :enabled
Port VID Override :4095
Note that since Policy Manager generally uses 'pvid-status enable pvid 4095' (explicitly defaulting to the PVID VLAN ID if no VLAN classification rules are applied), this issue is primarily confined to instances of manual policy configuration.
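
Because the display gives no hint of the profile #2 behavior, saved 'show policy profile' output can be checked for it offline. The following is an added example, not part of the original article or any vendor tool; the function names are hypothetical, and it flags only the combination shown for profile #2 (Port VID Status disabled with Replace TCI Status enabled).

```python
import re

# Constructed sample: abbreviated 'show policy profile' output in the format
# shown above (fields not needed for the check are omitted).
SAMPLE = """\
Profile Index :1
Profile Name :test1
Port VID Status :disabled
Port VID Override :1
Replace TCI Status :disabled
Profile Index :2
Profile Name :test2
Port VID Status :disabled
Port VID Override :1
Replace TCI Status :enabled
Profile Index :4
Profile Name :test4
Port VID Status :enabled
Port VID Override :4095
Replace TCI Status :enabled
"""

# "Label :value" lines; prompt lines and ':'-led continuation lines do not match.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")

def parse_profiles(text):
    """Split the output into one dict per profile, keyed by field label."""
    profiles = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # CLI prompts, Rule Precedence continuation lines, blanks
        key, value = m.groups()
        if key == "Profile Index":
            profiles.append({})  # a new profile block starts here
        if profiles:
            profiles[-1][key] = value
    return profiles

def silent_pvid_fallback(profiles):
    """Profiles displayed as pvid-status disabled while TCI overwrite is on."""
    return [
        (int(p["Profile Index"]), p.get("Profile Name", ""))
        for p in profiles
        if p.get("Replace TCI Status") == "enabled"
        and p.get("Port VID Status") == "disabled"
    ]
```

Each profile this returns should be read as 'pvid-status enable pvid 4095' unless a matching non-admin rule assigns the VLAN.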

Solution/Workaround
Functions as Designed (FAD).

When TCI Overwrite is enabled, the original VLAN Tag information is lost, so it must be re-established either by a policy rule, or by a default action within the policy profile, or otherwise by the ingress port's VLAN and/or Priority settings.

Either disable the tci-overwrite feature if it is not necessary to overwrite the TOS byte of any traffic or the VLAN/Priority of tagged traffic, or ensure that the VLAN and Priority are correctly assigned via one of the three above-stated methods.

One means of correctly re-establishing the 12 bits of VLAN information on a frame which was ingressed VLAN-tagged is to classify the frame based on VLAN (it is still present at this point), then for matching frames redundantly assign the same VLAN ID. For example, for a port which serves as an 802.1Q Trunk for VLANs 100 and 200, add these rules to the controlling policy profile index 1:
   set policy rule 1 vlantag 100 vlan 100
   set policy rule 1 vlantag 200 vlan 200

One means of correctly re-establishing the 3 bits of Priority information on a frame which was ingressed VLAN-tagged is to classify the frame based on Priority (it is still present at this point), then for matching frames redundantly assign the same Priority. For example, for the same 802.1Q Trunk port as outlined above, also add a separate rule for each of the incoming priorities that are potentially present (and differ from the PPID). Note that here we are assuming the default 'set cos...' settings in which the "cos" value equals the "priority" value:
   set policy rule 1 tci 0x00 mask 3 cos 0
   set policy rule 1 tci 0x20 mask 3 cos 1
   set policy rule 1 tci 0x40 mask 3 cos 2
   set policy rule 1 tci 0x60 mask 3 cos 3
   set policy rule 1 tci 0x80 mask 3 cos 4
   set policy rule 1 tci 0xa0 mask 3 cos 5
   set policy rule 1 tci 0xc0 mask 3 cos 6
   set policy rule 1 tci 0xe0 mask 3 cos 7
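
The tci values above step by 0x20 because the 3 Priority bits are the top 3 bits of the first TCI byte, ahead of the 12-bit VLAN ID. The following added example (not from the original article; function names and the optional ppid argument are hypothetical) decodes a TCI and generates both rule sets for a trunk, assuming the default 'set cos...' mapping in which cos equals priority.

```python
def decode_tci(tci):
    """Split a 16-bit 802.1Q TCI into (priority, dei, vlan_id)."""
    if not 0 <= tci <= 0xFFFF:
        raise ValueError("TCI is a 16-bit field")
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF

def tci_first_byte(priority):
    """First TCI byte with the 802.1p priority in its top 3 bits."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return priority << 5

def reinforce_rules(profile, vlans, priorities=range(8), ppid=None):
    """Rule lines that re-assign each tagged frame its own VLAN and priority.

    profile    -- policy profile index the rules belong to
    vlans      -- VLAN IDs carried on the 802.1Q trunk
    priorities -- incoming priorities that may be present
    ppid       -- if given, skip this priority (it already equals the
                  ingress port's default, so no rule is needed for it)
    """
    lines = []
    for vid in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} is outside 1-4094")
        # Classify on the incoming tag, then redundantly assign the same VLAN.
        lines.append(f"set policy rule {profile} vlantag {vid} vlan {vid}")
    for prio in priorities:
        if prio == ppid:
            continue
        # 'mask 3' matches only the 3 priority bits of the TCI value.
        value = tci_first_byte(prio)
        lines.append(
            f"set policy rule {profile} tci 0x{value:02x} mask 3 cos {prio}"
        )
    return lines

if __name__ == "__main__":
    # Trunk for VLANs 100 and 200 on profile 1, as in the article's example.
    print("\n".join(reinforce_rules(1, [100, 200])))
```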
FAQ User, Official Rep

Posted 4 years ago