Caution regarding the Use of 'tci-overwrite' on the N/S-Series

FAQ_User — Fri, 02 May 2014 20:47:00 GMT

Article ID: 11091

Products
Matrix N-Series DFE
S-Series

Changes
Manually configured a policy profile so that

code:

tci-overwrite

is enabled.
Used the policy profile for VLAN-tagged traffic.

Symptoms
The VLAN assignment unexpectedly changes.
Traffic entering the policy profile is apparently dropped.
Loss of connectivity.

The Priority assignment unexpectedly changes.

Cause
Within the '

code:

set policy profile...

' command, there is a parameter which controls permission for rewriting elements of the TOS byte, and for rewriting the Tag Control Information - essentially, Priority and VLAN - contained within the incoming 802.1Q Tag (5811).

This is: [tci-overwrite {enable | disable}] Permit rewrite of the TOS byte and TCI fields?A policy can by default affect both VLAN-untagged and VLAN-tagged traffic. Further, if

code:

tci-overwrite

is enabled, a policy can potentially override the 802.1Q VLAN and/or 802.1P Priority present in incoming 802.1Q Tags, thereby overwriting the 802.1Q VLAN and/or 802.1P Priority used in outgoing 802.1Q Tags.

Caution!: If

code:

tci-overwrite

is enabled, any 802.1Q-tagged traffic processed within the profile will lose all of its TCI content immediately following egress from the profile - unless that information is reinforced in some manner within the profile.

set port vlan...

vlan

vlan

pvid-status enable pvid

vlan

set port priority...

cos

cos

cos-status enable cos

cos

cos

Since VLAN loss is much more likely to be noticed than Priority loss, the remainder of this section discusses the VLAN element in more detail.

It is important to understand that when the two parameters '

code:

pvid-status disable

' (or '

code:

pvid-status enable

' with no actual pvid specification) and '

code:

tci-overwrite enable

' are used at the same time, instead the first command effectively functions as '

code:

pvid-status enable pvid 4095

'. That is, if a VLAN assignment is not applied via a matching non-admin rule, the ingress port's PVID VLAN ID will be assigned to the traffic in question. Be aware that there is no indication in the '

code:

show policy profile

' command that this is happening - but the result can be an unexpected change in VLAN assignment, leading to apparent traffic loss.

For example:N7(su)->set policy profile 1 name test1 pvid-status disable
N7(su)->set policy profile 2 name test2 pvid-status disable tci-overwrite enable
N7(su)->set policy profile 3 name test3 pvid-status enable pvid 4095
N7(su)->set policy profile 4 name test4 pvid-status enable pvid 4095 tci-overwrite enable
N7(su)->show policy profile 1
Profile Index :1
Profile Name :test1
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 2
Profile Index :2
Profile Name :test2
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :enabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 3
Profile Index :3
Profile Name :test3
Row Status :active
Port VID Status :enabled
Port VID Override :4095
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->show policy profile 4
Profile Index :4
Profile Name :test4
Row Status :active
Port VID Status :enabled
Port VID Override :4095
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :enabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :none
Oper Profile Usage :none
Dynamic Profile Usage :none
N7(su)->These policies are generally described as they will function.
The exception is profile #2, which effectively will function as...Port VID Status :enabled
Port VID Override :4095Note that since Policy Manager generally uses '

code:

pvid-status enable pvid 4095

' (explicitly defaulting to the PVID VLAN ID if no VLAN classification rules are applied), this issue is primarily confined to instances of manual policy configuration.

Solution/Workaround
Functions as Designed (FAD).

When TCI Overwrite is enabled; the original VLAN Tag information is lost so must be re-established by either a policy rule, or by a default action within the policy profile, or otherwise by the ingress port's VLAN and/or Priority settings.

Either disable the

code:

tci-overwrite

feature if it is not necessary to overwrite the TOS byte of any traffic or the VLAN/Priority of tagged traffic, or ensure that the VLAN and Priority are correctly assigned via one of the three above-stated methods.

One means of correctly re-establishing the 12 bits of VLAN information on a frame which was ingressed VLAN-tagged is to classify the frame based on VLAN (it is still present at this point), then for matching frames redundantly assign the same VLAN ID. For example, for a port which serves as an 802.1Q Trunk for VLANs 100 and 200, add these rules to the controlling policy profile index 1:

code:

set policy rule 1 vlantag 100 vlan 100

code:

set policy rule 1 vlantag 200 vlan 200

One means of correctly re-establishing the 3 bits of Priority information on a frame which was ingressed VLAN-tagged is to classify the frame based on Priority (it is still present at this point), then for matching frames redundantly assign the same Priority. For example, for the same 802.1Q Trunk port as outlined above, also add a separate rule for each of the incoming priorities that are potentially present (and differ from the PPID). Note that here we are assuming the default '

code:

set cos...

' settings in which the "cos" value equals the "priority" value:

code:

set policy rule 1 tci 0x00 mask 3 cos 0

code:

set policy rule 1 tci 0x20 mask 3 cos 1

code:

set policy rule 1 tci 0x40 mask 3 cos 2

code:

set policy rule 1 tci 0x60 mask 3 cos 3

code:

set policy rule 1 tci 0x80 mask 3 cos 4

code:

set policy rule 1 tci 0xa0 mask 3 cos 5

code:

set policy rule 1 tci 0xc0 mask 3 cos 6

code:

set policy rule 1 tci 0xe0 mask 3 cos 7

topic Caution regarding the Use of 'tci-overwrite' on the N/S-Series in FAQs

Caution regarding the Use of 'tci-overwrite' on the N/S-Series