Guest

Preview Tool

Cisco Bug: CSCvt45899 - LPTS domain policer entries not matching for traffic from bundle interface on reload

Last Modified

Sep 24, 2020

Products (1)

  • Cisco Network Convergence System 6000 Series Routers

Known Affected Releases

7.2.1.BASE

Description (partial)

Symptom:
During config replay on reload/Bootup of Node(Line-cards or router), Bundle interface configured under the LPTS domain config is not getting applied/programmed to hardware (respective line-cards). 
This issue is intermittent and it's specific to Bundle interfaces which are configured under user defined domain. There is no impact on physical interaces.

Ex - Bundle-Ether9001 is configured under domain ACCESS config. 

lpts pifib hardware domain ACCESS
 interface Bundle-Ether9001  <<<
 interface TenGigE0/0/0/4/1
 interface HundredGigE0/0/0/14
!

Impact of this issue >>
The incoming packets received on the bundle interface will not be policed as per flow policer rate configured for user defined domain(ACCESS) and instead, Packets will be policed as per flow policer rate (default rate or user configured rate) configured under default domain(0-default). 
This is the issue.

Example - 
User has configured Bundle-Ether9001 under LPTS domain name ACCESS and also configured ICMP flow policer rates under domain ACCESS (see flow icmp * config below under domain ACCESS)
Now User is expecting Any ICMP packets received on this bundle interface must be policed as per ICMP policer rate configured under domain ACCESS. 

On boot up or reload, when this configs gets replayed, bundle interface programing to ACCESS domain in HW (respective line cards) is getting failed. 
Hence any ICMP incoming packet received on this interface won't be policed as per ICMP policer rate configued as per Domain ACCESS. This is the issue.

lpts pifib hardware domain ACCESS
 interface Bundle-Ether9001  <<<
 interface TenGigE0/0/0/4/1
 interface HundredGigE0/0/0/14
!

lpts pifib hardware police
 flow icmp local rate 0      << this policer rate configured for default domain
 flow icmp default rate 0   << this policer rate configured for default domain
 domain ACCESS  <<<
  flow fragment rate 1000
  flow bgp default rate 200
  flow icmp local rate 3000      <<< flow policer rate configured for domain ACCESS
  flow icmp default rate 2000    <<<
 !
!

user can refer - show lpts pifib hardware police location <LC node>  - to view the applied policer rates per flow (under default or user defined domain) on HW.

>>> To check whether the packets received on this bundle interface and policed as per domain policer rate, User is pinging to unreachable destination and unreachable ICMP packets are being received on this bundle interface.

[Before]
RP/0/RP0/CPU0:UEFI#sh lpts pifib hardware entry brief location 0/0/CPU0 | in UNREACH
Tue Mar 17 16:12:50.125 IST
IPv4 any                  any                  any                0     1    UNREACH      0      0    ICMP-default       Local LC     LOW      0      0        0-default  << 0 UNREACH packets received under default domain
IPv4 any                  any                  any                0     1    UNREACH      0      0    ICMP-default       Local LC     LOW      15045  0        1-ACCESS
IPv6 any                  any                  any                0     58   UNREACH      0      0    ICMP-default       Local LC     LOW      0      0        0-default
IPv6 any                  any                  any                0     58   UNREACH      0      0    ICMP-default       Local LC     LOW      0      0        1-ACCESS

[After]
ICMP Unreach packets are being received at be9001 are still being policed under default domain instead of ACCESS domain. This is the impact of this issue.

RP/0/RP0/CPU0:UEFI#sh interf be9001.11 | in input
Tue Mar 17 16:14:38.381 IST
  Last input 00:00:00, output 00:00:00
  5 minute input rate 0 bits/sec, 1 packets/sec
     17010 packets input, 21667762 bytes, 0 total input drops
RP/0/RP0/CPU0:UEFI#
RP/0/RP0/CPU0:UEFI#sh lpts pifib hardware entry brief location 0/0/CPU0 | in UNREACH
Tue Mar 17 16:14:43.063 IST
IPv4 any                  any                  any                0     1    UNREACH      0      0    ICMP-default       Local LC     LOW      9371   7602     0-default <<< ICMP Unreach packets are being received at be9001 are still being policed under default domain instead of ACCESS domain
IPv4 any                  any                  any                0     1    UNREACH      0      0    ICMP-default       Local LC     LOW      15045  0        1-ACCESS  << No change in stats under ACCESS domain for ICMP UNREACH packets
IPv6 any                  any                  any                0     58   UNREACH      0      0    ICMP-default       Local LC     LOW      0      0        0-default
IPv6 any                  any                  any                0     58   UNREACH      0      0    ICMP-default       Local LC     LOW      0      0        1-ACCESS

Conditions:
This issue is specific to Bundle interface which are configured under user defined LPTS domain.

lpts pifib hardware domain ACCESS  << user defined domain named ACCESS config
 interface Bundle-Ether9001  <<<
 interface TenGigE0/0/0/4/1
 interface HundredGigE0/0/0/14
!
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.