Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring Control Queue Disable on a 10-port 10-Gigabit Ethernet LAN/WAN PIC

On a 10-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (model number PD-5-10XGE-SFPP), a control queue is used to queue all control packets received on an ingress port. This ensures that control protocol packets do not get dropped randomly when there is congestion due to oversubscription. The following control protocols are supported:

  • OSPF
  • OSPF3
  • VRRP
  • IGMP
  • RSVP
  • PIM
  • BGP
  • BFD
  • LDP
  • IS-IS
  • RIP
  • RIPV6
  • LACP
  • ARP
  • IPv6 NDP
  • Connectivity fault management (CFM)
  • Link fault management (LFM)

These control packets can either terminate locally or transit through the router. The control queue has a rate limiter to limit the control traffic to 2 Mbps (fixed, not user-configurable) per port. Hence, if transit control traffic is taking too much bandwidth, then it can cause drops on locally terminating control traffic, as shown in Figure 1.

Figure 1: Control Queue Rate Limiter Scenario

Control Queue Rate Limiter Scenario

If the end users generate a mass of malicious traffic for which the port number is 179 (BGP), the router dispatches that traffic to the ingress control queue. Further, if congestion occurs in this ingress control queue due to this malicious traffic, the provider's network control packets may be affected.

In some applications, this can be perceived as a new vulnerability. To address this concern, you can disable the control queue feature. With the control queue feature disabled, you must take precautions to protect control traffic through other means, such as mapping control packets (using BA classification) to a queue that is marked strict-high or is configured with a high CIR.

You can disable the control queue for all ports on the PIC. To disable the control queue, use the set chassis fpc n pic n no-pre-classifier command. By default, the no-pre-classifier statement is not configured and the control queue is operational.

Deleting the no-pre-classifier statement re-enables the control queue feature on all ports of the 10-Gigabit Ethernet LAN/WAN PIC.

  • This functionality is applicable both in OSE and line-rate modes.
  • The control queue feature is enabled by default in both OSE and line-rate modes, which can be overridden by the user configuration.
  • When the control queue is disabled, various show queue commands will show control queue in the output. However, all control queue counters are reported as zeros.
  • Changing this configuration (enabling or disabling the control queue feature) results in the PIC being taken offline and brought back online.

Once the control queue is disabled, the Layer 2/Layer 3 control packets are subject to queue selection based on BA classification. However, some control protocol packets will not be classified using BA classification, because they might not have a VLAN, MPLS, or IP header. These are:

  • Untagged ARP packets
  • Untagged Layer 2 control packets such as LACP or Ethernet OAM
  • Untagged IS-IS packets

When the control queue feature is disabled, untagged ARP, IS-IS, and other untagged Layer 2 control packets will go to the restricted queue corresponding to the forwarding class associated with queue 0, as shown in the following two examples.

Forwarding Untagged Layer2 Control Packets to Queue 3

With this configuration, the forwarding class (FC) associated with queue 0 is "be" (based on the forwarding-class statement configuration). "be" maps to restricted-queue number 3 (based on the "restricted-queue" configuration). Hence, with this particular configuration, untagged ARP, IS-IS, and other untagged Layer 2 control packets will go to ingress queue 3 (not to ingress queue 0).

[edit chassis]forwarding-classes {queue 0 be;queue 1 af-low8;queue 2 af-high;queue 3 ef;queue 4 ops_control;queue 5 net_control;queue 6 af-low10_12;}restricted-queues {forwarding-class ef queue-num 0;forwarding-class af-low8 queue-num 1;forwarding-class af-low10_12 queue-num 1;forwarding-class af-high queue-num 2;forwarding-class be queue-num 3;}

Forwarding Untagged Layer2 Control Packets to Queue 3

With this configuration, the FC associated with queue 0 is "ef" (based on the forwarding-class statement configuration). "ef" maps to restricted-queue number 0 (based on the restricted-queue statement configuration). Hence, with this particular configuration, untagged ARP, IS-IS, and other untagged Layer 2 control packets would go to ingress queue 0.

For tagged ARP, IS-IS, or Layer2 control packets, users should configure an explicit dot1p/dot1ad classifier to make sure these packets are directed to the correct queue. Without an explicit dot1p/dot1ad classifier, tagged ARP, IS-IS, or Layer 2 control packets will go to the restricted-queue corresponding to the forwarding class associated with queue 0.

[edit chassis]forwarding-classes {queue 0 ef; <<< ef and be are interchangedqueue 1 af-low8;queue 2 af-high;queue 3 be; <<< ef and be are interchangedqueue 4 ops_control;queue 5 net_control;queue 6 af-low10_12;}restricted-queues {forwarding-class ef queue-num 0;forwarding-class af-low8 queue-num 1;forwarding-class af-low10_12 queue-num 1;forwarding-class af-high queue-num 2;forwarding-class be queue-num 3;}
 

Related Documentation

 

Published: 2012-12-11

Previous Page Next Page