With L2 bridging, all packets being forwarded in a bridge domain (BD) are expected to have the same 1st VLAN tag (or no VLAN tag). This also applies to QinQ packets being forwarded in a service provider bridge where the top dot1ad tag is expected to have the same ID while the 2nd dot1q tag can be any value. Thus, putting dot1ad tags with different tag IDs on packets in the same BD is not a proper way to send packets in a provider bridge.
If packets are coming into a bridge domain with a VLAN tag, one would typically create a sub-interface matching that of the VLAN tag and put the sub-interface in the BD. If you really want to mix packets with different VLAN tags in the bridge domain while limiting L2 forwarding to the same VLAN tags only, one can put the efp-filter on a sub-interface in the BD so that it will drop packet output on a sub-interface if a packet’s top tag, including after VTR output operation if one exists, does not match that of the sub-interface. Again, this is not typical usage and is an expensive way to do bridging because of the efp filtering and flooding in the BD to all sub-interfaces and relying on the efp filter to drop packets with non-matching VLAN. It would be much more efficient to use a separate BD for sub-interfaces with the same VLAN tag ID.

With your VPLS setup, the MPLS tunnel connects user BDs and there isn’t really a provider bridge. Thus it does not make sense to push a dot1ad provider bridge tag as it is not used for forwarding anyway. If you have users coming in with different VLAN tags into this BD but are supposed to bridge to each other irrespective of the VLAN tag IDs, the typical setup will create a sub-interface for each VLAN tag ID, put these into the BD, and put a tag-rewrite operation of pop-1 on each sub-interface. Then packets will have their VLAN tag popped on input and forwarded in the BD and sent over the VPLS tunnel with no VLAN tags. On output, the proper VLAN tag for each sub-interface will be pushed on each untagged packet before output.

I hope my explanation helps with how bridging is supposed to work,
John

From: Mehran Memarnejad <memarnejad...@gmail.com>
Sent: Sunday, May 27, 2018 9:04 PM
To: John Lo (loj) <l...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: dot1ad tag

Does the efp-filter work based on the second tag??
As far as I experiment, I realized that each subinterface receives packets with tags equal to their subinterface number, e.g.
GigabitEthernet1/0/0.200 will receive packets with inner tags (802.1q) of 200, which is the customer's vlan tag. I think that I should not consider the customer's 802.1q tag in PE.

On Monday, May 28, 2018, Mehran Memarnejad <memarnejad...@gmail.com> wrote:

Hi,

According to Wikipedia's page for 802.1ad:
"A tag stack creates a mechanism for Internet Service Providers <https://en.m.wikipedia.org/wiki/Internet_Service_Providers> to encapsulate customer single-tagged 802.1Q traffic with a single tag, the final frame being a QinQ frame. The outer tag is used to identify and segregate traffic from different customers; the inner tag is preserved from the original frame."

Here I want to add the second tag to segregate customer's traffic. In other words, I want to consider each customer in PEs as if it is a vlan. So their traffic is isolated from each other, even though they are both connected to the same VPP's bridge.

I think that to segregate customer's traffic, we can use:
1- Different VPP bridges for each customer
2- Use second tag (802.1ad tag) to differentiate customers when they are connected to the same VPP bridge.

I don't know whether it is reasonable and common to connect two customers to the same VPP bridge?? But altogether, based on my understanding from Wikipedia's page on 802.1ad, in my scenario the traffic tagged 120 must not be received by the interface with tag 200. Is that right??

On Monday, May 28, 2018, John Lo (loj) <l...@cisco.com> wrote:

What you observed is the expected behavior. Adding such a check will add an overhead on l2-output with VTR configured and affect the packet forwarding efficiency. I still don’t understand the purpose of pushing a dot1ad tag on packets at customer interface input in your VPLS test setup. It just makes L2 forwarding slower because of the VLAN tag push/pop overhead on each packet and does not serve any purpose, AFAIK.
-John

From: Mehran Memarnejad <memarnejad...@gmail.com>
Sent: Sunday, May 27, 2018 8:56 AM
To: John Lo (loj) <l...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: dot1ad tag

Hi,

The patch makes it work perfectly. Now the second tag (SPtag) is removed. But I think there is another bug here.

First scenario:
PE1 : set interface l2 tag-rewrite GigabitEthernet5/0/0 push dot1ad 200
PE2 : set interface l2 tag-rewrite GigabitEthernet4/0/1 push dot1ad 200
Everything works perfectly. The first PE adds the 802.1ad tag of 200 and the second PE removes it.

Second scenario:
PE1 : set interface l2 tag-rewrite GigabitEthernet5/0/0 push dot1ad 200
PE2 : set interface l2 tag-rewrite GigabitEthernet4/0/1 push dot1ad 120
I expect the second PE does not pass the packet, since its tag (120) is different from the received tag (200). (Or in other words they are in different service provider's vlans. Am I right?) But unfortunately, the second PE passes it.

I think that the source code is just considering the number of tags, not the number of tags and their value. I think this is the bug. Am I right??

On Sun, May 27, 2018 at 5:18 PM, Mehran Memarnejad <memarnejad...@gmail.com> wrote:

Hi,

The patch makes it work perfectly. Now the second tag (SPtag) is removed. But I think there is another bug here.

First scenario:
PE1 : set interface l2 tag-rewrite GigabitEthernet5/0/0 push dot1ad 200
PE2 : set interface l2 tag-rewrite GigabitEthernet4/0/1 push dot1ad 200

On Sat, May 26, 2018 at 5:51 AM, John Lo (loj) <l...@cisco.com> wrote:

I just submitted a patch. Can you give it a try to see if this resolves the problem?
-John
https://gerrit.fd.io/r/#/c/12750/

From: Mehran Memarnejad <memarnejad...@gmail.com>
Sent: Friday, May 25, 2018 1:24 PM
To: John Lo (loj) <l...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: dot1ad tag

Without tag-rewrite configuration, everything works well. But I want to activate the QinQ feature, so I need to add a service provider tag (sp-tag) by using a dot1ad tag. Any more ideas to solve the problem??

On Friday, May 25, 2018, John Lo (loj) <l...@cisco.com> wrote:

The tag-rewrite (VTR) configuration looks right. I looked at the l2_vtr_process() function in l2_vtr.h to check how it checks for errors. This is the error drop path:

  /* if not enough tags to pop then drop packet */
  if (PREDICT_FALSE ((vnet_buffer (b0)->l2.l2_len - 12) < config->pop_bytes))
    {
      return 1;
    }

My guess is that the interface-rx-dpo-l2 node did not set up the l2_len field in the vnet buffer properly before passing the packet to the l2-input node. That’s why the tag-rewrite operation on the l2-output node does not function properly.

If you remove the tag rewrite config from these GigabitEthernet5/0/0 customer ports on both PEs, I suppose it should start to work. Any reason you want to have the additional dot1ad tag on the packets for forwarding in the BD and MPLS tunnel?

Regards,
John

From: Mehran Memarnejad <memarnejad...@gmail.com>
Sent: Friday, May 25, 2018 4:40 AM
To: John Lo (loj) <l...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: dot1ad tag

Sw_if_index 6 is the mpls tunnel0 and sw_if_index 3 is the GigabitEthernet5/0/0 on which I have set interface tag-rewrite push dot1ad 12 .... (both of them are attached to bridge1)
GigabitEthernet5/0/0 is the PE's interface toward the customer, meaning that I guess if it does not drop the packet, VPLS will work.
The packet is sent to the interface attached to the bridge (GigabitEthernet5/0/0) by mpls tunnel0. But then the packet drops.

On Friday, May 25, 2018, John Lo (loj) <l...@cisco.com> wrote:

Hi Mehran,

The packet trace shows the drop is caused by the l2-output node when the packet is sent on the interface with sw_if_index 3 where the output tag-rewrite operation is not expecting a packet with a dot1ad tag of 12. What is the interface with sw_if_index of 3 on that PE? Is this the same interface where you have tag-rewrite of “push dot1ad 12” applied?

Can you provide the output of “show bridge 1 detail” (assuming bridge domain ID of 1 is used for bd_index 1, otherwise, substitute with the ID used) on that PE, please? The output will show all interfaces in the bridge domain with sw_if_index and tag-rewrite operation configured on each interface.

Regards,
John

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Mehran Memarnejad
Sent: Thursday, May 24, 2018 8:12 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] dot1ad tag

Hi,

I have configured VPLS in VPP somehow like this link <https://lists.fd.io/g/vpp-dev/message/9112?p=,,,20,0,0,0::Created,,vpls,20,2,0,18122864>.
In addition to the above configurations, I want to add a second vlan tag i.e. 802.1ad (QinQ).
To achieve this, I entered the following command in both PEs:
"Set interface l2 tag-rewrite GigabitEthernet5/0/0 push dot1ad 12"

Tracking what's going on, I found that the first PE adds the QinQ tag (12), but the second PE will not remove this tag and afterward it goes to the error node with this message:
"l2-output: L2 output tag rewrite drops"

Here is what show trace shows in the second PE:

Packet 1

00:31:10:348251: dpdk-input
  TenGigabitEthernet4/0/0 rx queue 0
  buffer 0x21b6f: current data 14, length 114, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
                  ext-hdr-valid
                  l4-cksum-computed l4-cksum-correct
                  l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 1, nb_segs 1, pkt_len 128
    buf_len 2176, data_len 128, ol_flags 0x180, data_off 128, phys_addr 0x4ce6dc40
    packet_type 0x1 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
  MPLS: 00:25:90:97:fa:10 -> a0:36:9f:23:aa:78
  label 60 exp 0, s 0, ttl 63
00:31:10:348260: mpls-input
  MPLS: next mpls-lookup[1] label 60 ttl 63 exp 0
00:31:10:348265: mpls-lookup
  MPLS: next [7], lookup fib index 0, LB index 23 hash 0 label 60 eos 0
00:31:10:348268: lookup-mpls-dst
  fib-index:0 hdr:[33:64:0:eos] load-balance:21
00:31:10:348270: interface-rx-dpo-l2
  sw_if_index:6
00:31:10:348272: l2-input
  l2-input: sw_if_index 6 dst 30:85:a9:f2:23:12 src 3c:07:71:5f:2d:f5
00:31:10:348275: l2-learn
  l2-learn: sw_if_index 6 dst 30:85:a9:f2:23:12 src 3c:07:71:5f:2d:f5 bd_index 1
00:31:10:348277: l2-fwd
  l2-fwd: sw_if_index 6 dst 30:85:a9:f2:23:12 src 3c:07:71:5f:2d:f5 bd_index 1
00:31:10:348280: l2-output
  l2-output: sw_if_index 3 dst 30:85:a9:f2:23:12 src 3c:07:71:5f:2d:f5 data 88 a8 00 0c 81 00 00 06 08 00 45 00
00:31:10:348282: error-drop
  l2-output: L2 output tag rewrite drops

Colors: Packet reception, MPLS tag handling, L2 handling, Error
If you notice the red underlined trace, 802.1ad tag 12 (in hex 0C) and 802.1q tag 6 (in hex 06) have been added to the packet.

I inspected the code in /src/vnet/l2/l2_vtr.h l2_vtr_process() function and /src/vnet/l2/l2_input.h vnet_update_l2_len() function, but I couldn't find any problem.

MY QUESTION:
Is it a bug in the code that the 802.1ad tag is not removed?? Or should I have entered more commands?

Thanks in advance
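
Added example, not part of any message in this thread and not VPP source: a standalone C model of the length test quoted from l2_vtr_process() above, run on a frame constructed from the MACs and data bytes in the l2-output trace. The helper names are hypothetical, and l2_len is assumed to mean 12 bytes of MAC addresses plus 4 per VLAN tag plus the 2-byte ethertype.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_DOT1Q  0x8100
#define ETH_DOT1AD 0x88a8

/* Constructed frame: dst/src MACs and the 12 "data" bytes from the trace
 * (dot1ad tag 12, dot1q tag 6, IPv4 ethertype, first two IP bytes). */
static const uint8_t trace_frame[] = {
    0x30, 0x85, 0xa9, 0xf2, 0x23, 0x12,  0x3c, 0x07, 0x71, 0x5f, 0x2d, 0xf5,
    0x88, 0xa8, 0x00, 0x0c,  0x81, 0x00, 0x00, 0x06,  0x08, 0x00, 0x45, 0x00,
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: walk the tag stack and return the L2 header length
 * (assumed definition, see lead-in). Returns 0 if the frame ends inside
 * the tag stack. */
static unsigned l2_len_from_frame(const uint8_t *f, size_t n)
{
    for (size_t off = 12; off + 2 <= n; off += 4) {
        uint16_t et = be16(f + off);
        if (et != ETH_DOT1Q && et != ETH_DOT1AD)
            return (unsigned)(off + 2);
    }
    return 0;
}

/* Model of the quoted drop test: 1 = drop, 0 = enough tag bytes to pop.
 * The test is on a length only; no tag ID enters it. */
static int vtr_pop_would_drop(unsigned l2_len, unsigned pop_bytes)
{
    return ((int)l2_len - 12) < (int)pop_bytes;
}

int main(void)
{
    unsigned len = l2_len_from_frame(trace_frame, sizeof trace_frame);
    printf("computed l2_len=%u, pop 4 bytes: drop=%d\n",
           len, vtr_pop_would_drop(len, 4));
    printf("l2_len=14 (tags not counted), pop 4 bytes: drop=%d\n",
           vtr_pop_would_drop(14, 4));
    return 0;
}
```

With the length computed from the tag stack the one-tag pop is allowed; with a length of 14 or 0 the same frame is dropped, which is consistent with the guess in the thread that l2_len was not set before l2-input.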