16

I'm seeing an issue with BFD on a link that's being policed egress, where it appears that during times when the policer is maxed out, BFD packets are not getting to the other side. I'm wondering if BFD hellos are subject to the policer or if they fall outside of it. If they are subject to the policer, is it as simple as adding a match for DSCP CS6 and giving it priority? Below is the config:

interface GigabitEthernet1/1
 service-policy output 500meg
end

Router-1#sh policy-map 500meg
  Policy Map 500meg
    Class class-default
     police cir 500000000 bc 31250000 be 31250000
       conform-action transmit
       exceed-action drop
       violate-action drop
Craig Constantine
Mud
    What model of Cisco are you using? – Mike Pennington Sep 06 '13 at 01:12
  • @MikePennington 7606 w/WS-X6724-SFP – Mud Sep 06 '13 at 01:35
  • 3
    Your rationale is correct (for this platform, not for every platform). I would only give CS6 dedicated capacity if I could guarantee what is in CS6 and what is not. If I could not guarantee that, then you'd rather use an ACL to match BFD specifically. Having said that, the 7600 is not a very good platform for aggressive BFD timers. I would shy away from anything more aggressive than a 1s interval, 3 multiplier. – ytti Sep 06 '13 at 06:22
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Jan 03 '21 at 02:11

3 Answers

2

@Mud, you've pretty much got the answer to your question spread over several comments so I'm merely consolidating it here in a single answer.

On the 7600s/6500s you can filter BFD (control-plane traffic) at the interface level just like any other traffic (transit traffic passing through the device).

When you apply an ACL to a port on the line card it's applied to all traffic on that interface. Traffic that needs to be processed by the RSP (or the DFCs, if you are using them) needs to be punted there, which happens after the ACL is processed.

As a rule of thumb I have been including control-plane traffic in QoS policies of late, such as the following where "class NC" matches CS6 & CS7 only:

policy-map QoS-Example
 class NC
  bandwidth percent 2
 !
 class REALTIME
  police rate percent 10
   conform-action transmit
   exceed-action drop
  !
  priority level 1
 !
 class 1
  bandwidth percent 22
 !
 class 2
  bandwidth percent 24
 !
 class 3
  bandwidth percent 12
 ....... and so on

If you write a CoPP policy for your 7600s/6500s you need to write ACLs that match all your relevant kinds of control-plane traffic. So you can also match BFD traffic by matching traffic to/from UDP port 3784 (and lock that down further to your interface IP if possible).

As @ytti said, you need to be wary of the BFD timers on your setup; if you haven't got DFCs you're running BFD on the RSP's CPU power. In that case you might also want to look at tweaking your "process-max-time" global command and the process schedule "scheduler allocate xxx xxx".

The Cisco recommended minimum is bfd interval 100 min_rx 100 multiplier 3, but on some production boxes without DFCs I am actually running bfd interval 500 min_rx 500 multiplier 3, which has been fine. I think on the boxes with DFCs, which I don't have access to right now, I'm running the same.

You can see these references for more info. They cover BFD tuning, ACLs for control-plane traffic (both CoPP and interface ACLs), some control-plane tuning that is generally good practice, and QoS behaviour with control-plane traffic:

http://www.cisco.com/c/en/us/td/docs/routers/7600/troubleshoot/guide/7600_Trouble_Shooting.pdf

http://www.cisco.com/c/en/us/td/docs/routers/7600/ios/12-2SR/configuration/guide/swcg/dos.html

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-congestion-management-queueing/18664-rtgupdates.html

jwbensley
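Putting the answer above and the question's policer together, here is an added IOS configuration example (not from the original post or from Cisco) that classifies BFD with an ACL, as @ytti suggested, so it is not counted against the 500 Mbps class-default policer. The link addresses 192.0.2.1/192.0.2.2 are constructed placeholders, and queueing actions (bandwidth/priority) are left out because their support depends on the line card.

```cisco
! Added example: exempt BFD control packets from the egress policer in
! the question by matching them in a class ahead of class-default.
! 192.0.2.1 (local) and 192.0.2.2 (neighbour) are placeholder addresses.
!
! BFD single-hop control uses UDP 3784 and BFD echo uses UDP 3785
! (RFC 5881). Matching only the link addresses keeps transit traffic
! that happens to use these ports out of the protected class.
ip access-list extended BFD-LINK
 permit udp host 192.0.2.1 host 192.0.2.2 range 3784 3785
 permit udp host 192.0.2.2 host 192.0.2.1 range 3784 3785
!
class-map match-any BFD
 match access-group name BFD-LINK
!
! Broader network-control class (CS6/CS7), usable only if the marking
! is trusted, per ytti's comment above. Not referenced by the policy
! below; shown as the alternative the question asked about.
class-map match-any NC
 match ip dscp cs6 cs7
!
policy-map 500meg
 class BFD
 ! no police statement here: packets matching BFD-LINK are transmitted
 ! without being counted against the 500 Mbps CIR of class-default
 class class-default
  police cir 500000000 bc 31250000 be 31250000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.252
 service-policy output 500meg
!
! Checks: per-class packet counters should show BFD hits in class BFD
! while class-default alone shows the exceed/violate drops.
! show policy-map interface GigabitEthernet1/1 output
! show bfd neighbors details
```

If the BFD class counters stay at zero while the session flaps, the platform is not passing BFD through the egress policy at all, which is consistent with the TAC statement in the answer below.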
1

Due to the critical nature of the BFD control packet, it does not go through the egress QoS policy-map on the way out, and is placed in the egress queue directly. Confirmed with TAC.

Subeh
-1

According to this Cisco document, "Users cannot, for example, filter or apply Quality of Service (QoS) to transmitted BFD packet". So I suppose those packets get the PAK_PRIORITY flag.

Marco Marzetti
    PAK_PRIORITY is used for expedited forwarding inside the router/chassis. It's not an external marking. BFD is data plane and needs to be marked/queued manually to give it better treatment. – Daniel Dib Sep 06 '13 at 09:13
  • @Daniel is right. I forgot to mention that PAK_PRIORITY is an internal flag and its behavior is system dependent. On the C7600 such flagged packets are automatically marked with CoS 6 and protected from any kind of QoS drop. So, even if you can bet that the packets will be delivered, if you want an expedited-forwarding behavior you should define a dedicated queue. – Marco Marzetti Sep 06 '13 at 10:35
  • @MarcoMarzetti So for my own clarification: the cisco doc is referring to ingress BFD packets not being able to be QoS'd, and are still subject to an egress policer? – Mud Sep 07 '13 at 00:25
  • @Mud PAK_PRIORITY is an internal thing (i.e. not marked). _"Cisco IOS software also has an internal mechanism for granting internal priority to important control datagrams as they are processed within the router. This mechanism is called PAK_PRIORITY."_ – Ryan Foley Aug 06 '14 at 06:17