Group-Interface/MLT with VLAN tagging: LACP base circuit assumes non-visible "logical-all" statement

Article ID: 168113

Products

XOS

Issue/Introduction

On a group-interface/MLT with VLAN tagging, the LACP base circuit assumes a "logical-all" statement that is not visible in the configuration. This inherent logical-all of the group-interface base circuit can pose potential problems for applications that rely on the use and proper receipt of broadcast or multicast packets on a specified interface (i.e., Check Point state synchronization).

Cause

The following Cisco configuration is an example of a misconfiguration that affects the Crossbeam configuration referenced below.

Port channel configuration:

interface Port-channel12
 description WAN-MLT
 switchport
 switchport access vlan 195
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 191,195    <----- accidentally tagging vlan 191
 switchport mode trunk
 no ip address
 spanning-tree portfast


In the following line of the XOS configuration, using the "wan" base circuit to establish LACP automatically assumes the "logical-all" statement, which is not visible in the CLI configuration.


...
mode multi-link circuit wan
...


As a reminder, the "logical-all" statement accepts all valid VLANs in the range 1-4094.

Crossbeam configuration:

[truncated for brevity]
....
vap-group fw xslinux_v3
vap-count 3
max-load-count 3
ap-list ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
load-balance-vap-list 3
ip-forwarding
ip-flow-rule r65lb
action load-balance
timeout 30-seconds
activate
....
[truncated for brevity]
....
circuit wan circuit-id 1050
device-name wan
vap-group fw
....
[truncated for brevity]
....
circuit w_195 circuit-id 1051
device-name wan195
vap-group fw
default-egress-vlan-tag 195
ip 172.17.195.192/24 172.17.195.255
....
[truncated for brevity]
....
group-interface wan_group
interface-type gigabitethernet
mode multi-link circuit wan
interface 1/2
interface 2/2
logical l_195 ingress-vlan-tag 195 195
circuit w_195

Resolution

In the Crossbeam configuration referenced, the circuit "wan" is considered the base template circuit. This base circuit exchanges LACP BPDUs and is used to establish the LACP interface bundle to the adjacent, connected device.

It is important to note that if the adjacent switch has been misconfigured to trunk additional, undesired VLANs within the LACP interface bundle connected to the Crossbeam X-series NPM, all related non-unicast IP tagged packets will be accepted by the base circuit and passed to the vap-group due to the implied "logical-all" configuration.
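One way to catch this mismatch before it reaches the vap-group, as an added example that is not part of the original article or of XOS: the Python check below compares the VLANs the switch trunks on the bundle with the VLANs explicitly mapped by "logical ... ingress-vlan-tag" lines and reports the ones that would fall through to the base circuit. The function names are hypothetical, the sample configs are trimmed from the excerpts above, and the two numbers after ingress-vlan-tag are assumed to be a low/high range.

```python
import re

# Sample configs copied from the article's excerpts (trimmed to the relevant lines).
CISCO_CFG = """interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 191,195
 switchport mode trunk
"""
XOS_GROUP_CFG = """group-interface wan_group
interface-type gigabitethernet
mode multi-link circuit wan
interface 1/2
interface 2/2
logical l_195 ingress-vlan-tag 195 195
circuit w_195
"""

def parse_vlan_list(spec):
    """Expand a Cisco VLAN list such as '191,195,200-202' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def switch_trunk_vlans(cisco_cfg):
    """VLANs the switch tags on the bundle ('allowed vlan' and 'allowed vlan add')."""
    vlans = set()
    for m in re.finditer(r"switchport trunk allowed vlan (?:add )?(\d[\d,\-]*)", cisco_cfg):
        vlans |= parse_vlan_list(m.group(1))
    return vlans

def xos_logical_vlans(xos_group_cfg):
    """VLANs claimed by explicit logical lines; the two numbers are read as low/high (assumption)."""
    vlans = set()
    for m in re.finditer(r"^\s*logical \S+ ingress-vlan-tag (\d+)(?: (\d+))?", xos_group_cfg, re.M):
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vlans.update(range(lo, hi + 1))
    return vlans

def vlans_reaching_base_circuit(cisco_cfg, xos_group_cfg):
    """Return (base circuit name, trunked VLANs with no explicit logical mapping)."""
    base = re.search(r"^\s*mode multi-link circuit (\S+)", xos_group_cfg, re.M)
    stray = switch_trunk_vlans(cisco_cfg) - xos_logical_vlans(xos_group_cfg)
    return (base.group(1) if base else None, sorted(stray))

if __name__ == "__main__":
    circuit, stray = vlans_reaching_base_circuit(CISCO_CFG, XOS_GROUP_CFG)
    print(f"base circuit {circuit!r} will accept unmapped VLANs: {stray}")
```

Any VLAN the check reports is one to prune from the switch's allowed list or to map to an explicit logical on the group-interface.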

Workaround

N/A