NCS5500 Hw-module Profiles

55 minutes read

  
2020-Feb-14Document Creation
2020-Mar-12Correction of the max-classmap-size description
2020-Apr-08Correction: HQoS not needed for ingress policer on sub-if
2020-Jul-31Add: hw-mod profile bw-threshold
2020-Aug-10Add: comment on the need to use UDK profile for packet-length match in ACL
2021-Apr-3Add: hw-mod profiles till 7.3.1, updated the support for J2 based platforms for exisiting profiles
2021-Sept-9Add: hw-mod profiles till 7.4.1, updated the support for J2 based platforms for exisiting profiles
2022-Jan-20Add: hw-mod profiles till 7.5.1
2023-May-16Add: Updated the support for J2 based platforms for existing profiles
2024-May-13Add: Modified the loadbalancing algo

You can find more content related to NCS5500 including routing memory management, URPF, ACLs, Netflow following this link.

This article is meant to be updated regularly, consider it a constant “work in progress”.

Introduction

During the 4 years of its existence, the NCS5500 has been used in a constantly growing number of network roles. The NCS 5500 resources (databases where we store prefixes, nexthop, counters, …) have been optimized to accommodate the specific requirements of these networking roles.
To enable these particular resource optimizations, we carved the memories in specific ways, via “hardware profiles”.

This document aims at listing all these options and clarify:

  • what they do and where they can be used
  • which platforms can use them
  • when they have been introduced
  • what are the side effects of enabling them, if any

If not specifically mentioned, consider that activation of a new hw-module config will require a system or line card reload.

Acknowledgements

Many thanks to:

  • Neelu Jethani
  • Jisu Bhattacharya
  • Vincent Ng
  • Anup Kumar Vasudevan
  • Rajeev Mishra
  • Aleksandar Vidakovic
  • Neeraj Garg
  • Riadh Habibi
  • Richard Poll
  • Tejas Lad
  • Angu Chakravarthy
  • Paban Sarma
  • Bala Murali Krishna Sanka
  • Deepak Balasubramanian
  • Gaddam Ravindher Reddy
  • Avinash Prabhu

Hardware Module CLI hierarchy

For this article, we use IOS XR 6.6.3, 7.0.2, 7.3.1, 7.4.1 . The document will be updated regularly.

Graphical view of the 6.6.3 structure

RP/0/RP0/CPU0:NCS5500-663#sh ver

Cisco IOS XR Software, Version 6.6.3
Copyright (c) 2013-2019 by Cisco Systems, Inc.

Build Information:
 Built By     : hlo
 Built On     : Fri Dec 13 17:40:12 PST 2019
 Built Host   : iox-lnx-029
 Workspace    : /auto/srcarchive15/prod/6.6.3/ncs5500/ws
 Version      : 6.6.3
 Location     : /opt/cisco/XR/packages/

cisco NCS-5500 () processor
System uptime is 2 weeks 6 days 14 hours 56 minutes

RP/0/RP0/CPU0:NCS5500-663#conf
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module ?
  fib               Forwarding table to configure
  oversubscription  Configure oversubscription
  profile           Configure profile.
  quad              Configure quad.
  route-stats       Configure multicast per-route statistics
  service           Configure service role.
  subslot           Configure subslot h/w module
  tcam              Configure profile for TCAM LC cards
  vrrpscale         to scale VRRP sessions
RP/0/RP0/CPU0:NCS5500-663(config)

hw-module-663.png

Graphical view of the 7.0.2 structure

RP/0/RP0/CPU0:NCS5500-702#sh ver
Cisco IOS XR Software, Version 7.0.2.18I
Copyright (c) 2013-2019 by Cisco Systems, Inc.

Build Information:
 Built By     : ahoang
 Built On     : Tue Nov 19 16:44:39 PST 2019
 Built Host   : iox-ucs-027
 Workspace    : /auto/iox-ucs-027-san2/prod/7.0.2.18I.SIT_IMAGE/ncs5500/ws
 Version      : 7.0.2.18I
 Location     : /opt/cisco/XR/packages/
 Label        : 7.0.2.18I

cisco NCS-5500 () processor
System uptime is 4 weeks 6 days 12 hours 8 minutes

RP/0/RP0/CPU0:NCS5500-702#conf
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module ?
  ains              Configure AINS Params
  fib               Forwarding table to configure
  oversubscription  Configure oversubscription
  port-range        Configure port range
  profile           Configure profile.
  quad              Configure quad.
  route-stats       Configure multicast per-route statistics
  service           Configure service role.
  shut              shutdown the hw-module
  stats-fpga        Configure h/w module
  subslot           Configure subslot h/w module
  tcam              Configure profile for TCAM LC cards
  unshut            Unshut the hw-module
  vrrpscale         to scale VRRP sessions
RP/0/RP0/CPU0:NCS5500-702(config)#

hw-module-702.png

Now, let’s review these profiles individually. We will define their role, the type of platforms using them, and potentially the conflicts with other profiles.

fib

dlb

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module fib dlb level-1 enable ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.57.20 PM.png

“Destination-based Load balancing” has been introduced in 6.6.2 and is completed in 7.1.1.
It’s another solution to address the 4K ECMP FEC limitation with software based pre-selection of the path. In this approach, one path out of available multipaths is selected based on software hash on destination IP before prefix is programmed in hardware. Data plane is programmed with selected single path. So traffic is virtually distributed on available paths by pre-selection of path based on per-prefix hash.
This profile enables DLB for IGP with LDP, IGP with SR, L2VPN PW over IGP, BGP LU over IGP, BGP L3VPN over IGP, TI-LFA/LFA/RLFA at IGP but not for IGP over SRTE nor BGP PIC Edge.

External documentation:

ipv4 / ipv6

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ?
  dlb   Destination Based Load balancing
  ipv4  Configure ipv4 protocol
  ipv6  Configure ipv6 protocol
  mpls  Configure mpls protocol
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv4 ?
  scale  Configure scale mode for no-TCAM card
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv4 scale ?
  host-optimized-disable  Configure Host optimization by default
  internet-optimized      Configure Intetrnet optimized
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv4 scale internet-optimized ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv4 scale host ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv6 ?
  scale  Configure scale mode for no-TCAM card
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv6 scale ?
  internet-optimized-disable  Configure by default Intetrnet optimized
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib ipv6 scale internet ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

01.png

These profiles will dictate how we distribute IPv4 and IPv6 prefixes in the different databases (LPM or LEM) depending on their prefix length. Not effective when using external TCAM.
They are mandatory if we need to store large routing tables (ie full internet view) and/or if want to configure URPF.

Default mode is “host-optimized” for IPv4 and “internet-optimized” for IPv6. This hardware profile is only relevant for systems/LC with the no eTCAM (“base” systems) using Jericho and “Jericho+ with Jericho-scale” (with the 256k-350k large LPM). It’s not recommended for NCS55A1-24H or NCS55A1-48Q-6H, based on a Jericho+ with large LPM (1M-1.5M v4 entries).

External documentation:

Note1: Please pay attention to the form of the command since it could lead to confusions: for IPv4 it’s internet-optimized while it’s internet-optimized-disable for IPv6.

Note2: This profiles are not applicable for J2 based systems.

mpls

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib mpls ?
  label  Configure MPLS label convergence optimization for LDP/SR labels
  ldp    Configure signalling protocol for MPLS
RP/0/RP0/CPU0:NCS5500-663(config)#

hw-module fib mpls ldp lsr-optimized

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib mpls ldp lsr-optimized ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

mpls ldp lsr-optimized.png

When using an MPLS network, you bind specific prefixes to labels for the IP-to-MPLS case, and also you bind ingress labels to egress labels for the LSR role (MPLS-to-MPLS case).
In the NCS5500, several resources are used to store this information. Among them, the FEC database is solicited. LEM and EEDB are also important in this discussion but we will try to simplify it to focus only on the FEC part.

When the destination of the packet is resolved via a single path, the information is stored in this 124k-entry large database. But when the destination is resolved via multiple equal cost paths (ECMP case), the information is stored in a sub-block of the FEC table named ECMP FEC.
This zone can accommodate 4k entries.

By default, the system will allocate 3 entries for each prefix bound to a label:

  • one for the IP to MPLS case
  • one for the MPLS to MPLS case
  • one for the case where the next hop is made of several paths, some with LDP, some others with IP-only (referred as EOS0/1 case, it’s usually a transcient situation). That reduces the overall number of prefixes associated to labels to 1,300 (you’ll find many places mentioning the supported number is 1,000).

When we position NCS5500 as a pure LSR role, the first and third allocation are not necessary. That’s the purpose of this hardware profile: extending the support to 3000+ prefixes bound to labels (with up to 16 way ECMP paths). This CLI enables creation of “Push/Swap” Shared MPLS encap i.e. same encap can be used for Label Push or Label Swap.

EVPN services are not supported with this profile.

Note1: in an IGP domain, only the router’s loopbacks need to be bound to labels. It’s a best practise to use filters to reduce the IGP to MPLS relationship.

Note2: This profiles is not supported for J2 based systems.

External documentation:

hw-module fib mpls label lsr-optimized

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib mpls ldp ?
  lsr-optimized  Configure optimization for LSR role
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module fib mpls label lsr-optimized ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

mpls label lsr-optimized 2.png

ECMP optimization for /32 prefixes - when all paths have same label, the common label stored in the LEM so we don’t have to consume EMCP FEC entries. In 6.5.x: no services could work with this profile (no L2VPN/L3VPN as the “transport” label won’t be pushed on the traffic). Starting from 7.1.1, L3VPN supported but no L2.

External documentation:

Note1: lsr-optimized mode was introduced in 6.5.x and was not supported on J+ w/ eTCAM systems initially, this limitation is removed starting from 7.1.1.

Note2: this profile can not be used with the internet-optimized.

Note3: This profiles are not supported for J2 based systems.

recycle

hw-module fib recycle service-over-rsvpte


RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib recycle ?
  service-over-rsvpte  Recycle traffic for BGP services going over RSVP TE
RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib recycle service-over-rsvpte ?
  -cr-  
RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib recycle service-over-rsvpte 
Wed Mar 31 23:10:12.063 PDT
In order to activate/deactivate recycling traffic for BGP services going over RSVP TE, you must manually reload the chassis/all line cards
RP/0/RP1/CPU0:5508-1-731(config)#

Screenshot 2021-04-03 at 11.58.02 AM.png

To enable L3 BGP services over NCS5500/5700 use hw-module profile hw-module fib recycle service-over-rsvpte”. Prior to this feature, BGP services (6PE, VPNv4) were not supported over LDPoRSVPTE on NCS5500. With introduction of this feature, in IOS-XR 7.3.1 on systems with J/J+ and IOS-XR 7.4.1 on J2-comp-mode this use cases is possible. The is achieved via recycle approach. In first pass, IGP local label and BGP label is added and then packet is recycled. Recycled packet is treated as regular IGP MPLSoRSVPTE packet in second pass. In second pass, IGP local label is swapped with IGP out label and then pushed RSVP TE label and packet is sent out. In order to activate/deactivate recycling traffic for BGP services going over RSVP TE, you must manually reload the chassis/all line cards

Note: Enabling this profile, packets meant for the TE tunnel gets recycled EVPN over LDPoTE is supported only on J/J+.

bgp-pic multipath

hw-module fib bgp-pic multipath-core enable


RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib bgp-pic multipath-core ?
  enable  Enable pic core in forwarding chain
RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib bgp-pic multipath-core enable ?
  -cr-  
RP/0/RP1/CPU0:5508-1-731(config)#hw-module fib bgp-pic multipath-core enable 
Thu Apr  1 02:49:14.402 PDT
In order to activate/deactivate bgp multipath pic core, you must manually reload the chassis/all line cards
RP/0/RP1/CPU0:5508-1-731(config)#

Screenshot 2021-04-03 at 11.59.58 AM.png

To avoid BGP prefix dependent convergence, when multiple ECMP paths are available via IGP, use the hw-module profile fib multipath-core enable. This helps in achieving sub second convergence. The BGP protocol will select more than 1 primary path as primary path set and 1 backup path for primary path set. It will install the primary and backup path pair in the RIB. FIB will replicate same backup path for all primary paths and program all path as a protected path. To disable the feature, need to use below CLI. After disabling the CLI router reload is recommended.“no hw-module fib bgp-pic multipath-core enable”.

Note: In order to activate/deactivate bgp multipath pic core, you must manually reload the chassis/all line cards.BGP LU level 1 is not supported. L3VPN/6PE/6VPE pic core multipath is not supported over igp

oversubscription

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize ?
  cos       CoS values between 0-5
  untagged  Prioritize untagged packets
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize cos ?
  0-5  configure CoS number 0-5
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize cos 0 ?
  interface  Interface name
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize cos 0 interface hu0/0/0/0 ?
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize untagged ?
  interface  Interface name
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize untagged interface hu0/0/0/0 ?
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module oversubscription prioritize untagged interface hu0/0/0/0

Screenshot 2021-04-03 at 12.39.43 PM.png

port-range

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range ?
  0-35  configure start port
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range 0 ?
  0-35  configure end port
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range 0 1 ?
  location  fully qualified location specification
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range 0 1 location 0/4/CPU0 ?
  mode  port mode 40-100, 400, 2x100, 4x10-4x25
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range 0 1 location 0/4/CPU0 mode ?
  WORD  port mode 40-100, 400, 2x100, 4x10-4x25
RP/0/RP0/CPU0:NCS5500-702(config)#

Feature introduced to assign port roles in NC57-18DD-SE line cards (Vigor-SE).

On NC57-18DD-SE line cards, the ports from 0 to 17 and 24-29 should be configured in pairs. They below to a same Reverse Gear Box / CDR5 cage that can handle up to 400Gbps. If the port n is 400G, the port n+1 is disabled. Default mode is 40-100.

RP/0/RP0/CPU0:NCS5500-702(config)#do sh int brief | i "(0/3/0/28|0/3/0/29)"
         Hu0/3/0/28  admin-down  admin-down               ARPA  1514  100000000
         Hu0/3/0/29  admin-down  admin-down               ARPA  1514  100000000
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module port-range 28 29 loc 0/3/CPU0 mode 400
RP/0/RP0/CPU0:NCS5500-702(config)#commit
LC/0/3/CPU0:Feb  2 22:37:54 : ifmgr[163]: %PKT_INFRA-LINK-3-UPDOWN : Interface HundredGigE0/3/0/29, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:54 : ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface HundredGigE0/3/0/29, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:54 : ifmgr[163]: %PKT_INFRA-LINK-3-UPDOWN : Interface HundredGigE0/3/0/28, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:54 : ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface HundredGigE0/3/0/28, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:56 : ifmgr[163]: %PKT_INFRA-LINK-5-CHANGED : Interface Optics0/3/0/28, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:56 : ifmgr[163]: %PKT_INFRA-LINK-3-UPDOWN : Interface FourHundredGigE0/3/0/28, changed state to Down
LC/0/3/CPU0:Feb  2 22:37:56 : ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface FourHundredGigE0/3/0/28, changed state to Down
RP/0/RP0/CPU0:Feb  2 22:37:57 : config[67778]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000037' to view the changes.
RP/0/RP0/CPU0:NCS5500-702(config)#do sh int brief | i "(0/3/0/28|0/3/0/29)"
         FH0/3/0/28        down        down               ARPA  1514  400000000
RP/0/RP0/CPU0:NCS5500-702(config)#

External documentation:

profile

acl egress

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile acl ?
  egress  egress acl
  ipv6    ipv6 protocol specific options
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile acl egress ?
  layer3  egress layer3 acl
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile acl egress layer3 ?
  interface-based  egress layer3 interface-based acl
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile acl egress layer3 interface-based ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

Introduced in IOS XR 6.1.4, this profile is specifically designed to enable L3 egress ACL over BVI.

Restrictions: Once this profile is enabled, it’s not possible to configure egress ACL over non-BVI interfaces (Physical included).

External documentation:

acl ingress

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ?
  egress   egress acl
  ingress  ingress acl
  ipv6     ipv6 protocol specific options
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ingress ?
  compress  Specify ACL compression in hardware
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ingress compress ?
  enable  Enable ACL compression in hardware
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ingress compress enable ?
  location  Location of acl config
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

acl ingress compress enable.png

Note: This profiles is applicable only for systems with etcam

acl ipv6

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ?
  egress   egress acl
  ingress  ingress acl
  ipv6     ipv6 protocol specific options
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ipv6 ?
  ext-header  ipv6 extension header related options
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ipv6 ext-header ?
  permit  allow permit of extension header packets
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile acl ipv6 ext-header permit ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

acl ipv6 ext-header permit.png

Feature available on 6.6.3 and 7.0.1.

In previous implementation, ipv6 header parser can’t identify next protocol properly when one or more extension headers are present. This means, if ipv6 extension header is present, it will not be able to apply security ACLs properly based on ip protocols and other L4 information like L4 ports, TCP flags etc.
When these extension headers are detected, these packets are sent to control plane CPU for further processing and applying the security ACLs. This mean, these packets will not be processed at full rate, which can be anything from 150Mpps to 835Mpps based on ASIC type, but only at 100 packets per sec. Any more packets of this type will be dropped.
This behavior of sending packet to CPU is enabled by default, but in case user wants to disable this special handling of extension headers, they can enable the hardware profile.
With this, they don’t have to insert permit rules in each ACLs. All the packets with extension headers will bypass security ACLs and will be permitted. This CLI can be configured or de-configured anytime during router operation and does not need any restart of system.

Note: Can be enabled and disabled without requiring a system reload.

External documentation:

bundle-scale

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile bundle-scale ?
  1024  Max 1024 trunks, Max 16 members
  256   Max 256 trunks, Max 64 members
  512   Max 512 trunks, Max 32 members
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

In IOS XR 6.5.1, we introduced this hardware profile to offer more flexibility in the distribution “number of bundles vs numbers of bundle members”. Some customers wanted more bundle interfaces with few ports or vice versa fewer bundle interfaces with more port members.

# BundlesMembers / Bundle
25664
51232
102416

Note: “hw-module profile qos max-trunks <256/512/1024>” is replaced by “hw-module profile bundle-scale <256/512/1024>” from 6.5.1 release onwards

External documentation:

bundle-hash

hw-module profile bundle-hash ignore-ingress-port


RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash ignore-ingress-port ?  
  -cr-  
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash ignore-ingress-port

Screenshot 2021-04-03 at 11.37.35 AM.png

This profile was introduced in IOS-XR 7.1.2. After enabling this profile ingress traffic port is removed from the hash-key computation. This results in different hash-key value gets computation. This alters the traffic distribution across the bundle members. This is a global CLI and applies to all Line cards and all bundles on the chassis. This profile doesn’t require a chassis or a LC reload.

hw-module profile bundle-hash per-packet-round-robin


RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash ?
  hash-index              configure which polynomial to use in bundle-hash
  ignore-ingress-port     Disable ingress port during bundle hash computation
  per-packet-round-robin  Enable per-packet round robin loadbalancing for all bundles in system
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash 
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash per-packet-round-robin ?
  -cr-  

Screenshot 2021-04-03 at 11.40.07 AM.png

This profile is introduced in IOS XR 7.3.1. Enabling this profile, bundles will start egressing traffic in a per-packet round robin manner across all members. This suppresses any internal load balancing algorithm and it becomes purely round robin. This is a global CLI and applies to all bundles across all locations/LCs.

Note: This profile doesn’t require a chassis or a LC reload. When per packet round robin mode is enabled, all bundle links will be equally used for egress. Hence, the bundle-hash CLI tool or ‘show cef exact-route’ command to predict the egress member link will not be of any use.

hw-module profile bundle-hash hash-index <> location <>


RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash hash-index ?           
  1   Use Polynomial value 0x8011
  10  Use LB-Key-Pkt-Data directly
  11  Use counter incremented every packet
  12  Use counter incremented every two clocks
  2   Use Polynomial value 0x8423
  3   Use Polynomial value 0x8101
  4   Use Polynomial value 0x84A1
  5   Use Polynomial value 0x9019
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash hash-index 10 ?
  location  Location of bundle-hash polynomial config
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash hash-index 10 location ?
  0/0/CPU0  Location of bundle-hash polynomial config
  0/3/CPU0  Location of bundle-hash polynomial config
  0/7/CPU0  Location of bundle-hash polynomial config
  WORD      Location of bundle-hash polynomial config
RP/0/RP1/CPU0:5508-1-731(config)#hw-module profile bundle-hash hash-index 10 location

Screenshot 2021-04-03 at 11.41.57 AM.png

This is the config to adjust the LAG load balancing algorithm by changing the hash polynomial used by ASIC. The router continues to use the existing 7-Tuples algorithm, but user can change the polynomial value used internally. This results in different load-balancing which may be better in some cases. This profile is per location or LC based. So the change is applicable only for traffic streams ingressing on that particular Line Card. Hash-key is calculated based on ingress LC. Hash-key value decides which bundle member will be selected for egress, irrespective of whichever LC bundle member belongs to. User can configure same hash-index on all LCs if desired.

Note: Any other hash-index is not valid or there are some internal limitations. Hence only CLI should be used to modify the hash-index and not via shell. Hash-indices 11 and 12 result in a per-pkt based distribution across bundle. So should be used with caution/after testing. This profile doesn’t require a chassis or a LC reload. When there are multiple NPU’s/ASIC’s on a LC, and hash index is configured on that location, that configuration gets applied to each NPU.

bw-threshold

RP/0/RP0/CPU0:5508-2-702(config)#hw-module profile bw-threshold ?
  WORD  value in percent: 0-100,in increments of 10
RP/0/RP0/CPU0:5508-2-702(config)#hw-module profile bw-threshold 20 ?
  cr
RP/0/RP0/CPU0:5508-2-702(config)

02.png

This feature allows the NPU to monitor of the number of fabric interfaces “up”.
When the fabric bandwidth falls below the configured bandwidth threshold on any one ASIC, the front panel interfaces on the line card are forced down, triggering a network re-convergence (through routing protocols). If we cross the threshold in the other direction, the front panel interfaces are brought back up again.
The “bring down threshold” is kept 2 fabric links per ASIC below the “bring up threshold”.

This algorithm does not apply to fixed systems where the fabric links are not connected.

Check “Set Fabric Bandwidth Threshold” in the installation guide:
https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/hardware-install/b-ncs5500-hardware-installation-guide/b-ncs5500-hardware-installation-guide_chapter_011.html

Note: This profile is not needed for J2 based systems.

flowspec

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile flowspec ?
  v6-enable  Configure support for v6 flowspec
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile flowspec v6-enable ?
  location  Location of flowspec config
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 2.31.43 PM.png

NCS 5500 supports BGP FlowSpec starting from IOS XR 6.5.1. Only the J+ platforms with eTCAM (-A-SE) are supporting this feature.

Details on the BGP FlowSpec implementation are available in this support forum post:
https://community.cisco.com/t5/service-providers-blogs/bgp-flowspec-implementation-on-ncs5500-platforms/ba-p/3387443

Once you enable this profile, due to the potentially very long key necessary to perform the matching part of the BGP FSv6 rule, it has been decided to reduce the PPS for the all data paths to 700MPPS (and not only IPv6 packets).

External documentation:

load-balance algo

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile load-balance algorithm ?
  L3-only                        L3 Header only Hash.
  PPPoE                          PPPoE session based optimized hash. Reload is required for this option
  gtp                            GTP optimized.
  gtp-mpls                       GTP over MPLS optimized hash.
  inner-l2-field                 Inner MAC based optimised hashing.
  ip-tunnel                      IP tunnel optimized.
  layer2                         Layer 2 optimized.
  mpls-lsr-ler                   MPLS lsr ler LB profile.
  mpls-lsr-ler-optimized         MPLS lsr ler LB profile optimized
  mpls-safe-speculative-parsing  MPLS safe Speculative parsing.
RP/0/RP0/CPU0:NCS5500-702(config)#
  • The headers which make the forwarding decision in a packet are called the forwarding headers. Further the forwarding header along with other headers can be used for the Hashing Decision.For example, in a packet format of ETHoIP:
    • In a L3 Network: content from the IP header is used and hence called the forwarding header.
    • In a L2 Network: content from the ETH header is used and hence called the forwarding header
  • The header following the forwarding header have been indicated as Fwd+1, Fwd+2 and so on in the document below.
  • In Cisco IOSXR Jericho routers by default
    • For ECMP: FWD and FWD+1 headers are taken into consideration.
    • For LAG: FWD, FWD+1 and FWD+2 headers are taken into consideration.
  • In J+ routers for both ECMP hash and LAG hash takes 3 headers i.e. Fwd, Fwd+1 and Fwd+2 for hash calculation.
  • Certain parameters for hash calculation are not dependent on the incoming packet but on the router.
    • For example, Input pp_port which represents the port on which packet is entering the router and Router_id which is the configured IPv4 loopback address of the router (If no IPv4 loopback is configured i.e. no loopback interface or only IPv6 loopback interfaces then chassis ID is used as a Router_id)
  • J/J+ provides the flexibility to choose from multiple profiles to satisfy the requirement of different deployment scenario. While on J2 no additional load balancing hw-module config is required
IndexProfile NameUse Case 
0DefaultPerforms default hashing operation as explained above. No h/w module knob needed to enable this. 
1layer2Optimized for Ethernet (Layer 2) based forwarding deployments. The profile also allows the hashing algorithm to be able to use the inner IP header information when doing layer 2 forwarding with inner payload is MPLS. 
2ip-tunnelSuitable for deployment of IP tunnel such as GRE and GUE. It allows the hashing algorithm to use the outer IPv4 GRE header even when doing an IP tunnel decapsulation. For GUE load balancing happens only on outer IP and Outer UDP header. The profile needs the router to be reloaded to enable this profile. 
3mpls-safe-speculative-parsingRecommended for P (core) nodes as it can look one header inside the forwarding MPLS. But in this case, if the first nibble of the MAC DA address is a 4 or 6, the rest of the packet could be interpreted incorrectly as IPv4 or IPv6 header. The profile was introduced in 6.5.3 
4gtpOptimized for GTP deployments as it allows hashing based upon the tunnel endpoint id in GTP-U packets. Hashing decision is based on IPv4/IPv6, UDP and Tunnel Endpoint (TE ID) The profile was introduced in 6.5.1 
5L3-OnlyL3 header only hash i.e. fields from IPv4 and IPv6 will be used. This profile will not make use of any L4 header for hashing. Recommended when majority of traffic is fragmented to guarantee the fragmented packets will take the same path. The profile was introduced in 7.4.1 
6gtp-mplsLike GTP this profile is optimized for GTP deployments with MPLS backbone. TE ID is taken into consideration instead of L4. The profile was introduced in 7.2.1 
7mpls-lsr-lerRecommended for Load balancing at Label Edge Router (LER) and Label Switched Routers (LSRs) with MPLS traffic and where there could be partial MPLS label termination that could lead to Errata flow (pop of the topmost label and lookup on the label underneath it). Recommended for below cases: 1) MPLS pop and lookup flows (EthoMPLS2/3oIPv4oL4) with L4 as TCP or UDP 2) MPLS pop and lookup flows (EthoMPLS2/3oIPv6oL4) with L4 as TCP or UDP The profile was introduced in 7.8.1. 
8mpls-lsr-ler-optimizedAdded optimizations above mpls-lsr-ler profile. Allows for optimized hashing in LER and LSR with MPLS IPv6 traffic Recommended for below cases: 1) MPLS pop and lookup flows (EthoMPLS2/3oIPv4) but no L4. 2) MPLS pop and lookup flows (EthoMPLS2/3oIPv4) but no L4. 3) EthoMPLS4+ labels packets for topmost label swap/pop. The profile was introduced in 7.10.1 
9pppoeProfile designed for head and tail node under ECMP and LAG based hashing scenario in J/J+ where inner IPv4/IPv6 header immediately after PPPoE header is taken consideration. A unique FAT label is allocated for this load-balancing to happen. The profile needs the router to be reloaded to enable this profile.The profile was introduced in 7.4.1 
9.1pppoe decap-fatbased-hashingSub-profile under pppoe similar with fat-based hash profile for pppoe packets which has been specifically recommended for tail node which would enable the use of FAT label and VC label which are terminating and hence not taken into hash tuple to be considered for hash calculation. The profile needs the router to be reloaded to enable this profile. 
10inner-L2-FieldAllows the hashing algorithm to use the inner ethernet fields like source MAC (SMAC) and destination MAC (DMAC) addresses for an EthoMPLSoEth kind of packets into consideration for hashing. By default, these fields are not taken. This knob is applicable to J2 as well. The profile was introduced in 7.7.1 on J2 and for J/J+ introduced in 24.1.2 
11fat-based-hashProfile recommended for L2VPN deployment with FAT configured on the disposition node. Enabling this profile ensures that FAT label is also included for hash computation. The profile needs the router to be reloaded to enable this profile. The profile was introduced in 24.3.1 

CLI’s that can affect the behaviour of load balancing are :

  • hw-module profile bundle-hash ignore-ingress-port:
  • Enabling this command removes ingress traffic port from the hash-key computation. This results in different hash-key value generation. This alters the traffic distribution across the bundle members. This is a global CLI and applies to all Line cards and all bundles on the chassis. This profile doesn’t require a chassis, or a LC reload.
  • hw-module profile bundle-hash hash-index Command supports the following hash-indices:
    • 1 Use Polynomial value 0x8011
    • 10 Use LB-Key-Pkt-Data directly
    • 11 Use counter incremented every packet
    • 12 Use counter incremented every two clocks
    • 2 Use Polynomial value 0x8423
    • 3 Use Polynomial value 0x8101
    • 4 Use Polynomial value 0x84A1
    • 5 Use Polynomial value 0x9019

This command is applicable only to the location or line card specified while configuring this command.

  • hw-module profile bundle-hash per-packet-round-robin
  • Enabling this profile, bundles will start egressing traffic in a per-packet round robin manner across all members. This suppresses any internal load balancing algorithm, and it becomes purely round robin. This is a global CLI and applies to all bundles across all locations/LCs.

netflow ipfix315-enable

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile netflow ?
  fpc-enable       Netflow full packet capture enable
  ipfix315-enable  IPFIX 315 enable
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile netflow ipfix315-enable ?
  location  Location of NETFLOW config
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

This hardware profile must be enabled prior to configure an exporter-map with version ipfix option 315 on a specific line card.

External documentation:

netflow fpc-enable

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile netflow ?
  fpc-enable       Netflow full packet capture enable
  ipfix315-enable  IPFIX 315 enable
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile netflow fpc-enable ?
  location  Location of NETFLOW config
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

This feature introduced in 7.0.1 enables the full packet capture mode, and is documented externally on https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/netflow/b-ncs5500-netflow-cli-reference/b-ncs5500-netflow-cli-reference_chapter_01.html#wp4044800456

Full MPLS+IP headers are displayed only for L3VPN. For L2VPN, the netflow code does not support any decoding from CW onwards (a XR netflow limitation, and not specific to NCS5500). The Netflow Full Packet Capture is required to capture non-IPoMPLS packets.

External documentation:

offload


RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile offload ?
  1  BFDv6 and Bsync
  2  BFDv6 and Route download
  3  Route download and Bsync
RP/0/RP0/CPU0:NCS5500-702(config)#

02.png

This profile, introduced in 6.6.1, enables the hardware offload of the IPv6 BFD for NCS5501-SE. Bsync here refers to the PTP (timing feature) capability. On NCS5501-SE, we can use two cores and we need to select between 3 options: Bsync, BFDv6 and the acceleration of the route download in the NL12k eTCAM. The problem doesn’t exist on other Jericho + NL12k eTCAM systems since they don’t support timing and doesn’t exist either on the Jericho+ systems since they use an OP eTCAM.
Option 1 is used by default. Not relevant for other platforms than NCS5501-SE.

Doesn’t work for Segment Routing (same as IPv4) and doesn’t support Explicit NULL. Only fixed values of timers can be used (3.3 msec, 10 msec, 100 msec, 1 sec, 10 sec).

External documentation:

Note: This profile is not needed for J2 based systems

oam

hw-module profile oam 48byte-cfm-maid-enable


RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile oam ?
  48byte-cfm-maid-enable  Enable 48byte cfm maid feature
  sat-enable              enable SAT feature
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile oam 48byte-cfm-maid-enable ?
  -cr-
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile oam 48byte-cfm-maid-enable
Thu Jan 20 09:55:51.661 UTC
In order to make the oam profile take effect, the router must be manually reloaded.

Screenshot 2022-01-20 at 3.40.30 PM.png

The NCS 5500 and NCS 5700 system has limited format support for MAID/MDID formats for hw-offloaded CFM session (<1 minutes). With introduction to this new hw-module profile, NCS 5700 fixed systems and modular boxes running in J2 native mode will support flexible format MDID/MAIDs for hardware offloaded MEPs. Activation of this mode needs the router to be reloated.

qos

Many options behind the qos profiles…

hw-module profile qos hqos-enable

Screenshot 2021-04-03 at 12.39.43 PM.png

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos ?
  bvi-l2qos-disable  Disable L2QOS on BVI interfaces
  hqos-enable        Enable Hierarchical QoS
  ingress-model      QoS model for ingress feature
  ipv6               Configure ipv6 protocol
  max-classmap-size  max class map size
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos hqos-enable ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

If you need to apply any kind of QoS policy on a sub-interface, it’s mandatory to enable this hardware profile. Even for simple shaper in egress L3 sub-if (note: you don’t need it for ingress shaper).
Of course, it’s also necessary if you need to apply hierarchical quality of service with parent/children structure.

Restrictions

  • HQoS profile and ingress peering profile do not work simultaneously. And hence, features requiring peering profile also do not work with HQoS profile enabled.
  • Starting from 6.5.1: Lawful Intercept no longer needs the peering profile and therefor can be used with HQoS profile
  • PBTS feature does not work when HQoS profile is enabled.
  • A maximum of 896 bundle sub-interfaces are only supported in the system even if there are no QoS policies applied. This is because of internal LAG_ID resource consumption in HQoS profile mode for bundle sub-interfaces with/without QoS policies being applied.
  • A maximum of 4 priority levels are only supported in HQoS profile mode unlike the default mode where 7-priority levels are supported. The restriction also applies to physical and bundle main interface policies where 7-level priorities were previously used in non-HQoS profile mode.

External documentation:
https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/qos/b-ncs5500-qos-cli-reference/b-ncs5500-qos-cli-reference_chapter_0100.html#wp2922716190

hw-module profile qos max-classmap-size

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos ?
  bvi-l2qos-disable  Disable L2QOS on BVI interfaces
  hqos-enable        Enable Hierarchical QoS
  ingress-model      QoS model for ingress feature
  ipv6               Configure ipv6 protocol
  max-classmap-size  max class map size
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos max-classmap-size ?
  16  Max 16 class-maps per policy
  32  Max 32 class-maps per policy
  4   Max 4 class-maps per policy
  8   Max 8 class-maps per policy
RP/0/RP0/CPU0:NCS5500-663(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

The max-classmap-size represents the maximum number of class-map we can use in policy-map. It has a direct impact on the number of L2 interfaces where you can apply QoS.

By default, class-maps are are configured to contain 32 match statements. With the 4096 available counters, it translates into a maximum of 256 L2 interfaces per NPU, 128 if used on bundle interfaces (with the default 2-counter mode we will detail below).

This hardware profile defines a different class-map size, offering higher scale for L2 interfaces with QoS:

Class-map SizeScale on bundle per NPUScale per NPU
410242000
85121024
16256512
32 (default)128256

External documentation:

hw-module profile qos ingress-model peering

06.png

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos ?
  bvi-l2qos-disable  Disable L2QOS on BVI interfaces
  hqos-enable        Enable Hierarchical QoS
  ingress-model      QoS model for ingress feature
  ipv6               Configure ipv6 protocol
  max-classmap-size  max class map size
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos ingress-model ?
  default  Default model for ingress QoS
  peering  Peering model for ingress QoS
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile qos ingress-model peering ?
  location  Location of QoS config
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

This profile allows hybrid ACLs to classify traffic and set a specific qos-group to it.
But instead of the traditional range supported by qos-groups (0 to 7), we can allocate a much larger range from 0 to 511.
This qos-group can be used as a match condition for the traffic in egress port.
With this extension from 8 to 512 values, we improve the granularity of the classification.

To disable this feature, use “no hw-module profile qos ingress-model peering” and NOT “hw-module profile qos ingress-model default”.

Note: HQoS profile and ingress peering profile do not work simultaneously: features requiring peering profile like LI also do not work with HQoS profile enabled.

Note2: L2 ACL will not work if qos peering is enabled on the line cards.

External documentation:

hw-module profile qos ipv6 short

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ?
  hqos-enable        Enable Hierarchical QoS
  ingress-model      QoS model for ingress feature
  ipv6               Configure ipv6 protocol
  max-classmap-size  max class map size
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ipv6 ?
  short               Configure ipv6 source short address tcam lookup
  short-l2qos-enable  Enable l2qos feature which requires to reduce ipv6 dest mask to 96 bits
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ipv6 short ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.39.43 PM.png

Introduced in IOS XR 6.5.1 for the support of the QPPB feature.
Only mandatory to apply it (and reload the line card) for IPv6, it’s not needed for IPv4 QPPB activation.

External documentation:

hw-module profile qos ipv6 short-l2qos-enable

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ?
  hqos-enable        Enable Hierarchical QoS
  ingress-model      QoS model for ingress feature
  ipv6               Configure ipv6 protocol
  max-classmap-size  max class map size
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ipv6 ?
  short               Configure ipv6 source short address tcam lookup
  short-l2qos-enable  Enable l2qos feature which requires to reduce ipv6 dest mask to 96 bits
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile qos ipv6 short-l2qos-enable ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

From CCO: “To enable classification of IPv6 packets based on (CoS, DEI) on L3 sub-interfaces, run the hw-module profile qos ipv6 short-l2qos-enable command in the XR Config mode.”
This profile, introduced in 7.1.1, replaces the “short” one and extends the support of the classification to the COS/DEI fields in the IPv6 headers, reducing the destination address to 96bits.

External documentation:

hw-module profile qos conform-aware-policer


RP/0/RP0/CPU0:IOS(config)#hw-module profile qos ?
  conform-aware-policer           Configure Conform Aware Policer mode
  hqos-enable                     Enable Hierarchical QoS
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  max-classmap-size               max class map size
  physical-hqos-enable            Enable Hierarchical QoS on physical interfaces
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in t
he same ingress QoS policy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos conform-aware-policer ?
  -cr-  
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos conform-aware-policer

Screenshot 2021-04-03 at 11.05.27 AM.png

To enable the conform-aware hierarchical policy feature use the hw-module profile qos conform-aware-policer command. It was introduced in release IOS-XR 7.2.1. Implementing the profile conform aware hierarchical policy, allows conform traffic from the child level policy to get priority over Exceed or Violate traffic at parent level policy. Prior to this profile, there was no way that conform traffic belonging to child policy was getting priority over the parent level policy. When this profile is enabled the entire system is put in color aware mode as compared to color blind mode by default. There is no effect on other features or resources.

Note: In order to activate this new npu profile, you must manually reload the chassis The support on J2 based platforms is only in native mode from release IOS XR 7.4.1

External documentation:

hw-module profile qos shared-policer-per-class-stats


RP/0/RP0/CPU0:IOS(config)#hw-module profile qos ?
  conform-aware-policer           Configure Conform Aware Policer mode
  hqos-enable                     Enable Hierarchical QoS
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  max-classmap-size               max class map size
  physical-hqos-enable            Enable Hierarchical QoS on physical interfaces
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in t
he same ingress QoS policy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos shared-policer-per-class-stats ?
  -cr-  
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos shared-policer-per-class-stats

This profile was introduced in IOS-XR 7.2.1. Implementing this profile, will provide an option for token bucket sharing among two or more classes. Prior to this, there was no way to share a policer token bucket among two or more class. This token sharing depends on the incoming traffic rate, so there is no guarantee that both c1 and c2 will get equal share. However, if c2 doesn’t have any traffic, then all the bandwidth will be used by c1. This CLI will need system reload to enable the feature. The stats for each class will be available separately. In Shared Policer feature Per-Class Mode, policer bucket will be shared among two or more classes. It will also allow individual class statistics rather than aggregated statistics. Without enabling this feature as well the shared policer will work with respect to token bucket sharing, however the stats will be available only as aggregate stats, and not per individual class stats.

Note: In order to activate this new npu profile, you must manually reload the chassis The support on J2 based platforms is only in native mode from release IOS XR 7.4.1 Policy based tunnel selection (PBTS) is disabled when we enable this profile

External documentation:

hw-module profile qos wred-stats-enable


RP/0/RP0/CPU0:IOS(config)#hw-module profile qos wred-stats-enable
  -cr-  
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos shared-policer-per-class-stats

Screenshot 2021-04-03 at 11.18.57 AM.png

WRED-stats accounting feature on NCS5700 platform will be introduced from IOS-XR 7.4.1. WRED stats will be supported on systems based on J2 with OP2 TCAM only in native mode. Statistics like WRED FWD, WRED Drop count will be available for all the discard-class 0,1,2. WRED stats can be used as an indication of network congestion bottleneck and network planning can be done accordingly.

Note:In order to activate this new npu profile, you must manually reload the chassis The support is only on J2 platforms with e-tcam in native mode from release IOS XR 7.4.1

hw-module profile qos qosg-dscp-mark-enable


RP/0/RP0/CPU0:IOS(config)#hw-module profile qos ?
  conform-aware-policer           Configure Conform Aware Policer mode
  hqos-enable                     Enable Hierarchical QoS
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  max-classmap-size               max class map size
  physical-hqos-enable            Enable Hierarchical QoS on physical interfaces
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in t
he same ingress QoS policy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos qosg-dscp-mark-enable 10 ?
  0-63  Second DSCP/Precedence value
  -cr-    
RP/0/RP0/CPU0:IOS(config)#hw-module profile qos qosg-dscp-mark-enable 10

Screenshot 2021-04-03 at 11.22.42 AM.png

To set the qos-group and DSCP values within the same QoS policy that is applied in the ingress direction, use the hw-module profile qos qosg-dscp-mark-enable command. This profile was introduced in IOS-XR 7.1.2. With the use of this profile, we can configure a single ingress policy with both set dscp/precedence and set qos-group at the same time. We can configure set dscp or prec and set qos-group under the same policy-map but not inside the same class map in a policy map. In order to activate this new npu profile, you must manually reload the chassis

External documentation:

hw-module profile qos ecn-marking-stats


RP/0/RP0/CPU0:ios#con t
Fri Mar 26 10:35:10.739 UTC
RP/0/RP0/CPU0:ios(config)#hw-module profile qos ?
  conform-aware-policer           Configure Conform Aware Policer mode
  ecn-marking-stats               Enable ECN marking stats mode
  hqos-enable                     Enable Hierarchical QoS
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  max-classmap-size               max class map size
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in the same ingress QoS policy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
  wred-stats-enable               Enable Wred egress stats
RP/0/RP0/CPU0:ios(config)#hw-module profile qos ecn-marking-stats 
Fri Mar 26 10:35:20.004 UTC
In order to activate this profile, you must manually reload the chassis/all line cards

Screenshot 2021-04-03 at 11.24.40 AM.png

This profile helps to enable the counters for ECN marked packets when the packet is going out of the node. It was introduced in release IOS-XR 7.3.2. ECN feature is enabled by default in the system. But counters for ECN marked packets is not enabled due to stats resource limitation. When this hw-module is enabled, we enable rules in hardware to count ECN marked packets during congestion in the system.

In order to activate this new npu profile, you must manually reload the chassis With this profile enabled, Egress IPv4 and IPv6 ACL will not work due to PMF resource limitation in egress.

Note: In order to activate this new npu profile, you must manually reload the chassis With this profile enabled, Egress IPv4 and IPv6 ACL will not work due to PMF resource limitation in egress.

hw-module profile qos l2-match-dest-addr-v4v6


RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile qos ?
  arp-isis-priority-enable        Prioritize ISIS and ARP packets
  conform-aware-policer           Configure Conform Aware Policer mode
  ecn-marking-stats               Enable ECN marking stats mode
  hqos-enable                     Enable Hierarchical QoS on physical and sub-interfaces
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  l2-match-dest-addr-v4v6         Enable l2qos match on ipv4/ipv6 destination address
  max-classmap-size               max class map size
  physical-hqos-enable            Enable Hierarchical QoS only on physical interfaces, and not on sub-interfaces
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in the same ingress QoS po
licy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
  wred-stats-enable               Enable Wred egress stats

RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile qos l2-match-dest-addr-v4v6
Thu Jan 20 09:52:48.156 UTC
In order to activate this profile, you must manually reload the chassis/all line cards

Screenshot 2022-01-20 at 3.30.57 PM.png

Prior to 7.5.1 there is no option to match IPv4/v6 destination addresses for QoS classification on l2transport interface. With introduction to this profile , QoS classification can be done based on destination address even on l2transport interface/sub interface. activation of this profile needs the router to be reloaded. A new match criterion “match destination-address” is also introduced along with the hw-module profile.


RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#class-map l2-dest
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#match destination-address ipv4 ?
  A.B.C.D/prefix  IP prefix -network/length-
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#match destination-address ipv4 100.1.1.1/24 ?
  -cr-
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#match destination-address ipv4 100.1.1.1/24
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#match destination-address ipv6 ?
  X:X::X/0-128  IPV6 address with prefix and mask
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#match destination-address ipv6 2001::1/128
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config-cmap)#show configuration
Thu Jan 20 09:54:11.276 UTC
Building configuration...
!! IOS XR Configuration 7.5.1
!
class-map match-any l2-dest
 match destination-address ipv4 100.1.1.1 255.255.255.0
 match destination-address ipv6 2001::1/128
 end-class-map
!
end

hw-module profile qos arp-isis-priority-enable


RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile qos ?
  arp-isis-priority-enable        Prioritize ISIS and ARP packets
  conform-aware-policer           Configure Conform Aware Policer mode
  ecn-marking-stats               Enable ECN marking stats mode
  hqos-enable                     Enable Hierarchical QoS on physical and sub-interfaces
  ingress-model                   QoS model for ingress feature
  ipv6                            Configure ipv6 protocol
  l2-match-dest-addr-v4v6         Enable l2qos match on ipv4/ipv6 destination address
  max-classmap-size               max class map size
  physical-hqos-enable            Enable Hierarchical QoS only on physical interfaces, and not on sub-interfaces
  qosg-dscp-mark-enable           Enable both 'set qos-group' and 'set dscp/precedence' actions in the same ingress QoS po
licy
  shared-policer-per-class-stats  Enable shared policer (per class stats) mode
  wred-stats-enable               Enable Wred egress stats
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile qos arp-isis-priority-enable ?
  -cr-
RP/0/RP0/CPU0:N57B1-1-Vega-II5-57(config)#hw-module profile qos arp-isis-priority-enable
Thu Jan 20 09:51:01.244 UTC
In order to activate this profile, you must manually reload the chassis/all line cards

Screenshot 2022-01-20 at 3.30.57 PM.png

This feature gives an option to assign the highest priority (TC7) to Integrated Intermediate System-to-Intermediate System (IS-IS) and Address Resolution Protocol (ARP) packets in transit. This feature is disabled by default. The feature provides more flexibility in transit traffic management on a per-hop basis and also fine-tunes the traffic profile management for transit traffic.

enabling native mode

hw-module profile npu native-mode-enable


RP/0/RP0/CPU0:IOS(config)#hw-module profile npu ?
  native-mode-enable  Enable NPUs to operate in native mode
RP/0/RP0/CPU0:T-2006(config)#hw-module profile npu

RP/0/RP0/CPU0:ios#config
RP/0/RP0/CPU0:ios(config)#hw-module profile npu native-mode-enable
In order to activate this new npu profile, you must manually reload the chassis
RP/0/RP0/CPU0:ios(config)#commit
RP/0/RP0/CPU0:ios(config)

native.png

J2 based systems can operate in 2 modes: Compatible Mode—Used when the chassis contains combination of Cisco NC57 and older generation line cards. This is the default mode. Native Mode—Used when the chassis contains only Cisco NC57 line cards.

This hw-module profile is introduced in IOS-XR 7.2.1. For operating a modular chassis with J2 based Line cards in full capacity we need to enable this profile. Jericho and Jericho+ based LC’s present in the chassis should be shut down from admin mode before reload or removed from the chassis. The forwarding behavior will be broken and can be unpredictable if the system will not be able to shut them down properly. To enable the native mode, use the hw-module profile npu native-mode-enable command in the configuration mode. Reload of the router will be needed to switch to native mode. The fixed chassis based on J2 chipset will operate by default in native mode only.

External documentation: -https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/vpn/72x/b-l2vpn-cg-ncs5500-72x/configure-gigabit-ethernet-for-layer-2-VPNs.html

segment-routing srv6

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile segment-routing ?
  srv6  Configure support for SRv6 and its paramaters
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile segment-routing srv6 ?
  encapsulation  Configure encapsulation parameters
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile segment-routing srv6 encapsulation ?
  traffic-class  Control traffic-class field on IPv6 header
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile segment-routing srv6 encapsulation traffic-class ?
  -0x0-0xff-  Traffic-class value (specified as 2 hexadecimal nibbles)
  propagate   Propagate traffic-class from incoming packet/frame
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile segment-routing srv6 encapsulation traffic-class propagate ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

SRV6.png

This profile is required to enable Segment Routing v6. We can define a static TC value or copy it from the payload.

Note: The encapsulation option is deprecated in 7.4.1 as NCS 5500 will support both SRv6 base and SRv6 uSID modes. Therefore SRv6 related hardware command will follow hw-module profile segment-routing srv6 mode <> and are described below

hw-module profile segment-routing srv6 mode base


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 ?
  encapsulation  Configure encapsulation parameters (DEPRECATED)
  mode           Mode of operation
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode ?
  base           Base SRv6 (Format-1) support only
  micro-segment  Micro-segment support only

RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base ?
  encapsulation  Configure encapsulation parameters
  -cr-
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base
Thu Sep  9 06:23:24.077 UTC
In order to activate/deactivate this srv6 profile, you must manually reload the chassis/all line cards

J-Jp-only-Global.png

This hw-module mode enables Segment Routing v6 (SRv6) on the node using base SRH format.

A reload of the chassis is needed to configure/change any SRv6 related hw-module profile.

hw-module profile segment-routing srv6 mode base encapsulation


 RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation ?
  traffic-class  Control traffic-class field on IPv6 header
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation traffic-class ?
  -0x0-0xff-  Traffic-class value (specified as 2 hexadecimal nibbles)
  propagate   Propagate traffic-class from incoming packet/frame
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation traffic-class 0xe0
 

 RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation ?
  traffic-class  Control traffic-class field on IPv6 header
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation traffic-class ?
  -0x0-0xff-  Traffic-class value (specified as 2 hexadecimal nibbles)
  propagate   Propagate traffic-class from incoming packet/frame
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6 mode base encapsulation traffic-class propagate
 

J-Jp-only-Global.png

The encapsulation option followed by the base SRH format decides the QoS bits for the SRv6 header. The TC value on the IPv6 header can be either set explicitly to any value in the range of 0x00-0xff . This value is global for all the SRv6 services that starts on the box. When configured with propagate, QoS marking of the incoming payload is propagated to the SRv6 TC marking. For L3VPN IP Precedence is copied to the SRv6 header IPv6 precedence. For L2VPN the Layer 2 PCP markings are copied to the SRv6 Precedence.

A reload of the chassis is needed to configure/change any SRv6 related hw-module profile.

hw-module profile segment-routing srv6 mode micro-segment format f3216


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment ?
  format  Specify carrier format
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format ?
  f3216  32-bit block and 16-bit IDs
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format f3216 ?
  encapsulation  Configure encapsulation parameters
  -cr-
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format f3216
Wed Aug 25 22:58:12.659 PDT
In order to activate/deactivate this srv6 profile, you must manually reload the chassis/all line cards
   

J-Jp-only-Global.png

Introdcued in IOS XR 7.3.1/7.4.1. with this hw-module profile enables SRv6 uSID instead of base SRH format on the node. A reload of the chassis is needed to configure/change any SRv6 related hw-module profile.

hw-module profile segment-routing srv6 mode micro-segment format f3216 encapsulation


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format f3216  encapsulation ?
  traffic-class  Control traffic-class field on IPv6 header
RP/0/RP1/CPU0:5508-1-741C(config)#$ode micro-segment format f3216  encapsulation traffic-class ?
  -0x0-0xff-  Traffic-class value (specified as 2 hexadecimal nibbles)
  propagate   Propagate traffic-class from incoming packet/frame
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format f3216  encapsulation traffic-class 0xe0
Wed Aug 25 23:01:54.477 PDT
In order to activate/deactivate this srv6 profile, you must manually reload the chassis/all line cards
  

RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile segment-routing srv6  mode micro-segment format f3216  encapsulation traffic-class propagate
Wed Aug 25 23:01:59.065 PDT
In order to activate/deactivate this srv6 profile, you must manually reload the chassis/all line cards
  

J-Jp-only-Global.png

The encapsulation option followed by the micro-segment mode decides the QoS bits for the SRv6 header. The TC value on the IPv6 header can be either set explicitly to any value in the range of 0x00-0xff . This value is global for all the SRv6 services on the box. When configured with propagate, QoS marking of the incoming payload is propagated to the SRv6 TC marking. For L3VPN IP Precedence is copied to the SRv6 header IPv6 precedence. For L2VPN the Layer 2 PCP markings are copied to the SRv6 Precedence. A reload of the chassis is needed to configure/change any SRv6 related hw-module profile.

External documentation:

sr-policy

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile sr-policy ?
  V6-Null-label-autopush  Configure IPV6 NULL label autopush for SR policy
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile sr-policy V6-Null-label-autopush ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

02.png

This profiles enables the V6 null label autopush over SR-policy. DSCP preserve would be disabled.
This profile is not supported with 6VPE (v6 null label would be pushed rather than 6vpe label).
With this feature, we can use up to 12 labels for v6 too.

stats

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats ?
  acl-permit         Enable ACL permit stats.
  enh-sr-policy      Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr         Enable ingress SR stats profile counter.
  qos-enhanced       Enable enhanced QoS stats.
  tx-scale-enhanced  Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-702(config)#

Enabling one of these profiles will disable any other previously applied.

stats acl-permit

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats ?
  acl-permit         Enable ACL permit stats.
  enh-sr-policy      Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr         Enable ingress SR stats profile counter.
  qos-enhanced       Enable enhanced QoS stats.
  tx-scale-enhanced  Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats acl-permit ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

stats acl permit .png

By default, access-lists don’t count permit ACE hits but only the deny ones.
It could be very important to track the packets permitted, for example when using ABF (ACL Based Forwarding).
This profile allocates statistic entries to permit ACEs.

If acl-permit is configured, qos-enhanced or other options are disabled. To return to the default mode, use “no hw-module…” and reload.

External documentation:

Note: This profiles is not needed for J2 based systems.

stats ingress-sr

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats ?
  acl-permit         Enable ACL permit stats.
  enh-sr-policy      Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr         Enable ingress SR stats profile counter.
  qos-enhanced       Enable enhanced QoS stats.
  tx-scale-enhanced  Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats ingress-sr ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

stats ingress-sr.png

Profile enabling per-label statistics at “ingress” for Segment Routing labels (only for the labels within configured SRGB and SRLB). Once activated, QoS Stats will not work for the same labeled packets.

stats enh-sr-policy

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile stats ?
  acl-permit         Enable ACL permit stats.
  egress-stats-scale  Enable Egress Stats_Scale profile counter.
  enh-sr-policy      Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr         Enable ingress SR stats profile counter.
  qos-enhanced       Enable enhanced QoS stats.
  tx-scale-enhanced  Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile stats enh-sr-policy ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

Screenshot 2021-04-03 at 12.57.20 PM.png

Profile increasing the counters available in the egress pipeline from 16K (default) to 24K. These counters are taken from the ingress pipeline, impacting the scale for ACL/QOS/LPTS/etc.
This command also enables ingress SR counters. QoS stats are disabled while enabling this particular stats profile. Higher egress stats: upto 16K stats available for MPLS cases like RSVP-TE and SR-TE, 4K for ARP/ND and 4K for L2-AC’s.

stats qos-enhanced

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats ?
  acl-permit         Enable ACL permit stats.
  enh-sr-policy      Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr         Enable ingress SR stats profile counter.
  qos-enhanced       Enable enhanced QoS stats.
  tx-scale-enhanced  Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats qos-enhanced ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 1.40.07 PM.png

By default, we only use two counters for policers.
This profile enables the 4-counter mode:

  • In 2-counter mode, statistics for “confirm” and “violate” packets are collected in hardware and displayed to the user via the “show policy-map” command
Class C1
  Classification statistics          (packets/bytes)     (rate - kbps)
    Matched             :            52198655/6681427840           13
    Transmitted         :             6138929/785782912            1
    Total Dropped       :            46059726/5895644928           12
  Policing statistics                (packets/bytes)     (rate - kbps)
    Policed(conform)    :             6138929/785782912            1
    Policed(exceed)     :                      0/0                      0
    Policed(violate)    :            46059726/5895644928           12
    Policed and dropped :            46059726/5895644928     
  • In 4-counter mode, additionally “exceed” packets statistics are collected and displayed.
Class C1
  Classification statistics          (packets/bytes)     (rate - kbps)
    Matched             :            52198655/6681427840           13
    Transmitted         :             6138929/785782912            1
    Total Dropped       :            46059726/5895644928           12
  Policing statistics                (packets/bytes)     (rate - kbps)
    Policed(conform)    :             6138929/785782912            1
    Policed(exceed)     :                11326/1449728              0
    Policed(violate)    :            46059726/5895644928           12
    Policed and dropped :            46071052/5897095778    

The trade-off for such visibility will be half the scale.

External documentation:

tx-scale-enhanced

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats tx-scale-enhanced ?
  acl-permit    Enable ACL permit stats.
  ingress-sr    Enable ingress SR stats.
  qos-enhanced  Enable enhanced QoS stats.
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats tx-scale-enhanced acl-permit ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats tx-scale-enhanced ingress-sr ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile stats tx-scale-enhanced qos-enhanced ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 1.41.49 PM.png

This profile changes the “stats” EEDB bank to use “half” entries and thereby increases the EEDB scale available. It has been specifically created for large TE deployments, extending the head-end scale from 4k to 14k. Only on J+ systems.

Don’t use in mixed (J/J+) chassis. Also it can’t support L2 features.

stats egress-stats-scale

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile stats ?
  acl-permit          Enable ACL permit stats.
  egress-stats-scale  Enable Egress Stats_Scale profile counter.
  enh-sr-policy       Enable Enhanced_SR_Policy_Scale stats profile counter.
  ingress-sr          Enable ingress SR stats profile counter.
  qos-enhanced        Enable enhanced QoS stats.
  tx-scale-enhanced   Enable enhanced TX stats scale (Non L2 stats).
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module profile stats egress-stats-scale ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

stats egress-stats-scale.png

Very similar the enh profile, extending the MPLS scale from 8k to 20k counters (4k for ARP/ND) and at the expense of the L2 counters (no L2 with this one).

Note: This profiles is not needed for J2 based systems

tcam acl-prefix

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam ?
  acl-prefix  ACL table to configure
  fib         Forwarding table to configure
  format      format of the tcam entry
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam acl-prefix ?
  percent  percent to configure
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam acl-prefix percent ?
  -0-100-  value in percent
RP/0/RP0/CPU0:NCS5500-702(config)#

tcam acl-prefix percent.png

Hybrid (or Scaled) ACLs are stored in two places: iTCAM and eTCAM. But by default in 6.3.2 (onwards), the eTCAM is not carved to receive ACL information.
This hardware profiles helps with this carving.

First, it’s only relevant for products with eTCAM. Hybrid ACLs are not supported on “base” systems or LC, only on “scale / -SE” ones.
Second, it’s only relevant to products based on Jericho. With Jericho+, the eTCAM is much larger and a portion of the database is allocated to ACLs dynamically, no configuration is needed.
Finally, pay specific attention to the release used on the router. Indeed, between 6.2.x and before 6.3.2, the eTCAM was carved by default with 20% for ACL and 80% for IPv4 routes. Its not the case before 6.2 and starting from 6.3.2, where default config is allocating 100% of the eTCAM to IPv4 routes.

Note: if you don’t configure space for ACL in eTCAM, the hybrid ACL configuration will be rejected at commit. This profile is not needed for J2 based systems.

External documentation:
These subtleties and many more details on Hybrid ACLs are covered in this external blog post:
https://xrdocs.io/ncs5500/tutorials/security-acl-on-ncs5500-part2-hybrid-acl/

tcam fib

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam ?
  acl-prefix  ACL table to configure
  fib         Forwarding table to configure
  format      format of the tcam entry
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ?
  ipv4     Configure ipv4 addresses in TCAM
  ipv6     Configure ipv6 addresses in TCAM
  v6mcast  Multicast address
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 ?
  unicast  Unicast address
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast ?
  percent  percent to configure
  prefix   ip prefix length
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast percent ?
  -1-100-  value in percent
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast percent 20 ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast prefix ?
  -0-32-  IPv4 prefix length.
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast prefix 24 ?
  percent  prefix percentage to configure
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam fib ipv4 unicast prefix 24 percent ?
  WORD  prefix precent 0.0-100.00000
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 2.27.25 PM.png

Only valid on the first generation of eTCAM (with Jericho ASIC). These hardware profile CLI permits the allocation / carving of the memory for specific route type. It does influence the way routes are stored in the different databases too.
It’s not operational on J+ eTCAM since the allocation is dynamic and all routes are stored in external TCAM by default.

External documentation:

tcam format acl

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam ?
  acl-prefix  ACL table to configure
  fib         Forwarding table to configure
  format      format of the tcam entry
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam format ?
  access-list  Access List format
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam format access-list ?
  ipv4  IPv4
  ipv6  IPv6
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module profile tcam format access-list ipv4 ?
  common-acl       enable common-acl, 1 bit qualifier
  dst-addr         destination address, 32 bit qualifier
  dst-port         destination L4 Port, 16 bit qualifier
  enable-capture   Enable ACL based mirroring (Included by default)
  enable-set-ttl   Enable Setting TTL field (Included by default)
  frag-bit         fragment-bit, 1 bit qualifier
  interface-based  Enable non-shared interface based ACL
  location         Location of format access-list ipv4 config
  packet-length    packet length, 16 bit qualifier
  port-range       ipv4 port range qualifier, 24 bit qualifier
  precedence       precedence/dscp, 8 bit qualifier
  proto            protocol type, 8 bit qualifier
  src-addr         source address, 32 bit qualifier
  src-port         source L4 port, 16 bit qualifier
  tcp-flags        tcp-flags, 6 bit qualifier
  ttl-match        Enable matching on TTL field
  udf1             user defined filter
  udf2             user defined filter
  udf3             user defined filter
  udf4             user defined filter
  udf5             user defined filter
  udf6             user defined filter
  udf7             user defined filter
  udf8             user defined filter
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

Screenshot 2021-04-03 at 12.54.11 PM.png

These hardware profiles are necessary to enable the UDK/UDF (User-Defined TCAM Key and Field) used with ingress ACL.

  • They permit the definition of the TCAM key.
  • Allow For ttl rewrite based on Tunnel policy if used with set-ttl and match ttl
  • Disable ACL sharing and support many small and unique ACL if used with interface-based

Indeed, the default behavior of an ingress access-list is to be re-usable: that means ACE lines of an ingress ACL applied on multiple ports of the same NPU are only counted twice (it’s not the case with egress ACLs).
This hardware profile when used with the keyword “interface-based” will disable the re-usability and move to the unique-ACL mode.

Starting from 6.5.2, we don’t support ACL match on packet-lenth (and ranges) by default, it’s mandatory to use a specific UDK as described in this blog post:
https://xrdocs.io/ncs5500/tutorials/acl-packet-length-matching-ncs55xx-and-ncs5xx/

An example for configuring unique ACL for both IPv4 and IPv6 with the following fields (SRC_IP, DST_IP, SRC_PORT, DST_PORT) available for ACE matching is:

hw-module profile tcam format access-list ipv4 src-addr src-port dst-addr dst-port interface-based
hw-module profile tcam format access-list ipv6 src-addr dst-addr dst-port interface-based

Note: switching functionality between shared and interface-based ACLs, all existing interface attachments needs to be removed.

External documentation:

mdb

The Modular database (MDB) is applicable to all J2 based (NCS 5700) PIDs. This new hardwre module profile is intoroduced to choose the MDB carving used in J2 Native modes i.e all fixed PIDs based on J2 NPU and all modular NCS 5500 chassis operating in Native mode.

RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile mdb ?
  l3max     l3max profile for router containing non-TCAM cards
  l3max-se  l3max-se profile for router containing only TCAM cards
  

hw-module profile mdb l3max


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile mdb l3max ?
  -cr-
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile mdb l3max
Wed Aug 25 23:42:53.961 PDT
In order to activate this new mdb profile, you must manually reload the chassis
  

J2-Native-Only-Global.png

introduced in IOS XR 7.4.1, This is applicable to J2 based PIDs (NCS 5700) without any e-TCAM (as well as eTCAM based cards when used in mixed mode). This carves out the NPU modular database to maximize the scale from L3 Heavy deployment. This profile should be applied to all Line Cards in a modular system . l3-max profile is the default MDB profile in a J2 fixed box or NCS 5500 modular chassis operating in J2 Native mode.

To change MDB profiles, the router needs a relaod

hw-module profile mdb l3max-se


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile mdb l3max-se ?
  -cr-
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module profile mdb l3max-se
Wed Aug 25 23:43:00.050 PDT
In order to activate this new mdb profile, you must manually reload the chassis
  

J2-Nat-SE-only-global.png

introduced in IOS XR 7.4.1, This is applicable to J2 based PIDs with external TCAM. This carves out the NPU modular database to maximize the scale from L3 Heavy deployment. For a modular system , all the LCs must be the Scale variant (i.e with eTCAM) for this profile to be applicable. If there is mix of scale and non scale LC, then the system falls back to l3max profile.

To change MDB profiles, the router needs a relaod

quad

RP/0/RP0/CPU0:55A2-MOD-SE(config)#hw-module quad 0 location 0/0/CPU0 mode ?
  WORD  10g or 25g, (10g mode also operates 1g transceivers)
RP/0/RP0/CPU0:55A2-MOD-SE(config)#

Feature used only on 25GE-capable platforms (25GE native, not related to the breakout option here):

  • all NCS55A2-MOD versions
  • NCS55A1-24Q6H-S
  • NCS55A1-48Q6H
    By default, those 1G/10G/25G ports are configured in TF mode only. An SFP or SFP+ optic inserted will not turn up. The profile allows the configuration of a block of 4 ports (a quad) to be used for 1G/10G mode.
    What quad 0 represents will depend on each platform.

External documentation:

service

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module service ?
  offline  Take all services on the card offline
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module service offline ?
  location  Location to configure
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module service offline location ?
  0/0/CPU0    Fully qualified location specification
  0/3/CPU0    Fully qualified location specification
  0/4/CPU0    Fully qualified location specification
  0/6/2       Fully qualified location specification
  0/6/CPU0    Fully qualified location specification
  0/7/CPU0    Fully qualified location specification
  0/RP0/CPU0  Fully qualified location specification
  WORD        Fully qualified location specification
RP/0/RP0/CPU0:NCS5500-702(config)#

05.png

Meant to put a line card offline, but according to the following release notes:
“The offline diagnostics functionality is not supported in NCS 5500 platform. Therefore, the hw-module service offline location command will not work. However, you can use the (sysadmin)# hw-module shutdown location command to bring down the LC.”

External documentation:

tcam

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module tcam ?
  fib  Forwarding table to configure
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module tcam fib ?
  ipv4  Configure ipv4 protocol
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module tcam fib ipv4 ?
  scaledisable  Configure scale mode for TCAM card
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module tcam fib ipv4 scaledisable ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

This profile exists specifically for the application of URPF on a Jericho-based eTCAM system or line card.
It will disable a mechanism named “double capacity” that allowed to double the size of the 80b key memory, extending the route count from 1M to 2M entries.

External documentation:
Details are available on the external blog post:
https://xrdocs.io/ncs5500/tutorials/ncs5500-urpf/
On CCO:
https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_01001.html

route-stats

In IOS XR 7.0.2:

RP/0/RP0/CPU0:NCS5500-702(config)#hw-module route-stats ?
  l3mcast  Layer 3 Multicast
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module route-stats l3mcast ?
  ipv4  IPv4 Multicast
  vrf   Vrf Name
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module route-stats l3mcast ipv4 ?
  res   Access list name - maximum 64 characters
  WORD  Access list name - maximum 64 characters
RP/0/RP0/CPU0:NCS5500-702(config)#hw-module route-stats l3mcast ipv4 TEST ?
  -cr-
RP/0/RP0/CPU0:NCS5500-702(config)#

In IOS XR 6.6.3:

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats ?
  l3mcast  Layer 3 Multicast
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ?
  ipv4  IPv4 Multicast
  ipv6  IPv6 Multicast
  vrf   Vrf Name
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv4 ?
  egress   per route per OIF stats
  ingress  per route stats
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv4 ingress ?
  WORD             Access list name - maximum 64 characters
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv4 egress ?
  WORD             Access list name - maximum 64 characters
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv6 ?
  egress   per route per OIF stats
  ingress  per route stats
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv6 ingress ?
  WORD  Access list name - maximum 64 characters
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast ipv6 egress ?
  WORD  Access list name - maximum 64 characters
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast vrf ?
  WORD     Name of VRF
  default  Default VRF
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module route-stats l3mcast vrf foo ?
  ipv4  IPv4 Multicast
  ipv6  IPv6 Multicast
RP/0/RP0/CPU0:NCS5500-663(config)#

Route_stats.png

Where mcast-counter is an access-list defined in the configuration

RP0/0/RP0/CPU0:NCS5500-663(config)# ipv4 access-list mcast-counter
RP0/0/RP0/CPU0:NCS5500-663(config-acl)# 10 permit ipv4 host 10.1.1.2 host 224.2.151.1
RP0/0/RP0/CPU0:NCS5500-663(config-acl)# 20 permit ipv4 10.1.1.0/24 232.0.4.0/22
RP0/0/RP0/CPU0:NCS5500-663(config-acl)#commit

Before the introduction of this feature, we only have a very brief implementation of an hw-profile only in 6.1.31 (“hw-module profile mfib stats”). Otherwise the count packets and bytes per (S,G) was not available.

The ingress stats are always per (S,G). The egress stats are always per OLE.

External documentation:

stats-fpga

hw-module stats-fpga location 0/x/CPU0 enable

Currently only supported on the NCS560. In the roadmap for other platforms equiped with this FGPA:

  • MOD-SE Line Cards
  • NCS55A2-MOD-SE

vrrpscale

RP/0/RP0/CPU0:NCS5500-663(config)#hw-module vrrpscale ?
  enable  enable VRRP scaling
RP/0/RP0/CPU0:NCS5500-663(config)#hw-module vrrpscale enable ?
  -cr-
RP/0/RP0/CPU0:NCS5500-663(config)#

VrrpScale.png

Extends the scale from 16 (or even 13 with BFD) to 255.
In 7.1.1, it’s also required to enable HSRP.

External documentation:

storm-control-combine-policer-bw

hw-module storm-control-combine-policer-bw enable


RP/0/RP1/CPU0:5508-1-741C(config)#hw-module storm-control-combine-policer-bw ?
  enable  Enable storm-control-combine-policer-bw mode
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module storm-control-combine-policer-bw enable ?
  -cr-
RP/0/RP1/CPU0:5508-1-741C(config)#hw-module storm-control-combine-policer-bw enable
Thu Aug 26 22:24:41.022 PDT
In order to activate this storm-control-combine-policer-bw, you must manually reload the chassis

J2-Nat-SE-only-global.png

This mode is enabled from IOS XR 7.4.1 and is applicable to J2 based PIDs with external TCAM. For L2 storm control by default the three policer (broadcast, multicast and unknown unicast) are different. This hw-module allows to combine all of them and achieve a combined control late for all BUM traffic. For example, if broadcast storm-control is set to 100 PPS then in default mode, broadcast is limited to 100 PPS and Unknown unicast and Multicast are not subjected to any rate limit. IN the combined mode, the same configuration of a broadcast storm-control policer of 100 pps will rate limit all BUM traffic to 100 PPS. Note that in compbined mode the policer units used must be same for all three policer. If all three policers are configured , then the combined storm control rate is the sum of all three policer.

Note: To enable/disable the combined policer for storm control using this profile , the router needs to be reloaded

Conclusion

Multiple hardware profiles have been added release after release to meet certain use-cases. This document helped at clarifying all the variations available.

Note that several profiles are orthogonal and can not be used simultaneously, like:

  
hw-module profile stats acl-permithw-module profile stats qos-enhanced
hw-module profile qos ingress-model peering locQPPB features
hw-module profile qos ingress-model peering lochw-module profile qos hqos-enable
hw-module profile qos hqos-enablePBTS
hw-module fib mpls label lsr-optimizedhw-module fib ipv4 scale internet-optimized
hw-module fib mpls ldp lsr-optimizedNo EVPN Services

Bookmark this link and check it regularly for updates.

Tags: ,

Updated:

Leave a Comment