Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) Line Card Configuration Guide
Configuring Layer 1 and Layer 2 Features

Table of Contents

Configuring Layer 1 and Layer 2 Features

Cisco 7600 Synchronous Ethernet Support

SSM and ESMC

Synchronization Status Message

Ethernet Synchronization Messaging Channel

Restrictions and Usage Guidelines

Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card

Configuring the Clock Recovery from SyncE

Configuring the Clock Recovery from BITS Port

Configuring the System to External

Configuring the Line to External

Managing Synchronization on ES+ Card

Verification

Troubleshooting the Synchronous Ethernet configuration

Troubleshooting

Flexible QinQ Mapping and Service Awareness

Restrictions and Usage Guidelines

Examples

Double Tag VLAN Connect

Selective QinQ with Xconnect

Selective QinQ with Layer 2 Switching

Double Tag Translation (2-to-2 Tag Translation)

Double Tag Termination (2 to 1 Tag Translation)

Verification

Troubleshooting

Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards

Restrictions and Usage Guidelines

Examples

Single Tag Termination Example

Single Tag Tunneling Example

Single Tag Translation Example

Double Tag Tunneling Example

Double Tag Termination Configuration Example

Double-Tag Translation Configuration Example

Selective QinQ Configuration Example

Untagged Traffic Configuration Example

MPBE with Split Horizon Configuration Example

Verification

Backup Interface for Flexible UNI

Restriction and Usage Guidelines

Verification

Verification: show interface Command

Example

Troubleshooting

EVC On Port-Channel

Restrictions and Usage Guidelines

Troubleshooting

Configuring SPAN on EVC

Restrictions and Usage Guidelines

Configuring SPAN on EVC

Sample Configuration

Verifying SPAN on EVC

Troubleshooting

Information About ERSPAN on EVC

Restrictions for ERSPAN on EVC Configuration

Configuring the Source Session for ERSPAN on EVC

Configuration Examples for ERSPAN on EVC Source Session

Configuring the Destination Session for ERSPAN on EVC

ERSPAN on EVC: Destination Session Configuration Example

Verification of ERSPAN on EVC Configuration

Verification Example for ERSPAN on EVC

LACP Support for EVC Port Channel

Restrictions and Usage Guidelines

Verification

Troubleshooting

Configuring Layer 2 Access Control Lists (ACLs) on an EVC

Restrictions and Usage Guidelines

Creating a Layer 2 Access Control List

SUMMARY STEPS

DETAILED STEPS

Applying a Layer 2 Access Control List

SUMMARY STEPS

DETAILED STEPS

DHCP Snooping with Option-82 on EVC

Restrictions and Usage Guidelines

Example

Verification

Troubleshooting

DHCP Snooping Over p-mLACP

DHCP Snooping State Synchronization

Restrictions for DHCP Snooping over p-mLACP

Troubleshooting Tips

Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization

IGMP Snooping State Synchronization

Restrictions for p-mLACP IGMP Snooping State Synchronization

Troubleshooting Tips

IP Source Guard for Service Instance

Restrictions and Usage Guidelines

Configuring IP Source Guard for a Service Instance

Example

Verification

Troubleshooting

Configuring MST on EVC Bridge Domain

Overview of MST and STP

Overview of MST on EVC Bridge Domain

Restrictions and Usage Guidelines

Examples

Verification

Troubleshooting

Configuring Link State Tracking (LST)

Restrictions and Usage Guidelines

Configuring Link State Tracking

Verification

Troubleshooting the Link State Tracking

MAC Address Security for EVC Bridge Domain

Restrictions and Usage Guidelines

Enabling MAC Address Security for EVC Bridge Domain

Disabling MAC Address Security for EVC Bridge Domain on an EFP

Examples

Configuring MAC Address Whitelist on an EFP

Configuring Sticky MAC Addresses on an EFP

Configuring Secure MAC Address Aging on an EFP

Configuring MAC Address Limiting on EFP

Configuring MAC Address Limiting on a Bridge Domain

Configuring Violation Response on an EFP

Examples

Error Recovery

Manual Recovery

Automatic recovery

Verification

Troubleshooting

CFM and PVST Co-Existence

Restrictions and Usage Guidelines

Configuring PVST and CFM Co-Existence

Configuring GVRP and CFM Co-Existence

Configuring PVST and GVRP Co-Existence

Verification

Custom Ethertype for EVC Interfaces

Supported Rewrite Rules for a Custom Ethertype Configuration

Supported Rewrites for Non-Range on C-Tag with a NNI

Supported Rewrites for Range on C-Tag with a NNI

Restrictions and Usage Guidelines

Examples

Single Tag Encap with Connect with Custom Ethertype Configured

Single Tag Encap with Bridge Domain

Single Tag Encap with XConnect

Custom Ethertype Support with Sub Interfaces

Verification

Troubleshooting

GE LAG with LACP on UNI with Advanced Load Balancing

Restrictions and Usage Guidelines

Configuring GE Link Aggregation with Advanced Load Balancing

Example

Verification

Troubleshooting Load Balancing Features

Storm Control on Switchports and Ports Having EVCs

Detecting a Broadcast Storm

Restrictions and Usage Guidelines

Configuring Storm Control on Ports with EVC Configurations

Example

Configuring Storm Control on Switchports

Example

Configuring Storm Control on Port Channels

Example

Verification

Storm Control over EVC

Restrictions for Storm Control over EVC

Configuring Storm Control over EVC

Detailed Steps

Examples

Verification

Asymmetric Carrier-Delay

Restrictions and Usage Guidelines

Configuring Asymmetric Carrier Delay

Verification

Manual Load Balancing for EVC over Port-Channel/LACP

Restrictions and Usage Guidelines

Configuring Manual Load Balancing for EVC over Port-Channel/LACP

Example

Verification

EVC Port Channel Per Flow Load Balancing

Restrictions

Configuring EVC Port Channel Per Flow Load Balancing

Summary Steps

Detailed Steps

Example

Verification

Configuring Layer 3 and Layer 4 ACLs

Configuration Examples

Verification

Multichassis Support for LACP

Requirements and Restrictions

Pseudo MLACP Support on Cisco 7600

Failover Operations

Failure Recovery

Restrictions for PMLACP on Cisco 7600

Configuring PMLACP on Cisco 7600

Configuration Examples

Verification

Troubleshooting Tips

Layer 2 Tunneling Protocol Version 3 (L2TPv3)

Restrictions for L2TPv3

Configuring L2TPv3

Troubleshooting Tips

Reverse L2GP for Cisco 7600

Restrictions and Usage Guidelines

Configuring Reverse L2GP for 7600

Configuring MST

Configuring the RL2GP Instance

Attaching the RL2GP Instance to a Port

Configuring the VPLS Pseudo Wire

Examples

Troubleshooting

Configuring Static MAC Binding to EVCs and Pseudowires

Restrictions and Usage Guidelines

Configuring Static MAC over EFP for the Cisco 7600 Router

Configuring MPLS on Core-Facing Interface

Configuring Static MAC over Pseudowire for the Cisco 7600 Router

Troubleshooting

Configuring Resilient Ethernet Protocol

REP Edge No-Neighbor

Configuring REP over Ethernet Virtual Circuit

Restrictions and Usage Guidelines

Configuring REP over EVC for the Cisco 7600 Router

Configuring REP over EVC using cross-connect on the Cisco 7600 Router

Configuring REP over EVC using connect for the Cisco 7600 Router

Configuring REP over EVC using bridge-domain for the Cisco 7600 Router

Configuring Resilient Ethernet Protocol Configurable Timers

Restrictions and Usage Guidelines

Configuring REP Configurable Timers for the Cisco 7600 Router

Configuring the REP Link Status Layer Retries

Configuring the REP Link Status Layer Age Out Timer

Troubleshooting the REP

IEEE 802.1ag-2007 Compliant CFM

Supported Line Cards

Scalable Limits

Restrictions and Usage Guidelines

Example

CFM over EFP Interface with xconnect

Restrictions and Usage Guidelines

Configuring CFM over EFP with xconnect for the Cisco 7600 Router

Configuring CFM over EFP Interface with Cross Connect—Basic Configuration

Configuring CFM over EFP Interface with Cross Connect—Single Tag VLAN Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Double Tag VLAN Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Selective QinQ Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Port-Based Cross Connect Tunnel

Configuring CFM over EFP Interface with Cross Connect—Port Channel-Based Cross Connect Tunnel

Configuring CFM over EFP Interface with xconnect—Port Channel-Based xconnect Tunnel

Verification

Troubleshooting CFM Features

802.1ah: Configuring the MAC Tunneling Protocol

MTP Software Architecture

IB Backbone Edge Bridge

Data Plane Processing

MTP Configuration

Scalability Information

Restrictions and Usage Guidelines

Configuring the MTP for the Cisco 7600 Router

Troubleshooting

802.3ah: Dying Gasp and Remote Loopback Initiation

Restrictions for Dying Gasp and Remote Loopback Initiation

Configuring the Remote Loopback

Configuring the Dying Gasp

Configuration Examples

Verification

Support for IEEE 802.1ad

Prerequisites for IEEE 802.1ad

Restrictions for IEEE 802.1ad

Information About IEEE 802.1ad

How Provider Bridges Work

S-Bridge Component

C-Bridge Component

MAC Addresses for Layer 2 Protocols

Layer 2 Protocol Forwarding Behavior Using EVC Cross-Connect

Guidelines for Handling BPDU

7600 Action Table

Interoperability of QinQ and Dot1ad

How to Configure IEEE 802.1ad

Configuring a Switchport

Configuring a Layer 2 Protocol Forward

Configuring a Switchport for Translating QinQ to 802.1ad

Configuring a Switchport (L2PT)

Configuring a Customer-Facing UNI-C Port with EVC

Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC

Configuring a Customer-Facing UNI-S Port with EVC

Configuring a Layer 3 Termination

Displaying a Dot1ad Configuration

Troubleshooting Dot1ad

ITU-T G.8032 Ethernet Ring Protection Switching

G.8032 overview

Single Ring Topology

Multiple Rings Topology

G.8032 Node Components

Restrictions

Failure Detection

R-APS Control message Processing

R-APS Packet Format

R-APS Packet Transmission Rules

TCN Processing

HA/ISSU support

Configuring the ITU-T G.8032 Feature

Y.1731 Performance Monitoring

Connectivity

Frame Delay and Frame Delay Variation

Frame Loss Ratio and Availability

Supported Interfaces

Guidelines and Restrictions for LMM over Port-Channel

Restrictions and Usage Guidelines

Configuring One Way Delay Measurement

Summary Steps

Detailed Steps

Configuration Example

Configuring Two-Way Delay Measurement

Summary Steps

Detailed Steps

Configuration Example

Configuring Single Ended Frame Loss Measurement

Summary Steps

Detailed Steps

Configuration Example

Configuring Single Ended SLM-Continuous

Summary Steps

Detailed Steps

Configuration Example

Configuring Single Ended SLM-Bursts

Summary Steps

Detailed Steps

Configuration Example

Verifying the Frame Delay and Frame Loss Measurement Configurations

Troubleshooting

IP and PPPoE Session Support

IP Address Assignment

IP Subnet (IP Range) Sessions

IP Interface Sessions

PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)

PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer Ethertype

Restrictions and Usage Guidelines

Verification

Troubleshooting

Per Subscriber Session Call Admission Control (CAC)

Restrictions and Guidelines

Implementing CAC

Configuring Per Subscriber Session CAC

Summary Steps

Detailed Steps

Configuration Example

Verifying and Monitoring Per Subscriber Session CAC

Configuring Private Host on Pseudoport on CWAN Cards

Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs

Restrictions and Usage Guidelines

Configuring UDLD Aggressive Mode

Enabling UDLD on Ports With EVC Configured

Disabling Individual UDLD on Ports With EVC Configured

Resetting Disabled UDLD on Ports With EVC Configured

Verification

Dynamic Ethernet Service Activation

Restrictions and Usage Guidelines

Configuring Dynamic Ethernet Service Activation Support on C7600

Configuring DESA for a Dynamic Ethernet Session

Detailed Steps

Configuration Steps for a Static Ethernet Session

Configuration Example

Verifying DESA

Troubleshooting DESA

Control Plane Protection on Non Access Subinterfaces

Restrictions and Usage Guidelines

Configuring COPP on a Non Access Subinterface

Summary Steps

Detailed Steps

Configuration Example

Verifying COPP on a Non Access Sub Interface

BFD Scale Improvement on ES+ Line Card for 7600

BFD Sessions Supported on RSP720 Versions

SSO Behavior

Restrictions for BFD Scale Improvement

Configuring BFD Hardware Offload for 7600

Configuring BFD Hardware Offload for HSRP IPv4

Configuration Example

Verification

Information About BFD Deterministic Offload

Key Points About BFD Deterministic Offload

Configuring BFD Offload Timer

Configuration Example for BFD Offload Timer

BFD Template Support for IPv4 and IPv6

Restrictions for BFD Template Support

Restrictions for 10*3 BFD Timers

BFD Sessions Supported for 10*3 Timers

Using the BFD Template

Configuration Examples

Verification

Troubleshooting BFD Hardware Offload

Ethernet Data Plane Loopback

Restrictions for Ethernet Data Plane Loopback

Configuring the Ethernet Data Plane Loopback

Configuration Examples for Ethernet Data Plane Loopback

Verification

Configuring Layer 1 and Layer 2 Features

This chapter provides information about configuring layer 1 and layer 2 features on the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series router. It includes the following topics:

For more information about the commands used in this chapter, see the Cisco IOS Release 12.2 SR Command References at http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html .


Note The information provided in this chapter is applicable to both the ES+ and ES+T line cards unless specified otherwise.



Note Follow these restrictions and guidelines while cross-bundling various line cards:
1. ES20 and ES+ cross-bundling is not supported.
2. Cross-bundling any LAN card with ES20 or ES+ is not supported.


Cisco 7600 Synchronous Ethernet Support

Synchronous Ethernet (SyncE), defined by ITU-T standards such as G.8261 and G.8262, leverages the PHY layer of Ethernet to transmit clock information to remote sites. SyncE provides a cost-effective alternative to SONET networks. For SyncE to work, each network element along the synchronization path must support SyncE. To implement SyncE, the bit clock of the Ethernet is aligned to a reliable clock traceable to a Primary Reference Clock (PRC).

SyncE is implemented on an ES+ card for Cisco 7600 series routers. An ES+ card has a dedicated external interface, known as the BITS interface, to recover the clock from a Synchronization Supply Unit (SSU). The 7600 router uses this clock for SyncE. The BITS interface supports E1 (European SSUs) and T1 (American BITS) framing. Table 4-1 lists the framing modes for the BITS port on an ES+ card:

 

Table 4-1 Framing Modes for BITS Port on an ES+ Card

BITS/SSU port support matrix   Framing modes supported   SSM/QL support   Tx Port   Rx Port
T1                             T1 ESF                    Yes              Yes       Yes
T1                             T1 SF                     No               Yes       Yes
E1                             E1 CRC4                   Yes              Yes       Yes
E1                             E1 FAS                    No               Yes       Yes
E1                             E1 CAS                    No               No        Yes
E1                             E1 CAS CRC4               Yes              No        Yes
2048kHz                        2048kHz                   No               Yes       Yes

Table 4-2 lists the External Timing Input and Output Pinouts:

 

Table 4-2 External Timing Input and Output Pinout

Pin   Signal
1     Rx Ring
2     Receive (Rx) Tip
3     Not used
4     Tx Ring
5     Transmit (Tx) Tip
6     Not used
7     Not used
8     Not used


Note The pin out for BITS port on ES+ is similar to E1 and T1.


You can implement SyncE on an ES+ card with four different configurations:

  • Clock Recovery from SyncE: System clock is recovered from the SyncE clocking source (gigabit and ten gigabit interfaces only). Router uses this clock as the Tx clock for other SyncE interfaces or ATM/CEoP interfaces.
  • Clock Recovery from External Interface: System clock is recovered from a BITS clocking source.
  • Line to External: The clock received from an Ethernet interface is forwarded to an external SSU. The SyncE feature provides the functionality for clock cleanup. For a router in the middle of a synchronization chain, the received clock may have unacceptable wander and jitter. The router recovers the clock from the SyncE interface, converts it to the format required for the BITS interface, and sends it to an SSU through the BITS port. The SSU performs the cleanup and sends the cleaned-up clock back to the BITS interface. This clock is used as the Tx clock for the SyncE ports. For the 7600 router, the interface from which the clock is recovered and the BITS port to the SSU should reside on the same ES+ card.
  • System to External: The system clock is used as Tx clock for an external interface. By default the system clock is not transmitted on the external interface.

The SyncE-enabled ES+ line card provides the squelching functionality, where an Alarm Indication Signal (AIS) is sent to the Tx interfaces if the clock source goes down. The squelching functionality is implemented in two cases:

  • Line to external: If the line source goes down, an AIS is transmitted on the external interface to the SSU.
  • System to external: If the router loses all the clock sources, an AIS is sent on the external interface to the SSU.

Squelching is performed only towards an external device such as SSU or PRC.

You can have a maximum of six clock sources for a 7600 Router and a maximum of 4 clock sources on an ES+ card. The clock source with highest priority is made the default clock source. You can manage the clock sources on an ES+ card by changing the priority of the clock sources. You can also manage the synchronization on ES+ cards using the following management options:

  • Hold-off Time: If a clock source goes down, the router waits for a specific hold-off time before removing the source. By default, the value of the hold-off time is 300 ms.
  • Wait to Restore: If a SyncE interface comes up, the router waits for a specific period of time before considering the SyncE interface as a synchronization source. By default, the value is 300 sec.
  • Force Switch: Forcefully select a synchronization source irrespective of whether the source is available or within the specified range.
  • Manual Switch: Forcefully select a synchronization source provided the source is available and within the range.

SSM and ESMC

Network Clocking uses these mechanisms to exchange the quality level of the clock between the network elements:

Synchronization Status Message

Network elements use Synchronization Status Messages (SSM) to inform the neighboring elements about the Quality Level (QL) of the clock. Non-Ethernet interfaces such as optical interfaces and SONET/T1/E1 SPA framers use SSM. The key benefits of the SSM functionality are:

  • Prevents timing loops.
  • Provides fast recovery when a part of the network fails.
  • Ensures that a node derives timing from the most reliable clock source.

Ethernet Synchronization Messaging Channel

To maintain a logical communication channel in synchronous network connections, Ethernet relies on a channel called the Ethernet Synchronization Messaging Channel (ESMC), which is based on the IEEE 802.3 Organization Specific Slow Protocol standards. ESMC relays the SSM code that represents the quality level of the Ethernet Equipment Clock (EEC) in a physical layer.

ESMC packets are received only on those ports configured as clock sources and are transmitted on all the SyncE interfaces in the system. The received packets are processed by the clock selection algorithm on the RP and are used to select the best clock. The Tx frame is generated based on the QL value of the selected clock source and sent to all the enabled SyncE ports.

Clock Selection Algorithm

Clock selection algorithm selects the best available synchronization source from the nominated sources. The clock selection algorithm has a non-revertive behavior among clock sources with same QL value and always selects the signal with the best QL value. For clock option 1, the default is revertive and for clock option 2, the default is non-revertive.

The clock selection process works in the QL enabled and QL disabled modes. When multiple selection processes are present in a network element, all processes work in the same mode.

QL-enabled mode

In QL-enabled mode, the following parameters contribute to the selection process:

  • Quality level
  • Signal fail via QL-FAILED
  • Priority
  • External commands.

If no external commands are active, the algorithm selects the reference (for clock selection) with the highest quality level that does not experience a signal fail condition. If multiple inputs have the same highest quality level, the input with the highest priority is selected. For multiple inputs having the same highest priority and quality level, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary reference from this group is selected.

QL-disabled mode

In QL-disabled mode, the following parameters contribute to the selection process:

  • Signal failure
  • Priority
  • External commands

If no external commands are active, the algorithm selects the reference (for clock selection) with the highest priority that does not experience a signal fail condition. For multiple inputs having the same highest priority, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary reference from this group is selected.
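The selection rules described above for the QL-enabled and QL-disabled modes, written out as an added Python example (this is not Cisco's implementation). Assumptions: priority 1 is the highest priority, the quality-level names and their ordering follow ITU-T G.781 option 1 (the page names only QL-FAILED), the "arbitrary" tie-break picks the first nominated source, and the source names are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Quality levels, best first. Names and order follow ITU-T G.781 option 1;
# the page itself names only QL-FAILED, so this list is an assumption.
QL_ORDER = ["QL-PRC", "QL-SSU-A", "QL-SSU-B", "QL-SEC"]
QL_FAILED = "QL-FAILED"


@dataclass(frozen=True)
class ClockSource:
    name: str                  # constructed label, e.g. "Te7/1"
    priority: int              # assumption: 1 is the highest priority
    ql: str = "QL-SEC"         # received quality level (ignored in QL-disabled mode)
    signal_fail: bool = False  # signal fail condition on the source


def _failed(src: ClockSource, ql_enabled: bool) -> bool:
    """Signal fail; in QL-enabled mode QL-FAILED (or an unknown QL) also counts."""
    if src.signal_fail:
        return True
    return ql_enabled and (src.ql == QL_FAILED or src.ql not in QL_ORDER)


def select_clock(sources: Iterable[ClockSource],
                 current: Optional[str] = None,
                 ql_enabled: bool = True,
                 forced: Optional[str] = None,
                 manual: Optional[str] = None) -> Optional[str]:
    """Return the name of the selected source, or None when nothing is usable."""
    sources = list(sources)
    # Force switch: selected irrespective of whether the source is available.
    if forced in {s.name for s in sources}:
        return forced
    usable = [s for s in sources if not _failed(s, ql_enabled)]
    # Manual switch: honoured only if the source is available.
    if manual in {s.name for s in usable}:
        return manual
    if not usable:
        return None
    if ql_enabled:
        # Keep only the sources with the best quality level.
        best = min(QL_ORDER.index(s.ql) for s in usable)
        usable = [s for s in usable if QL_ORDER.index(s.ql) == best]
    # Among what is left, keep the highest priority (lowest number).
    top = min(s.priority for s in usable)
    group = [s.name for s in usable if s.priority == top]
    # Equal candidates: keep the existing reference if it is in the group,
    # otherwise pick an arbitrary member (here: the first nominated).
    return current if current in group else group[0]


# Constructed sample: one high-priority source with a poor QL and two
# lower-priority sources that both advertise QL-PRC.
SAMPLE_SOURCES = [
    ClockSource("Te7/1", priority=1, ql="QL-SEC"),
    ClockSource("Gi5/1", priority=2, ql="QL-PRC"),
    ClockSource("BITS7/0/0", priority=2, ql="QL-PRC"),
]

if __name__ == "__main__":
    print("QL-enabled :", select_clock(SAMPLE_SOURCES))
    print("QL-enabled, current=BITS7/0/0:",
          select_clock(SAMPLE_SOURCES, current="BITS7/0/0"))
    print("QL-disabled:", select_clock(SAMPLE_SOURCES, ql_enabled=False))
```

With the same three sources, QL-enabled mode ignores the priority-1 source because its quality level is worse, while QL-disabled mode selects it on priority alone.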

Hybrid mode

The SyncE feature requires that each network element along the synchronization path needs to support SyncE. Timing over Packet (ToP) enables transfer of timing over an asynchronous network. The hybrid mode uses the clock derived from 1588 (PTP) to drive the system clock. This is achieved by configuring the Timing over Packet (ToP) interface on the PTP slave as the input source.


Note The ToP interface does not support QL and works only in the QL-disabled mode.


The ES+ is a family of fixed-port SyncE line cards supporting 20 and 40 gbps bandwidth for the 7600 series routers. The following ES+ cards support SyncE:

  • 4x10G XFP ports
  • 40x1G SFP ports
  • 2x10G XFP ports
  • 20x1G SFP ports
  • 4x10GE or 2x10GE with ITU-T G.709 DWDM optical interface

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines when configuring the SyncE on an ES40 line card:

  • If the network clock algorithm is enabled, all the ES+ cards on the router use the system clock as the Tx clock (synchronous mode) for their Ethernet interfaces. You cannot change the synchronous mode on a per-interface basis for the line card. The whole line card functions in the same mode.
  • On an ES+ card, you can have a maximum of 4 ports configured as clock source at a time.
  • For a 20x1 gigabit ES+ line card, you can select a maximum of two ports from each NPU.
  • For a 40x1 gigabit ES+ line card, you can select only one port from each NPU.
  • You can configure a maximum of 6 ports as a clock source for a Cisco 7600 router.
  • The line to external for clock clean up is supported only if the line interface and the external (BITS) interface are on the same ES+ line card.
  • SyncE feature is SSO co-existent, but not compliant. The clock selection algorithm is restarted on a switchover. During the switchover the router goes into hold-over mode.
  • The ES+ SyncE interfaces in WAN mode cannot be used for QL-enabled clock selection. You should either use them with the system in QL disabled mode or disable ESMC on the interfaces and use them as QL-disabled interfaces.
  • It is recommended that you do not configure multiple input sources with the same priority as this impacts the TSM switching delay.
  • You cannot implement the network-clock based clock selection algorithm and the new algorithm simultaneously. Both these algorithms are mutually exclusive.
  • SyncE is not supported on 1 Gigabit Ethernet copper SFPs (SFP GE-T and GLC-T).
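Several of the restrictions above can be checked mechanically against a saved configuration. The following added Python example (not a Cisco tool) parses `network-clock` lines and reports violations of the 4-per-card and 6-per-router limits, duplicate input-source priorities, and a line-to-external pair that spans two cards. Assumptions: the first number of a port identifier is the slot, every slot holds an ES+ card, BITS (external) inputs count toward the per-card limit, and the sample configuration is constructed.

```python
import re
from collections import Counter

MAX_PER_CARD = 4     # clock sources per ES+ card (from the restrictions)
MAX_PER_ROUTER = 6   # clock sources per Cisco 7600 router

# Port forms seen on the page: "TenGigabitEthernet7/1", "External 7/0/0".
_PORT = r"([A-Za-z-]*\s*\d+(?:/\d+)+)"
_INPUT = re.compile(
    r"^\s*network-clock\s+input-source\s+(\d+)\s+(?:interface|external)\s+" + _PORT,
    re.I)
_LINE_OUT = re.compile(
    r"^\s*network-clock\s+output-source\s+line\s+\d+\s+interface\s+" + _PORT
    + r"\s+external\s+" + _PORT, re.I)


def _slot(port):
    """Assumption: the first number before a '/' is the chassis slot."""
    m = re.search(r"(\d+)/", port)
    return int(m.group(1)) if m else None


def audit_synce(config_text):
    """Return a list of (code, detail) findings for the given configuration."""
    findings, inputs = [], []
    for line in config_text.splitlines():
        m = _INPUT.match(line)
        if m:
            inputs.append((int(m.group(1)), m.group(2), _slot(m.group(2))))
            continue
        m = _LINE_OUT.match(line)
        if m and _slot(m.group(1)) != _slot(m.group(2)):
            findings.append(("LINE_EXT_CARD",
                             f"line {m.group(1)} and external {m.group(2)} "
                             "are on different cards"))
    if len(inputs) > MAX_PER_ROUTER:
        findings.append(("ROUTER_LIMIT",
                         f"{len(inputs)} clock sources, maximum is {MAX_PER_ROUTER}"))
    per_slot = Counter(slot for _, _, slot in inputs)
    for slot, count in sorted(per_slot.items()):
        if count > MAX_PER_CARD:
            findings.append(("CARD_LIMIT",
                             f"slot {slot} has {count} clock sources, "
                             f"maximum is {MAX_PER_CARD}"))
    per_priority = Counter(prio for prio, _, _ in inputs)
    for prio, count in sorted(per_priority.items()):
        if count > 1:
            findings.append(("DUP_PRIORITY",
                             f"priority {prio} is used by {count} input sources"))
    return findings


# Constructed sample configuration (not taken from a real router).
SAMPLE_CONFIG = """\
network-clock synchronization automatic
network-clock input-source 1 interface TenGigabitEthernet7/1
network-clock input-source 2 interface TenGigabitEthernet7/2
network-clock input-source 2 interface TenGigabitEthernet7/3
network-clock input-source 3 interface TenGigabitEthernet7/4
network-clock input-source 4 External 7/0/0 t1 sf
network-clock output-source line 1 interface GigabitEthernet1/11 External 2/0/0 t1 sf
"""

if __name__ == "__main__":
    for code, detail in audit_synce(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

The per-NPU port limits are not checked, because the port-to-NPU mapping is not given here.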

Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card

This section describes how to configure SyncE for Cisco 7600 Router. SyncE is implemented on Cisco 7600 router using four different configurations:

Configuring the Clock Recovery from SyncE

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from SyncE method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

6. [no] clock source {internal | line | loop}

7. synchronous mode

8. exit

9. network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}

10. exit

DETAILED STEPS

 

Step 1
  Command: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command: network-clock synchronization automatic
  Example: Router(config)# network-clock synchronization automatic
  Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4
  Command: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
  Example: Router(config)# network-clock synchronization ssm option 2 GEN1
  Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe. This is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5
  Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
  Example: Router(config)# int gig 5/1
  Purpose: Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.

Step 6
  Command: clock source {internal | line | loop}
  Example: Router(config-if)# clock source line
  Purpose: Indicates the clock source to use. The three options for the clock source are:
    • internal: Use internal clock.
    • line: Recover clock from line.
    • loop: Use local loop timing.
  To implement SyncE, use the line option.

Step 7
  Command: synchronous mode
  Example: Router(config-if)# synchronous mode
  Purpose: Sets the mode to synchronous mode.

Step 8
  Command: exit
  Example: Router(config-if)# exit
  Purpose: Exits the specific configuration mode.

Step 9
  Command: network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}
  Example: Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
  Purpose: Enables clock recovery from SyncE.

Step 10
  Command: exit
  Example: Router(config)# exit
  Purpose: Exits the global configuration mode.

Examples

This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:

Router> enable
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# int gig 5/1
Router(config-if)# clock source line
Router(config-if)# synchronous mode
Router(config-if)# exit
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)# exit

Configuring the Clock Recovery from BITS Port

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from BITS port.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}

6. exit

DETAILED STEPS

 

Step 1
  Command: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command: network-clock synchronization automatic
  Example: Router(config)# network-clock synchronization automatic
  Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4
  Command: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
  Example: Router(config)# network-clock synchronization ssm option 2 GEN1
  Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe. This is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5
  Command: network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}
  Example: Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
  Purpose: Enables clock recovery from the BITS port.

Step 6
  Command: exit
  Example: Router(config)# exit
  Purpose: Exits the global configuration mode.

Examples

This example shows how to configure clock recovery from BITS port for Cisco 7600 Routers:

Router> enable
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
Router(config)# exit
 

Configuring the System to External

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using System to External method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m] }

6. exit

DETAILED STEPS

 

Step 1
  Command: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command: network-clock synchronization automatic
  Example: Router(config)# network-clock synchronization automatic
  Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4
  Command: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
  Example: Router(config)# network-clock synchronization ssm option 2 GEN1
  Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe. This is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5
  Command: network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m]}
  Example: Router(config)# network-clock output-source system 1 external 4/0/0 t1 sf
  Purpose: Configures the system clock to be used on external Tx interfaces.

Step 6
  Command: exit
  Example: Router(config)# exit
  Purpose: Exits the global configuration mode.

Examples

This example shows how to configure system to external clocking for Cisco 7600 Routers:

Router> enable
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock output-source system 1 external 4/0/0 t1 sf
Router(config)# exit
 

This example shows how to configure clock clean-up using an SSU:

Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0 t1 sf
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf

Configuring the Line to External

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using Line to External method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

6. [no] clock source {internal | line | loop}

7. synchronous mode

8. exit

9. network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}

10. exit

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

network-clock synchronization automatic

 

Router(config)# network-clock synchronization automatic

Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4

network-clock synchronization ssm option {option_id {GEN1 | GEN2}}

 

 

 

Router(config)# network-clock synchronization ssm option 2 GEN1

 

Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe. This is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5

interface gigabitethernet slot/port or interface tengigabitethernet slot/port

 

 

Router(config)# int gig 5/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

slot/port—Specifies the location of the interface.

Step 6

clock source {internal | line | loop}

 

 

 

 

Router(config-if)# clock source line

Indicates the clock source to use. The 3 options for clock source are:

  • internal: Use internal clock.
  • line: Recover clock from line.
  • loop: Use local loop timing.

To implement SyncE, use the line option.

Step 7

synchronous mode

 

 

 

Router(config-if)# synchronous mode

Sets the mode to synchronous mode.

Step 8

exit

 

 

Router(config-if)# exit

Exits the specific configuration mode.

Step 9

network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}

 

 

 

Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0

 

Configures the line clock to be used on external Tx interfaces.

Step 10

exit

 

Router(config)# exit

Exits the global configuration mode.

Examples

This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:

Router>enable
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)# int gig 5/1
Router(config-if)# clock source line
Router(config-if)# synchronous mode
Router(config-if)# exit
Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0
Router(config)# exit

Managing Synchronization on ES+ Card

Manage the synchronization on ES+ cards with these management commands:

  • Quality Level Enabled Clock Selection: Use the network-clock synchronization mode QL-enabled command in global configuration mode to configure the automatic selection process for QL-enabled mode. This succeeds only if the SyncE interfaces are capable of sending SSM. The following example shows how to configure network clock synchronization (QL-enabled mode) in global configuration mode:
Router(config)# network-clock synchronization mode QL-enabled
 
  • ESMC Process: Use the esmc process command in global configuration mode to enable the ESMC process at system level. The no form of the command disables the ESMC process. This command fails if there is no SyncE-capable interface installed in the platform. The following example shows how to enable ESMC in global configuration mode:
Router(config)# esmc process
 
  • ESMC Mode: Use the esmc mode [tx | rx | <cr>] command in interface configuration mode to enable the ESMC process at the interface level. The no form of the command disables the ESMC process. The following example shows how to enable ESMC in interface configuration mode:
Router(config-if)# esmc mode tx
 
  • Network Clock Source Quality Level: Use the network-clock source quality-level command in interface configuration mode to configure the QL value for ESMC on a Gigabit Ethernet port. The value is based on global interworking options.

If Option 1 is configured, the available values are QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and QL-DNU.

If Option 2 is configured with GEN 2, the available values are QL-PRS, QL-STU, QL-ST2, QL-TNC, QL-ST3, QL-SMC, QL-ST4 and QL-DUS.

If Option 2 is configured with GEN1, the available values are QL-PRS, QL-STU, QL-ST2, QL-SMC, QL-ST4 and QL-DUS.

Use the network-clock quality-level command in global configuration mode to configure the QL value for SSM on BITS port. The following example shows how to configure network-clock quality-level in global configuration mode:

Router(config)# network-clock quality-level rx QL-PRC interface ToP3/0/20

The following example shows how to configure network-clock source quality-level in interface configuration mode:

Router(config-if)# network-clock source quality-level QL-PRC
 
  • Wait-to-Restore: Use the network-clock wait-to-restore timer global command to set the wait-to-restore time. You can configure the wait-to-restore time between 0 and 86400 seconds. The default value is 300 seconds. The wait-to-restore timer can be set in global configuration mode and interface configuration mode. The following example shows how to configure the wait-to-restore timer in global configuration mode:
Router(config)# network-clock wait-to-restore 10 global

 

The following example shows how to configure the wait-to-restore timer in interface configuration mode:

Router(config)# int ten 7/1
Router(config-if)# network-clock wait-to-restore 10
  • Hold-off Time: Use the network-clock hold-off timer global command to configure the hold-off time. You can configure the hold-off time to zero or any value between 50 and 10000 milliseconds. The default value is 300 milliseconds. The network-clock hold-off timer can be set in global configuration mode and interface configuration mode. The following example shows how to configure the hold-off time:
Router(config)# network-clock hold-off 50 global

 

  • Force Switch: Use the network-clock switch force command to forcefully select a synchronization source irrespective of whether the source is available and within the range. The following example shows how to configure a force switch:
Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1

 

  • Manual Switch: Use the network-clock switch manual command to manually select a synchronization source provided the source is available and within the range. The following example shows how to configure a manual switch:
Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1

 

  • Clear Manual and Force Switch: Use the network-clock clear switch controller-id command to clear the manual or force switch. The following example shows how to clear a switch:
Router(config)# network-clock clear switch t0

 

  • Lock out a Source: Use the network-clock set lockout command to lock-out a clock source. A clock source flagged as lock-out is not selected for SyncE. To clear the lock-out on a source, use the network-clock clear lockout command. The following example shows how to lock out a clock source:
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1

The following example shows how to clear lock-out on a clock source:

Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1

Verification

Use the following commands to verify the SyncE configuration:

  • Use the show network-clock synchronization command to display the sample output:
Router# show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
 
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No
 
Nominated Interfaces
 
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
  • Use the show network-clock synchronization detail command to display all details of network-clock synchronization parameters at the global and interface levels.
Router# show network-clocks synchronization detail
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
 
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No
Force Switch: FALSE
Manual Switch: FALSE
Number of synchronization sources: 2
sm(netsync NETCLK_QL_ENABLE), running yes, state 1A
Last transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A
 
Nominated Interfaces
 
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
 
Interface:
---------------------------------------------
Local Interface: Internal
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Disable
SSM Rx: Disable
Priority: 251
QL Receive: QL-SEC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 0
Wait-to-restore: 0
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
 
Local Interface: Te12/1
Signal Type: NA
Mode: Synchronous(Ql-enabled)
ESMC Tx: Enable
ESMC Rx: Enable
Priority: 1
QL Receive: QL-PRC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: QL-DNU
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
 
Local Interface: AT6/0/0
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Enable
SSM Rx: Enable
Priority: 1
QL Receive: QL-SSU-A
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
 
  • Use the show esmc command to display the sample output.
Router# show esmc
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: -
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
 
Interface: TenGigabitEthernet12/2
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
  • Use the show esmc detail command to display all details of esmc parameters at the global and interface levels.
Router# show esmc detail
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: -
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 2195
ESMC INFO pkts out: 6034
ESMC EVENT pkts in: 1
ESMC EVENT pkts out: 16
 
Interface: TenGigabitEthernet12/2
Administrative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 0
ESMC INFO pkts out: 2159
ESMC EVENT pkts in: 0
ESMC EVENT pkts out: 10
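A saved copy of the detail output above can be checked mechanically before any debug command is considered. The following is an added example, not Cisco code: it parses the show network-clocks synchronization detail layout shown above and reports switch overrides, per-interface flags set to TRUE, and received QL-DNU or QL-DUS values. The SAMPLE text is constructed for the example, and the function names are hypothetical.

```python
"""Health check over 'show network-clocks synchronization detail' output.

Added illustration. SAMPLE is constructed for this example in the layout of
the output shown above; it was not captured from a router.
"""

SAMPLE = """\
Automatic selection process : Enable
Clock Mode : QL-Enable
T0 : TenGigabitEthernet12/1
Revertive : No
Force Switch: FALSE
Manual Switch: TRUE
Number of synchronization sources: 2

Nominated Interfaces

Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-DNU - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA

Interface:
---------------------------------------------
Local Interface: Internal
Priority: 251
QL Receive: QL-SEC
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Local Interface: Te12/1
Priority: 1
QL Receive: QL-DNU
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Local Interface: AT6/0/0
Priority: 1
QL Receive: QL-SSU-A
Lock Out: FALSE
Signal Fail: TRUE
Alarms: TRUE
Slot Disabled: FALSE
"""

# Per-interface flags worth reporting when they read TRUE.
FLAGS = ("Signal Fail", "Alarms", "Lock Out", "Slot Disabled")
# Received quality levels that mark a source as not to be used
# (QL-DNU under Option 1, QL-DUS under Option 2).
UNUSABLE_QL = ("QL-DNU", "QL-DUS")


def parse_detail(text):
    """Return (global_settings, [interface_settings, ...]) as dicts."""
    settings, interfaces, current = {}, [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue                      # table rows, rulers and blank lines
        key, value = key.strip(), value.strip()
        if key == "Local Interface":      # starts a new per-interface block
            current = {"name": value}
            interfaces.append(current)
        elif current is not None:
            current[key] = value
        else:
            settings[key] = value
    return settings, interfaces


def findings(text):
    """List the conditions an operator should look at, in output order."""
    settings, interfaces = parse_detail(text)
    issues = []
    for switch in ("Force Switch", "Manual Switch"):
        if settings.get(switch, "").upper() == "TRUE":
            issues.append(f"{switch} is TRUE")
    for intf in interfaces:
        for flag in FLAGS:
            if intf.get(flag, "").upper() == "TRUE":
                issues.append(f"{intf['name']}: {flag} is TRUE")
        if intf.get("QL Receive") in UNUSABLE_QL:
            issues.append(f"{intf['name']}: QL Receive is {intf['QL Receive']}")
    return issues


if __name__ == "__main__":
    for issue in findings(SAMPLE):
        print(issue)
```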

Troubleshooting the Synchronous Ethernet configuration

The following debug commands are available for troubleshooting the Synchronous Ethernet configuration on the Cisco 7600 ES+ Line Card:

Troubleshooting Scenarios

Debug Command
Purpose

debug platform ssm

Debugs issues related to SSM such as Rx, Tx, QL values and so on.

debug platform network-clock

Debugs issues related to network clock such as alarms, OOR, active-standby sources not selected correctly and so on.

debug esmc error

debug esmc event

debug esmc packet [interface <interface name>]

debug esmc packet rx [interface <interface name>]

debug esmc packet tx [interface <interface name>]

Verifies whether the ESMC packets are transmitted or received with proper quality level values.


Note Before you troubleshoot, ensure that all the network clock synchronization configurations are complete.


Troubleshooting

Table 4-3 provides the troubleshooting solutions for the Synchronous Ethernet feature.

Table 4-3 Troubleshooting Scenarios

Problem
Solution

Incorrect clock limit set or disabled queue limit mode

  • Verify that there are no alarms on the interfaces. Use the show network-clock synchronization detail RP command to confirm.
Warning We suggest you do not use these debug commands without TAC supervision.
  • Use the show network-clock synchronization command to confirm if the system is in revertive mode or non-revertive mode and verify the non-revertive configurations as shown in this example:

RouterB# show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 1544 (EEC-Option2)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : GEN1
T0 : POS3/1/0
Hold-off (global) : 300 ms
Wait-to-restore (global) : 0 sec
Tsm Delay : 180 ms
Revertive : Yes <<<< If it is non-revertive, then it will show No here.

Nominated Interfaces

Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-ST3 NA NA
SONET 3/0/0 NA NA/En 3 QL-ST3 NA NA
*PO3/1/0 NA NA/En 1 QL-ST3 NA NA
SONET 2/3/0 NA NA/En 4 QL-ST3 NA NA

  • Reproduce the current issue and collect the logs using the debug network-clock errors, debug network-clock event, and debug network-clock sm RP commands.
Warning We suggest you do not use these debug commands without TAC supervision.
  • Contact Cisco technical support if the issue persists.

Incorrect quality level (QL) values when you use the show network-clock synchronization detail command.

  • Use the network clock synchronization SSM (option 1 | option 2) command to confirm that there is no framing mismatch. Use the show run interface command to validate the framing for a specific interface. For SSM option 1, framing should be SDH or E1; for SSM option 2, it should be SONET or T1.
  • Reproduce the issue using the debug network-clock errors, debug network-clock event and debug platform ssm RP commands or enable the debug hw-module subslot command.
Warning We suggest you do not use these debug commands without TAC supervision.

Error message “%NETCLK-6-SRC_UPD: Synchronization source SONET 2/3/0 status (Critical Alarms(OOR)) is posted to all selection process" displayed.

  • Interfaces with alarms or OOR cannot be part of the selection process even if they have a higher queue limit or priority. Use the debug platform network-clock RP command to troubleshoot network clock issues.
  • Reproduce the issue using the debug platform network-clock command enabled in a route processor or enable the debug network-clock event and debug network-clock errors RP commands.
Warning We suggest you do not use these debug commands without TAC supervision.

Flexible QinQ Mapping and Service Awareness

Flexible QinQ Mapping and Service Awareness allows service providers to offer triple-play services, residential Internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.

The access node connects to the DSLAM through the Cisco 7600 Series ES+ line cards. This provides a flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to different services.

Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards is supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

Figure 4-1 shows a typical metro architecture where the access router facing the DSLAM provides VLAN translation (selective QinQ) and grooming functionality and where the service routers (SR) provide QinQ termination into a Layer 2 or Layer 3 service.

Figure 4-1 Metro Architecture

 

Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards provides the following functionality:

  • VLAN connect with local significance (VLAN local switching)

Single tag Ethernet local switching where the received dot1q tag traffic from one port is cross-connected to another port by changing the tag. This is a 1-to-1 mapping service and there is no MAC learning involved.

Double tag Ethernet local switching where the received double tag traffic from one port is cross-connected to another port by changing both tags. The mapping to each double tag combination to the cross-connect is 1-to-1. There is no MAC learning involved.

Hairpinning: A cross connect between two EFPs on the same port.


Note Connect service does not support identifying BPDU packets.


  • Selective QinQ (1-to-2 translation)

Cross connect—Selective QinQ adds an outer tag to the received dot1q traffic and then tunnels it to the remote end with Layer 2 switching or EoMPLS.

  • Double tag translation (2-to-2 translation) Layer 2 switching—Two received tagged frames are popped and two new tags are pushed.
  • Double tag termination (2-to-1 tag translation)

Ethernet MultiPoint Bridging over Ethernet (MPBE)—The incoming double tag is uniquely mapped to a single dot1q tag that is then used to do MPBE.

Double tag MPBE—The ingress line uses double tags in the ingress packet to look up the bridging VLAN. The double tags are popped and the egress line card adds new double tags and sends the packet out.

Double tag routing—Same as regular dot1q tag routing except that double tags are used to identify the hidden VLAN.

  • Local VLAN significance—VLAN tags are significant only to the port.

For the Cisco 7600 Series ES+ line card, the subinterface gets a hidden VLAN (a VLAN that is not configured and is allocated internally) associated to the subinterface. The hidden VLAN number has no correlation with the encapsulation VLAN (the VLAN visible to the user or in the wire). Because the encapsulation is local to the port, you can have the same encapsulation VLAN in multiple ports.

  • Scalable EoMPLS VC—Single tag packets are sent across the tunnel.
  • QinQ policing and QoS
  • Layer 2 protocol data unit (PDU) packet

Starting with Cisco IOS Release 15.4(2)S, when you use the connect and xconnect commands, the CDP, DTP, and VTP packets are forwarded transparently only if they are tagged. See Table 4-39 for more information.

With the bridge-domain command, if the Layer 2 PDUs are tagged, packets are dropped by default; if the Layer 2 PDUs are untagged, packets are treated per the physical port configuration. (With an untagged service instance with the bridge-domain command, the CPU stops the PDU depending on the configuration.) When the feature is configured on the EFP, the BPDU is passed by the EFP to the feature, which makes the decision accordingly.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines when configuring Flexible QinQ Mapping and Service Awareness on the Cisco 7600 Series ES+ line cards:

  • Service Scalability:

Service Instances per network processor: 8000

Service instances per Line Card: 16000

Service instances per port channel: 8000. This is subject to the number of members per NP. This value would reduce by the factor of the member links per NP. If the member links are spread across NPs, then the maximum number of service instances per port channel is unchanged.

Using TCAM entries: The number of TCAMs an EVC uses depends on the encapsulation configured on the TCAM as shown in the following examples.

Example 1

service instance 1 eth

encap dot1q 100

TCAMs used - 1

Example 2

service instance 1 eth

encap dot1q 200 second-dot1q 300

TCAMs used - 1

Example 3

service instance 1 eth

encap dot1q 201, 202

TCAMs used - 2 (one for each encapsulation)

Example 4

service instance 1 eth

encap dot1q 20-40

TCAMs used - 4

First entry to match vlans 20-23

Second entry to match vlans 24-31

Third entry to match vlans 32-39

Fourth entry to match vlan 40

A range does not always mean multiple TCAMs as shown in this example where only one TCAM entry is used.

Example 5

service instance 1 ethernet

encap dot1q 8-15

service instance 2 ethernet

encap dot1q 2000 second-dot1q 96-127

TCAMs used per EVC : 1

Service instances per router: 32,000

Bridge-domains per router: 4,000

Local switching: 16,000

Xconnect: 16,000

Subinterface: 2,000

Number of service instance on a particular domain: 110 per NP

  • QoS Scalability:

Service instances per router: 32,000

Bridge-domains: 4,000

Local switching: 16,000

Xconnect: 16,000

Subinterface: 2,000

  • QoS Scalability:

Shaping: Parent queue is 2,000 and child queue is 16,000

Marking: Parent queue is 2,000 and child queue is 16,000

Maximum number of child queues (leaf) supported for ES+T line card is 16 per port.

  • Modular QoS CLI (MQC) actions supported include:

Shaping

Bandwidth

Two priority queues per policy

The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner cos command

WRED aggregate

Queue-limit
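The TCAM counts in Examples 1 to 5 under Service Scalability follow the pattern of splitting each VLAN range into aligned power-of-two blocks, one value/mask entry per block. The following added example (not Cisco code) reproduces those counts so that an encapsulation can be costed before it is configured. The block-splitting rule, the product rule for outer and inner ranges, and the function names are assumptions inferred from the examples, not documented line card behavior.

```python
"""Estimate TCAM entries for an EVC encapsulation (added illustration).

Assumption: each TCAM entry is a ternary value/mask match, so a VLAN range
costs one entry per aligned power-of-two block. This reproduces the counts
in Examples 1-5 but is not taken from Cisco documentation.
"""


def split_range(lo, hi):
    """Split VLANs lo..hi into aligned power-of-two blocks [(start, end), ...]."""
    if not 1 <= lo <= hi <= 4094:
        raise ValueError(f"invalid VLAN range {lo}-{hi}")
    blocks = []
    while lo <= hi:
        size = lo & -lo                 # largest block that starts aligned at lo
        while size > hi - lo + 1:       # shrink until it fits the remaining range
            size >>= 1
        blocks.append((lo, lo + size - 1))
        lo += size
    return blocks


def parse_vlans(spec):
    """Parse an encapsulation VLAN list such as '10-20,30,50-60'."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def tcam_blocks(spec):
    """All value/mask blocks needed to match the VLAN list in spec."""
    return [b for lo, hi in parse_vlans(spec) for b in split_range(lo, hi)]


def tcam_entries(outer, inner=None):
    """Entries for 'encapsulation dot1q <outer> [second-dot1q <inner>]'.

    Assumption: one entry matches one outer block and one inner block, so the
    cost is the product of the two block counts.
    """
    count = len(tcam_blocks(outer))
    if inner is not None:
        count *= len(tcam_blocks(inner))
    return count


if __name__ == "__main__":
    # The five encapsulations from the examples above.
    for outer, inner in [("100", None), ("200", "300"), ("201, 202", None),
                         ("20-40", None), ("8-15", None), ("2000", "96-127")]:
        print(outer, inner, tcam_entries(outer, inner))
```

Under the same assumptions, an encapsulation list such as 10-20,30,50-60 costs nine entries, which shows how quickly unaligned ranges consume TCAM space.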

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. service instance id ethernet [service-name]

5. encapsulation dot1q vlan-id

6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

service instance id ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

 

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Examples

Single Tag VLAN Connect

In this example, an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with a dot1q tag of 11. No MAC learning is involved.


Note Because there is a VLAN translation end to end, Layer 2 protocols need to be carefully considered. Typically, the use case has both sides on the same encapsulation.


This example shows a typical configuration of a DSLAM facing port of the first PE router.

 
! DSLAM facing port
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
!L2 facing port
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connect service
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101
 

Double Tag VLAN Connect

In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with an outer dot1q tag of 11 and inner tag 21. No MAC learning is involved.

This example shows a typical configuration of an MPLS core facing port of the first PE router.

 
! DSLAM facing port
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
!L2 facing port
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! connect service
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101

 

Selective QinQ with Xconnect

This configuration uses EoMPLS under the single tag subinterface to forward packets. This example shows a typical configuration of an MPLS core facing port of the second PE router.

 

DSLAM facing port

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
!
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255

 

MPLS core facing port

Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp

MPLS core facing port

Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.2 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
!
Router(config)# interface Loopback1
Router(config-if)# ip address 2.2.2.2 255.255.255.255
 

CE facing EoMPLS configuration

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect
 

Selective QinQ with Layer 2 Switching

This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism is the same as MPBE; only the rewrites for each service instance are different.

 

DSLAM facing port, single tag incoming

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11

 

QinQ VLAN

Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

Double Tag Translation (2-to-2 Tag Translation)

In this configuration, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge domain VLAN.

 

QinQ facing port

Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200

 

QinQ VLAN

Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# bridge-domain 200

Double Tag Termination (2 to 1 Tag Translation)

The configuration in this example uses the Layer 2 switching.

Double tag traffic

Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet 1/3
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
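The tag handling in the examples above can be traced with a small model of a service instance: match the frame against the encapsulation, apply the ingress rewrite, then apply the inverse rewrite on the egress instance, which is what the symmetric keyword requests. This is an added example, not Cisco code. The ServiceInstance class and forward function are hypothetical names, only exact VLAN IDs are modeled (no ranges or any), and bridge-domain and connect forwarding are reduced to choosing the egress instance.

```python
"""Model of EVC service-instance VLAN tag rewrites (added illustration).

Tags are tuples of VLAN IDs, outermost first. Every rewrite is treated as
'symmetric': egress applies the inverse of the ingress operation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceInstance:
    port: str
    encap: tuple                  # encapsulation dot1q X [second-dot1q Y]
    rewrite: tuple = ("none",)    # ("pop", n) | ("push", tags) | ("translate", n, tags)

    def __post_init__(self):
        # Model constraint: egress can only restore tags it knows from the
        # encapsulation, so pop/translate may not touch more tags than it matches.
        if self.rewrite[0] in ("pop", "translate") and self.rewrite[1] > len(self.encap):
            raise ValueError(f"{self.port}: rewrite touches more tags than the encapsulation matches")

    def ingress(self, tags):
        """Match the frame against the encapsulation, then apply the rewrite."""
        tags = tuple(tags)
        if tags[:len(self.encap)] != self.encap:
            raise ValueError(f"{self.port}: tags {tags} do not match {self.encap}")
        op = self.rewrite[0]
        if op == "pop":
            return tags[self.rewrite[1]:]
        if op == "push":
            return self.rewrite[1] + tags
        if op == "translate":
            return self.rewrite[2] + tags[self.rewrite[1]:]
        return tags

    def egress(self, tags):
        """Apply the inverse of the ingress rewrite (the 'symmetric' keyword)."""
        tags = tuple(tags)
        op = self.rewrite[0]
        if op == "pop":                       # put back the tags ingress removed
            return self.encap[:self.rewrite[1]] + tags
        if op in ("push", "translate"):       # strip the tags ingress added
            added = self.rewrite[-1]
            if tags[:len(added)] != added:
                raise ValueError(f"{self.port}: tags {tags} lack rewrite tags {added}")
            restored = self.encap[:self.rewrite[1]] if op == "translate" else ()
            return restored + tags[len(added):]
        return tags


def forward(src, dst, tags):
    """Ingress rewrite on src followed by the symmetric egress rewrite on dst."""
    return dst.egress(src.ingress(tags))


def page_examples():
    """Tag stacks leaving the router for the configurations shown above."""
    pop1, pop2 = ("pop", 1), ("pop", 2)
    qinq = ServiceInstance("Te1/1", (100, 10), ("translate", 2, (200, 20)))
    term = ServiceInstance("Te1/1", (200, 20), pop2)
    return {
        "single tag connect": forward(ServiceInstance("Te1/1", (10,), pop1),
                                      ServiceInstance("Te1/2", (11,), pop1), (10,)),
        "double tag connect": forward(ServiceInstance("Te1/1", (10, 20), pop2),
                                      ServiceInstance("Te1/2", (11, 21), pop2), (10, 20)),
        "2-to-2 translation": forward(qinq, ServiceInstance("Te1/2", (200, 20)), (100, 10)),
        "2-to-2 return path": forward(ServiceInstance("Te1/2", (200, 20)), qinq, (200, 20)),
        "termination to Te1/2": forward(term, ServiceInstance("Te1/2", (10,), pop1), (200, 20)),
        "termination to Te1/3": forward(term, ServiceInstance("Te1/3", (30,), pop1), (200, 20)),
    }


if __name__ == "__main__":
    for name, tags in page_examples().items():
        print(f"{name}: egress tags {tags}")
```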

Verification

Use these commands to verify operation.

 

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detailed option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Router# show mpls l2 transport vc detail

Displays details of the virtual connection (VC).

Router# show mpls forwarding

Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB).

Note Output should have the label entry l2ckt.

Router# show connect

Displays statistics and other information about Frame-Relay-to-ATM Network Interworking (FRF.5) and Frame Relay-to-ATM Service Interworking (FRF.8) connections.

Router# show xconnect

Displays information about cross-connect attachment circuits and pseudowires.

Troubleshooting

Use these debug commands to troubleshoot the Flexible QinQ feature.

Debug commands

 

Command
Purpose

[no] debug ethernet service evc [id <evc-id>]

Enables EVC debugging on the RP. If no EVC ID is specified, debugging is enabled for all EVCs on the system.

[no] debug ethernet service instance [id <instance-id> interface <interface-id> | interface <interface-id>]

Enables EFP debugging on the RP. If no options are specified, debugging for all EFPs is enabled. If an EFP ID and interface are specified, only those debug messages associated with the EFP are displayed as the output. If only an interface is specified, debug messages for all EFPs on that interface are displayed.

[no] debug ethernet service interface [<interface-id>]

Enables PDB debugging.

[no] debug ethernet service api

Enables debugging between Ethernet Services Infrastructure and its clients.

debug ethernet service oam-mgr

Enables OAM Manager debugging, to debug OAM inter-working.

[no] debug ethernet service error

Enables Ethernet service error debugging.

[no] debug ethernet service all

Enables EI debugging messages for all PDBs, EVCs, and EFPs.

Table 4-4 provides the troubleshooting solutions for the Flexible mapping feature.

Table 4-4 Troubleshooting Flexible mapping feature

Problem
Solution

Erroneous TCAM entries.

Use the show hw-module subslot subslot tcam command to verify the TCAM entries. Share the output with TAC for further investigation.

Incorrect virtual VLAN IDs on a QinQ subinterface.

Use the test hw-mod subslot subslot command to verify the virtual VLAN ID values on a QinQ subinterface. Share the output with TAC for further investigation.

Wrong interface configured and tag manipulation incorrectly programmed.

Use the command show platform np interface detail to verify the interface and tag details. Share the output with TAC for further investigation.

VLAN ID is incorrectly programmed.

Use the command show hw-module subslot subslot tcam all_entries vlan to verify the VLAN ID details. Share the output with TAC for further investigation.

Inner, outer start/end VLANs incorrectly programmed.

Use the show platform np efp command to verify the VLAN details. Share the output with TAC for further investigation.

Erroneous TCAM entries on the platform.

Use the show plat soft qos tcamfeature and show plat soft qos tcamt commands to verify the TCAM entries. Share the output with TAC for further investigation.

Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards

MultiPoint Bridging over Ethernet (MPBE) on Cisco 7600 Series ES+ line cards provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain traffic packets from one service instance to another. Filtering occurs before and after the rewrite to ensure that the packet goes only to the intended service instance.

You can use MPBE to:

  • Simultaneously configure Layer 2 and Layer 3 services such as Layer 2 VPN, Layer 3 VPN, and Layer 2 bridging on the same physical port.
  • Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can be in the same physical port or in different ports.
  • Configure multiple service instances with different encapsulations and map them to a single bridge domain.
  • Perform local switching between service instances under the same bridge domain.
  • Perform local switching across different physical interfaces using service instances that are part of the same bridge domain.
  • Replicate flooded packets from the core to all service instances under the bridge domain.
  • Configure a Layer 2 tunneling service or Layer 3 terminating service under the bridge domain VLAN.

MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:

  • Single tag termination
  • Single tag tunneling
  • Single tag translation
  • Double tag termination
  • Double tag tunneling
  • Double tag translation
  • Selective QinQ translation

Restrictions and Usage Guidelines

When configuring the MPBE over Ethernet on Cisco 7600 Series ES+ line cards, follow these restrictions and usage guidelines:

  • Each service instance is considered as a separate circuit under the bridge-domain.
  • Encapsulation can be dot1q or QinQ packets.
  • 440 MPB VCs are supported under one bridge-domain (110 per network processor).
  • IGMP snooping is supported with MPB VCs as long as the service instance is terminated on the bridge-domain (must pop all tags, symmetric).
  • Split Horizon is supported with MPB VCs.
  • Untagged BPDU packets can be peered, dropped, or forwarded as data.
  • Tagged BPDU packets can be dropped or forwarded as data.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. [no] service instance id {Ethernet [service-name]}

5. encapsulation dot1q vlan-id [second-dot1q vlan-id]

6. [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

7. [no] bridge-domain bridge-id

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

[no] service instance id {Ethernet [service-name]}

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id [second-dot1q vlan-id]

 

Router(config-if-srv)# encapsulation dot1q 10

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

[no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

 

Router(config-if-srv)# rewrite ingress tag push dot1q 200 symmetric

This command specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Note If this command is not configured, then the frame is left intact on ingress (the service instance is equivalent to a trunk port).

Step 7

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Examples

Single Tag Termination Example

In this example, the single tag termination identifies customers based on a single VLAN tag and maps the single-VLAN tag to the bridge-domain.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 12

Single Tag Tunneling Example

In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 200

Single Tag Translation Example

In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 3/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Router(config-if-srv)# bridge-domain 200

Double Tag Tunneling Example

In this double tag tunneling example, the incoming VLAN tags are not removed but continue with the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# bridge-domain 200

Double Tag Termination Configuration Example

In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN; the double tags are stripped (terminated) from the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200

Double-Tag Translation Configuration Example

In this example, double tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer-2-switched to the bridge-domain VLAN.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second-dot1q 30 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200

Selective QinQ Configuration Example

In this example, a range of VLANs is configured and plugged into a single MPB VC.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200
 
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200

Untagged Traffic Configuration Example

In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# bridge-domain 11
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

MPBE with Split Horizon Configuration Example

In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from which the traffic originated.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if)# service instance 1001 ethernet
Router(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30
Router(config-if-srv)# bridge-domain 101 split-horizon
Router(config-if)# service instance 1010 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# rewrite ingress tag translate 1-to-2 dot1q 10 second-dot1q 100 symmetric
Router(config-if-srv)# bridge-domain 10 split-horizon
Router(config-if)# mls qos trust dscp
 

In this example, service instances are configured on Ethernet interfaces and terminated on the bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 1000
Router(config-if-srv)# bridge-domain 10
 
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 10
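
The tag manipulations configured in the examples above can be checked offline with a small model before they are applied to a port. This Python sketch is an added example, not Cisco code: it assumes that an encapsulation matches on the outermost tags of a frame and that symmetric means the egress direction applies the inverse of the ingress rewrite, and the service-instance labels are made up for the model.

```python
from dataclasses import dataclass


def vlan_range(spec):
    """'10' -> range(10, 11); '10-20' -> range(10, 21)."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


@dataclass(frozen=True)
class ServiceInstance:
    """One service instance: encapsulation match plus optional symmetric rewrite."""
    name: str
    encap: tuple          # ("10", "20"), ("10-20",) ...; () models 'encapsulation untagged'
    rewrite: tuple = ()   # ("pop", n) | ("push", tags) | ("translate", n, tags) | ()
    bridge_domain: int = 0

    def matches(self, tags):
        """True when the outermost tags of the frame satisfy the encapsulation."""
        if not self.encap:
            return not tags
        return len(tags) >= len(self.encap) and all(
            t in vlan_range(s) for t, s in zip(tags, self.encap))

    def ingress(self, tags):
        """Tag stack handed to the bridge domain, or None if the frame is not matched."""
        if not self.matches(tags):
            return None
        tags = list(tags)
        if not self.rewrite:
            return tags                       # tunneling: tags stay on the frame
        op = self.rewrite[0]
        if op == "pop":
            return tags[self.rewrite[1]:]
        if op == "push":
            return list(self.rewrite[1]) + tags
        if op == "translate":
            return list(self.rewrite[2]) + tags[self.rewrite[1]:]
        raise ValueError(f"unknown rewrite {op!r}")

    def fixed_encap(self, n):
        """The n tags the inverse rewrite restores; a VLAN range cannot be restored."""
        specs = self.encap[:n]
        if len(specs) < n or any("-" in s for s in specs):
            raise ValueError(f"{self.name}: {self.encap} does not give {n} fixed tag(s)")
        return [int(s) for s in specs]

    def egress(self, tags):
        """Inverse of the ingress rewrite, or None when the frame does not belong here."""
        tags = list(tags)
        if not self.rewrite:
            return tags if self.matches(tags) else None
        op = self.rewrite[0]
        if op == "pop":
            return self.fixed_encap(self.rewrite[1]) + tags
        added = list(self.rewrite[1] if op == "push" else self.rewrite[2])
        if tags[:len(added)] != added:
            return None                       # not a frame this rewrite produced
        rest = tags[len(added):]
        if op == "push":
            return rest if self.matches(rest) else None
        return self.fixed_encap(self.rewrite[1]) + rest


def bridge(instances, in_name, tags):
    """Frames emitted by the other service instances of the ingress bridge domain."""
    src = next(si for si in instances if si.name == in_name)
    inner = src.ingress(tags)
    if inner is None:
        return {}
    emitted = {}
    for si in instances:
        if si is not src and si.bridge_domain == src.bridge_domain:
            frame = si.egress(inner)
            if frame is not None:
                emitted[si.name] = frame
    return emitted


# Encapsulations and rewrites taken from the page's examples; names are model labels.
EFPS = [
    ServiceInstance("QinQ-200/20", ("200", "20"), ("pop", 2), 10),
    ServiceInstance("Te1/2:101", ("10",), ("pop", 1), 10),
    ServiceInstance("Te1/3:101", ("30",), ("pop", 1), 10),
    ServiceInstance("Te2/1:1", ("10", "20"), ("pop", 2), 200),   # double tag termination
    ServiceInstance("Te2/1:2", ("40", "30"), ("pop", 2), 200),
]
XLATE = ServiceInstance("Te3/1:10", ("10",), ("translate", 1, (200,)), 200)
SELECTIVE = ServiceInstance("Te1/1:1", ("10-20",), (), 200)       # selective QinQ
```

In this model a pop rewrite on a VLAN-range encapsulation raises an error on egress, because there is no single tag to put back.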

Verification

Use these commands to verify operation.

 

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Router# show ethernet service instance summary

Displays the overall count for service instances as well as the service instance count for individual interfaces.

Backup Interface for Flexible UNI

The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.

You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs are designated as primary and backup and have identical configurations. If the primary interface fails, the service is automatically transferred to the backup interface.

Figure 4-2 shows an example of how Flexible UNIs can be used when the Cisco 7600 series router is configured as a dual-homed N-PE (NPE1) and as a dual-homed U-PE (UPE2).

Figure 4-2 Backup Interface for Dual-Homed Devices

 


Note The configurations on the primary and backup interfaces must be identical.


The primary interface is the interface for which you configure a backup. During operation, the primary interface is active and the backup (secondary) interface operates in standby mode. If the primary interface goes down (due to loss of signal), the router begins using the backup interface.

While the primary interface is active (up) the backup interface is in standby mode. If the primary interface goes down, the backup interface transitions to the up state and the router begins using it in place of the primary. When the primary interface comes back up, the backup interface transitions back to standby mode. While in standby mode, the backup interface is effectively down and the router does not monitor its state or gather statistics for it.

This feature provides the following benefits:

  • Supports the following Ethernet virtual circuit (EVC) features:
      - Frame matching: EVC with any supported encapsulation (Dot1q, default, untagged).
      - Frame rewrite: Any supported (ingress and egress with push, pop, and translate).
      - Frame forwarding: MultiPoint Bridging over Ethernet (MPBE), xconnect, connect.
      - Quality of Service (QoS) on EVC.

  • Supports Layer 3 (L3) termination.
  • Supports several types of uplinks: MultiProtocol Label Switching (MPLS), Virtual Private LAN Service (VPLS), and switchports.

The Backup Interface for Flexible UNI feature makes use of these Ethernet components:

  • Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network. For more information about EVCs, see the “Troubleshooting” section.
  • Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface. An EVC that uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of every device that the EVC passes through.

Restriction and Usage Guidelines

Observe these restrictions and usage guidelines as you configure a backup interface for Flexible UNI on the router:

  • Hardware and software support:
      - Supported on Cisco 7600 Series ES+ and ES20 line cards.
      - Supported with the Route Switch Processor 720 and Supervisor Engine 720.
      - Requires Cisco IOS Release 12.2(33)SRD or later.

  • You can use the same IP address on both the primary and secondary interfaces. This enables the interface to support L3 termination (single or double tagged).
  • The configurations on the primary and backup interfaces must match. The router does not check that the configurations match; however, the feature does not work if the configurations are not the same.

Note If the configuration includes the xconnect command, you must specify a different VCID on the primary and backup interfaces.


  • The duplicate resources needed for the primary and secondary interfaces are taken from the total resources available on the router and thus affect available resources. For example, each xconnect command consumes resources on both the primary and backup interfaces.
  • Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect, and connect commands) transition up or down as the interface itself transitions between states.
  • Switchover time between primary and backup interfaces is best effort. The time it takes the backup interface to transition from standby to active mode depends on the link-state detection time and the amount of time needed for EVCs and their features to transition to the up state.
  • Configuration changes and administrative actions made on the primary interface are automatically reflected on the backup interface.
  • The router monitors and gathers statistics for the active interface only, not the backup. During normal operation, the primary interface is active; however, if the primary goes down, the backup becomes active and the router begins monitoring and gathering statistics for it.
  • When the primary interface comes back up, the backup interface always transitions back to standby mode. Once the signal is restored on the primary interface, there is no way to prevent the interface from being restored as the primary.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type slot/port

4. backup interface type interface


Note You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the “Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards” section and the “Configuring Any Transport over MPLS” section.


5. (Optional) backup delay enable-delay disable-delay

6. (Optional) backup load enable-percent disable-percent

7. exit

8. (Optional) connect primary interface srv-inst interface srv-inst

9. (Optional) connect backup interface srv-inst interface srv-inst

10. (Optional) connect primary interface srv-inst1 interface srv-inst2

11. (Optional) connect backup interface srv-inst1 interface srv-inst2

12. exit

DETAILED STEPS

 

Command or Action
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

Router(config)# interface type slot/port



 

 

Router(config)# interface gigabitethernet 3/1

Selects the primary interface. This is the interface you are creating a backup interface for. For example, interface gigabitEthernet 3/1 selects the interface for port1 of the Gigabit Ethernet card installed in slot 3.

  • type specifies the interface type. Valid values are gigabitethernet or tengigabitethernet.
  • slot/port specifies the location of the interface.

Step 4

Router(config-if)# backup interface type interface

 

Router(config-if)# backup interface gigabitethernet 4/1

Selects the interface to serve as a backup interface.

Note You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the “Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards” section and the “Configuring Any Transport over MPLS” section.

Step 5

Router(config-if)# backup delay enable-delay disable-delay

Router(config-if)# backup delay 0 0

(Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.

  • enable-delay is the amount of time to wait after the primary interface goes down before bringing up the backup interface.
  • disable-delay is the amount of time to wait after the primary interface comes back up before restoring the backup interface to the standby (down) state.

Note For the backup interface for Flexible UNI feature, do not change the default delay period (0 0) or the feature may not work correctly.

Step 6

Router(config-if)# backup load enable-percent disable-percent

 

Router(config-if)# backup load 50 10

(Optional) Specifies the thresholds of traffic load on the primary interface (as a percentage of the total capacity) at which to enable and disable the backup interface.

  • enable-percent—Activate the backup interface when the traffic load on the primary exceeds this percentage of its total capacity.
  • disable-percent—Deactivate the backup interface when the combined load of both primary and backup returns to this percentage of the primary interface’s capacity.

Applying the settings from the example to a primary interface with 10-Mbyte capacity, the router enables the backup interface when traffic load on the primary exceeds 5 Mbyte (50%), and disables the backup when combined traffic on both interfaces falls below 1 Mbyte (10%).

Step 7

exit

 

Router(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 8

Router(config)# connect primary interface srv-inst interface srv-inst

 

Router(config)# connect primary gi3/2 gi3/3

(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.

The connect primary command creates a connection between primary interfaces.

Step 9

Router(config)# connect backup interface srv-inst interface srv-inst

 

Router(config)# connect backup gi4/2 gi4/2

(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.

The connect backup command creates a connection between backup interfaces.

Step 10

Router(config)# connect primary interface srv-inst1 interface srv-inst2

 

Router(config)# connect primary gi3/2 gi3/3

(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.

Use the connect primary command to create a connection on a primary interface.

Step 11

Router(config)# connect backup interface srv-inst1 interface srv-inst2

 

Router(config)# connect backup gi4/2 gi4/3

(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.

Use the connect backup command to create a connection on a backup interface.

Step 12

exit

 

Router(config-if)# exit

Exits interface configuration mode.


Note If you have configured any interface (L3, Switchport, or EVC) with the backup interface command, do not run the shutdown command on the active interface. If you run shutdown, the standby interface also goes down.


The following example shows a sample configuration in which:

  • gi3/1 is the primary interface and gi4/1 is the backup interface.
  • Each interface supports two service instances (2 and 4), and each service instance uses a different type of forwarding (bridge-domain and xconnect).
  • The xconnect command for service instance 2 uses a different VCID on each interface.
 
Router# enable
Router# configure terminal
Router(config)# interface gi3/1
Router(config-if)# backup interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 2 encap mpls
 
Router(config)# interface gi4/1
 
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 5 encap mpls
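
Because the router does not check that the primary and backup interfaces carry matching service instances, that check has to be made outside the device. The following Python sketch is an added example (not Cisco tooling and not part of this guide): it parses a pasted configuration session such as the one above and reports service instances that differ between a backup interface pair or that reuse an xconnect VCID. The function names and the second, deliberately broken sample are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\S+#\s*")   # strips "Router(config-if)# " from a pasted session
XCONNECT = re.compile(r"^xconnect\s+(\S+)\s+(\d+)\s*(.*)$")
# Service-instance commands the page says must be mirrored on both interfaces.
SRV_CMDS = {"encapsulation", "rewrite", "bridge-domain", "xconnect"}


def parse_interfaces(text):
    """Return {interface: {"backup": name or None, "instances": {id: [commands]}}}.

    Interface names are compared as written (lowercased, spaces removed);
    abbreviations such as gi/GigabitEthernet are not expanded.
    """
    interfaces, cur_if, cur_si = {}, None, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).lower().split()
        if not words:
            continue
        if words[0] == "interface":
            cur_if = interfaces.setdefault(
                "".join(words[1:]), {"backup": None, "instances": {}})
            cur_si = None
        elif cur_if is None:
            continue
        elif words[:2] == ["backup", "interface"]:
            cur_if["backup"] = "".join(words[2:])
        elif words[:2] == ["service", "instance"] and len(words) > 2:
            cur_si = cur_if["instances"].setdefault(words[2], [])
        elif cur_si is not None and words[0] in SRV_CMDS:
            cur_si.append(" ".join(words))
    return interfaces


def split_vcid(cmd):
    """Return (command with the VCID masked, VCID) for xconnect, else (cmd, None)."""
    m = XCONNECT.match(cmd)
    return (f"xconnect {m.group(1)} * {m.group(3)}", m.group(2)) if m else (cmd, None)


def audit_backup_pairs(text):
    """List of findings for every 'backup interface' pair in the configuration."""
    interfaces, findings = parse_interfaces(text), []
    for primary, cfg in interfaces.items():
        backup = cfg["backup"]
        if backup is None:
            continue
        if backup not in interfaces:
            findings.append(f"{primary}: backup {backup} has no configuration")
            continue
        p_si, b_si = cfg["instances"], interfaces[backup]["instances"]
        for sid in sorted(set(p_si) | set(b_si), key=int):
            if sid not in p_si or sid not in b_si:
                side = backup if sid not in b_si else primary
                findings.append(f"service instance {sid}: missing on {side}")
                continue
            p = [split_vcid(c) for c in p_si[sid]]
            b = [split_vcid(c) for c in b_si[sid]]
            if sorted(c for c, _ in p) != sorted(c for c, _ in b):
                findings.append(
                    f"service instance {sid}: commands differ between {primary} and {backup}")
            shared = {v for _, v in p if v} & {v for _, v in b if v}
            if shared:
                findings.append(
                    f"service instance {sid}: xconnect VCID {sorted(shared)[0]} reused on {backup}")
    return findings


# The page's sample configuration, split into its primary and backup halves.
PRIMARY = """\
Router(config)# interface gi3/1
Router(config-if)# backup interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 2 encap mpls
"""
BACKUP = """\
Router(config)# interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 5 encap mpls
"""
PAGE_SAMPLE = PRIMARY + BACKUP
# Constructed variant: wrong encapsulation on the backup and a reused VCID.
BROKEN_SAMPLE = PRIMARY + (BACKUP.replace("encapsulation dot1q 4", "encapsulation dot1q 5")
                           .replace("10.0.0.0 5", "10.0.0.0 2"))
```

`audit_backup_pairs(PAGE_SAMPLE)` returns an empty list, while the constructed variant yields one finding for the reused VCID and one for the mismatched encapsulation.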

Verification

This section lists the commands to display information about the primary and backup interfaces configured on the router. In the examples that follow, the primary interface is gi3/1 and the secondary (backup) interface is gi3/11.

  • To display a list of backup interfaces, use the show backup command in privileged EXEC mode. Our sample output shows a single backup (secondary) interface:
 
Router# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet 3/1 GigabitEthernet 3/11 normal operation
 
 
  • To display information about a primary or backup interface, use the show interfaces command in privileged EXEC mode. Issue the command on the interface for which you want to display information. The following examples show the output displayed when the command is issued on the primary (gi3/1) and backup (gi3/11) interfaces:
 
Router# show interface gi3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet 3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
[…]
 
Router# show interface gi3/11
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)

If the primary interface goes down, the backup (secondary) interface is transitioned to the up state, as shown in the command output that follows. Notice how the command output changes if you reissue the show backup and show interfaces commands at this time: the show backup status changes, the line protocol for gi3/1 is now down (notconnect), and the line protocol for gi3/11 is now up (connected).

 
Router# !!! Link gi3/1 (active) goes down…
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up
 
Router# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/1 GigabitEthernet3/11 backup mode
 
Router# show interface gi3/1
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,
 
Router# show interface gi3/11
GigabitEthernet3/11 is up, line protocol is up (connected)

Verification: show interface Command

If slot 2 on the router has an ES+ 40 LC (primary interface), and slot 3 has ES 20 LC (backup interface), the show interface command displays the following output:

7609-PE-AGG-1#show backup
Primary Interface Secondary Interface Status
------------------------- ------------------------- ------
GigabitEthernet2/24 GigabitEthernet3/0/6 normal operation
7609-PE-AGG-1#sh int gi2/24
GigabitEthernet2/24 is up, line protocol is up (connected)
Hardware is X40G 1Gb 802.3, address is 6400.f175.9e00 (bia 6400.f175.9e00)
Description: *******Connected to UPE-1 Gig2/24**********
Backup interface GigabitEthernet3/0/6, failure delay 0 sec, secondary disable delay 0 sec,
kickin load not set, kickout load not set
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, clock source internal, media type is SX
input flow-control is off, output flow-control is off
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:42, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 7441000 bits/sec, 1117 packets/sec
5 minute output rate 3550000 bits/sec, 641 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 745 pkt, 362690 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
9464396 packets input, 7774746838 bytes, 0 no buffer
Received 4101619 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
5457466 packets output, 3714363660 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
7609-PE-AGG-1#sh int gi3/0/6
GigabitEthernet3/0/6 is standby mode, line protocol is down (disabled)
Hardware is GigEther SPA, address is 6400.f175.9e00 (bia 6400.f175.9e00)
Description: **connected to UPE-1 Gig2/6 **
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 1000Mb/s
input flow-control is off, output flow-control is off
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

Note On ES+ line cards, when you run the show interface command, Layer 2 multicast packets are accounted under the Broadcast category.


Example

Figure 4-3 shows a sample configuration of a backup interface for Flexible UNI. The configuration includes several EVCs (service instances), configured as follows:

  • Service instance 4 is configured on primary and backup interfaces (links) that terminate in a bridge domain, with a VPLS uplink onto network provider edge NPE12.
  • Service instance 2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS on NPE12.

Figure 4-3 Backup Interface for Flexible UNI Configuration

 

This is the configuration at NPE10:

interface ge2/4.4
description npe10 to npe11 gi3/11 – backup - bridged
encapsulation dot1q 4
ip address 100.4.1.33 255.255.255.0
 
interface ge2/4.2
description npe10 to npe11 gi3/11 – backup – xconnect
encapsulation dot1q 2
ip address 100.2.1.33 255.255.255.0
 

This is the configuration at NPE14:

interface ge1/3.4
description npe14 to npe11 gi3/1 – primary - bridged
encapsulation dot1q 4
ip address 100.4.1.22 255.255.255.0
 
interface ge1/3.2
description npe14 to npe11 gi3/1 – primary - xconnect
encapsulation dot1q 2
ip address 100.2.1.22 255.255.255.0
 

This is the configuration at 72a, at the user-facing provider edge (U-PE):

interface fa1/0.4
description 72a to npe12 – bridged
encapsulation dot1q 4
ip address 100.4.1.12 255.255.255.0
 
interface fa1/0.2
description 72a to npe12 - xconnect
encapsulation dot1q 2
ip address 100.2.1.12 255.255.255.0
 

This is the configuration at NPE11:

interface gigabitEthernet 3/1
backup interface gigabitEthernet 3/11
service instance 2 ethernet
encapsulation dot1q 2
rewrite ingress tag pop 1 symmetric
xconnect 12.0.0.1 2 encapsulation mpls
service instance 4 ethernet
encapsulation dot1q 4
rewrite ingress tag pop 1 symmetric
bridge-domain 4
 
interface gigabitEthernet 3/11
service instance 2 ethernet
encapsulation dot1q 2
rewrite ingress tag pop 1 symmetric
xconnect 12.0.0.1 21 encapsulation mpls
service instance 4 ethernet
encapsulation dot1q 4
rewrite ingress tag pop 1 symmetric
bridge-domain 4
 

This is the configuration at NPE12:

interface GE-WAN 4/3
description npe11 to npe12
ip address 10.3.3.1 255.255.255.0
mpls ip
l2 vfi vlan4 manual
vpn id 4
neighbor 12.0.0.1 4 encapsulation mpls
interface Vlan 4
xconnect vfi vlan4
 
l2 vfi vlan4 manual
vpn id 4
neighbor 11.0.0.1 4 encap mpls
interface Vlan4
description npe12 to npe11 xconnect
xconnect vfi vlan4
l2 vfi vlan2 manual
vpn id 2
neighbor 11.0.0.1 2 encap mpls
neighbor 11.0.0.1 21 encap mpls
interface Vlan2
xconnect vfi vlan2
interface GE-WAN 9/4
description npe12 to npe11
ip address 10.3.3.2 255.255.255.0
mpls ip
 
interface fastEthernet 8/2
description npe12 to 72a
switchport
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 2-4
 

The primary interface is enabled:

NPE 11# show backup
Primary interface Secondary interface Status
--------------------------------------------
GigabitEthernet3/1GigabitEthernet3/11 normal operation
NPE-11#sh int gi3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,kicking load not set, kickout load not set,
[...]
NPE-11# show interface gi3/11
GigabitEthernet 3/11 is standby mode, line protocol is down (disabled)
 

The primary link is disabled:

NPE 11#!!!Link gi3/1 (active) goes down
22:11:11: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to down
22:11:12: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to up
22:11:12: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/11, changed state to up
NP-11# show backup
Primary interface Secondary interface Status
--------------------------------------------
GigabitEthernet3/1GigabitEthernet3/11 backup mode
NP-11#sh int gi3/1
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec
NPE-11#sh int gi3/11
GigabitEthernet 3/11 is up, line protocol is up (connected)

Troubleshooting

Table 4-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.

Table 4-5 Troubleshooting Scenarios for backup interface of the Flexible UNI feature

Problem
Solution

The backup interface is in a standby state or the line protocol is down

Use the show interfaces command on the specific interface in privileged EXEC mode to display interface and line protocol details. Share the output with TAC for further investigation.

This is sample output of the command when it is run on the primary (gi3/0/0) and backup (gi3/0/11) interfaces:

NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay
0 sec, kickin load not set, kickout load not set
[...]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)

EVC On Port-Channel

An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.

For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see Configuring EtherChannels at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/channel.html .

The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types.

Load balancing is accomplished on an Ethernet flow point (EFP) basis, where a number of EFPs exclusively pass traffic through member links. With default load balancing, you have no control over how the EFPs are grouped together, and sometimes the EFP grouping may not be ideal. To avoid this, use manual load balancing to control the EFP grouping.

Restrictions and Usage Guidelines

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:

  • All member links of the port-channel are on Cisco 7600-ES+ line cards.
  • Bridge-domain, xconnect, connect EVCs, switchports, and IP subinterfaces are allowed over the port-channel interface and the main interface.
  • The EFP limit decreases with the number of member links on the NP. For instance, if there are 4 members within the same NP, the EVC limit on the NP decreases to 2000, that is (8000/4).

Note For a switchport (not for data traffic), use the service instance ethernet command to create a service instance to support OAM requirements.


  • If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.
  • A physical port that is part of an EVC port-channel cannot have switchport configuration.
  • The total number of port-channel EVCs per box is 16000.
  • Statically configuring port-channel membership with LACP is not supported.
  • You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS.
  • You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policy-maps or in the parent of HQoS policy-maps.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel number

4. [no] ip address

5. [no] service instance id Ethernet [service-name]

6. encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

8. [no] bridge-domain bridge-id or xconnect vfi vfi name

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface port-channel number

 

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 4

[no] ip address

 

Router(config-if)# no ip address

Assigns a subnet mask to the ethernet channel.

Step 5

[no] service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6

encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

 

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Step 8

[no] bridge-domain bridge-id

or

xconnect vfi vfi name

 

Router(config-if-srv)# bridge-domain 12

The bridge-domain command binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

The xconnect command specifies the Layer 2 VFI that you are binding to the VLAN port.

Examples

This example shows a single port-channel interface created with three possible member links from slots 1 and 2:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel5
Router(config-if)# interface GigabitEthernet 2/1
Router(config-if)# channel-group 5 mode on
 

This example shows a sample configuration for scalable EoMPLS and EVC connect.

Router#enable
Router#configure terminal
Router(config)#interface GigabitEthernet 3/0/0
Router(config-if)#service instance 10 ethernet
Router(config-if-srv)#encapsulation dot1q 20
Router(config-if-srv)#rewrite ingress tag pop 1 sym
Router(config-if-srv)#exit
Router(config-if)#exit
Router(config)#interface GigabitEthernet 3/0/1
Router(config-if)#service instance 12 ethernet
Router(config-if-srv)#encapsulation dot1q 30
Router(config-if-srv)#rewrite ingress tag pop 1 sym
Router(config-if-srv)#exit
Router(config-if)#exit
Router(config)#connect TEST GigabitEthernet 3/0/0 10 GigabitEthernet 3/0/1 12
Router#sh connection all
 
ID Name Segment 1 Segment 2 State
================================================================================
57 TEST Gi3/0/0:10 Gi3/0/1:12 UP
 

This is a typical QoS configuration.

Router# enable
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500
 

Use the following commands to verify the configuration.

 

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detailed option provides additional information on the EVC.

Router# show ethernet service instance interface port-channel number [summary]

Displays the summary of all the configured EVCs within the interface.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show mpls l2 transport vc detail

Displays detailed information related to the virtual connection (VC).

Router# show mpls forwarding

Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB).

Note Output should have the label entry l2ckt.

Router# show etherchannel summary

Displays the states and ports of all EtherChannel groups.

Router# show policy-map interface service instance

Displays the policy-map information for a given service instance.

Troubleshooting

Table 4-6 provides the troubleshooting solutions for the EVC on a Port-Channel.

Table 4-6 Troubleshooting Scenarios for EVC on a Port-Channel

Problem
Solution

Port data block issues in port channel

Use the show ethernet service interface [interface-id] [detail] command to view information on the port data. Share the output with TAC for further investigation.

Issues with platform events or errors

Use the debug platform npc custom-ether client [event, error] command to debug and trace platform issues. Share the output with TAC for further investigation.

Configuring SPAN on EVC

Currently, traffic mirroring, lawful intercept, or Switched Port Analyzer (SPAN) on a per-service-instance basis is unavailable.

The existing command line interface supports configuring an interface and a VLAN as the local SPAN source. The same command line interface is enhanced to accept service instance IDs along with the interface. Because an EVC is supported only for the local SPAN session, service instance options for the SPAN source are added in the local SPAN configuration submode.

You configure SPAN to intercept traffic in three ways:

  • SPAN on Port: The traffic on all EVCs on the port or port channel is included for a SPAN session along with routed traffic on that port.
  • SPAN on VLAN: The traffic on all EVC bridge-domains with the same VLAN is included for a SPAN session along with other switchports on the same VLAN.
  • SPAN on EVC: The traffic on a given EFP or a set of EFPs is included for a SPAN session.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while configuring SPAN on EVC:

  • Only Local SPAN is supported.
  • EVC SPAN is effective only if the EVC is on the ES+ line card.
  • EVC as a SPAN destination is not supported.
  • Egress SPAN packet does not undergo QoS processing.
  • If a combination of switchports and EVC bridge-domains exists, then in the flood case the packets on both are spanned. VLAN and SPAN are configured in the transmit direction on the source port.
  • If a combination of different EVC bridge-domains exists, then in the flood case the packets on all the EVCs are spanned. VLAN and SPAN are configured in the transmit direction on the source port.
  • EVC SPAN does not work with multiple destination ports.
  • For EVCs configured as a part of more than one SPAN session (EVC, VLAN, or port), traffic is monitored on only one session.
  • EFPs and VLAN cannot be configured as source in the same monitor session.
  • For a 10G port, the aggregate of ingress traffic and SPAN traffic cannot exceed 10G.
  • For a 10G port with port-shaper, the aggregate of port traffic and SPAN traffic cannot exceed the port-shaper.
  • For a 1G port, the total SPAN traffic can be as high as 10G, but due to network processor limitations and fabric bottleneck, the net traffic can be reduced.

Configuring SPAN on EVC

Complete the following steps to configure SPAN on EVC.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel number

4. [no] ip address

5. [no] service instance id Ethernet [service-name]

6. encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

8. exit

9. monitor session local_span_session_number type [local | local-tx]

10. source {interface | service instance | vlan}{GigabitEthernet |Port-channel | TenGigabitEthernet} [ rx | tx | both ]

11. destination interface {GigabitEthernet |Port-channel | TenGigabitEthernet}

12. [no] shutdown

13. end

DETAILED STEPS

 

Command
Purpose

Step 1

enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Enters global configuration mode.

Step 3

interface port-channel number

Creates the port-channel interface.

Step 4

[no] ip address

Assigns a subnet mask to the ethernet channel.

Step 5

[no] service instance id Ethernet [service-name]

Creates a service instance (an instantiation of an EVC) on an interface and sets the device to the ethernet service configuration submode.

Step 6

encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

Defines the matching criteria to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

Specifies the tag manipulation on the frame ingress to the service instance.

Step 8

exit

Exits to global configuration mode.

Step 9

monitor session local_span_session_number type [local | local-tx]

Configures a monitor session using a SPAN session number and enters the SPAN session configuration mode.

Step 10

source {interface | service instance | vlan}{GigabitEthernet |Port-channel | TenGigabitEthernet} [ rx | tx | both ]

Associates the SPAN session number with source ports, VLANs, or EVC, and selects the traffic direction to be monitored.

Step 11

destination interface {GigabitEthernet |Port-channel | TenGigabitEthernet}

Associates the SPAN session number with the destinations.

Step 12

no shutdown

Activates the SPAN session.

Step 13

end

Exits configuration mode.

Sample Configuration

This is an example for configuring SPAN on EVC.

Router# enable
Router# configure terminal
Router(config)# interface port-channel 11
Router(config-if)# no ip address
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 13
Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Router(config-if-srv)# exit
Router(config)# monitor session 1 type local
Router(config-mon-local)# source service instance 2 - 100 Port-channel 1 both
Router(config-mon-local)# destination interface Port-channel 3
Router(config-mon-local)# no shut
Router(config-mon-local)# end

Verifying SPAN on EVC

This section provides the commands to verify the SPAN configuration.

Router# show monitor session 1
Session 1
---------
Type : Local Session
Status : Admin Enabled
Source EFPs :
Both : Po1: 2-100
Destination Ports : Po3
 
Router# show run | section monitor
monitor session 1 type local
source service instance 2 - 100 Port-channel1
destination interface Po3
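
Because a SPAN session copies service traffic to another port, it is worth auditing the monitor sessions against the restrictions listed earlier before a change is applied. The following Python is an added example, not Cisco code: it parses text in the `show run | section monitor` form shown above and flags three of those restrictions. The rule names and sample sessions 2 and 3 are constructed for illustration, and only the single-ID and `N - M` range forms of `source service instance` are assumed.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^monitor session (\d+) type (\S+)", re.I)
EFP_SRC = re.compile(
    r"^source service instance (\d+)(?:\s*-\s*(\d+))?\s+([a-z-]+)\s*([\d/]+)"
    r"(?:\s+(rx|tx|both))?$", re.I)
PORT_SRC = re.compile(r"^source interface ([a-z-]+)\s*([\d/]+)", re.I)
DEST = re.compile(r"^destination interface (.+)$", re.I)

# Session 1 is the page's verification output; sessions 2 and 3 are constructed.
SAMPLE = """\
monitor session 1 type local
source service instance 2 - 100 Port-channel1
destination interface Po3
monitor session 2 type local
 source service instance 10 GigabitEthernet3/0/1 rx
 source vlan 20
 destination interface GigabitEthernet3/0/5
 destination interface GigabitEthernet3/0/6
monitor session 3 type local-tx
 source service instance 50 Port-channel 1 tx
 destination interface GigabitEthernet3/0/7
"""


def parse_sessions(text):
    """Parse monitor-session config text into {session id: details}."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"type": m.group(2).lower(), "efps": set(), "ports": set(),
                   "vlan_source": False, "dests": []}
            sessions[int(m.group(1))] = cur
            continue
        if cur is None or not line:
            continue
        m = EFP_SRC.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or first)
            # "Port-channel 1" and "Port-channel1" normalise to the same key.
            port = (m.group(3) + m.group(4)).lower()
            cur["efps"].update((port, i) for i in range(first, last + 1))
        elif (m := PORT_SRC.match(line)):
            cur["ports"].add((m.group(1) + m.group(2)).lower())
        elif line.lower().startswith("source vlan"):
            cur["vlan_source"] = True
        elif (m := DEST.match(line)):
            cur["dests"] += [d.strip() for d in m.group(1).split(",") if d.strip()]
    return sessions


def lint(sessions):
    """Return sorted (session id, rule) findings for the restrictions on this page."""
    findings = set()
    efp_owner = defaultdict(set)          # (port, EFP id) -> sessions sourcing it
    for sid, s in sessions.items():
        # "EFPs and VLAN cannot be configured as source in the same monitor session."
        if s["efps"] and s["vlan_source"]:
            findings.add((sid, "efp-and-vlan-source"))
        # "EVC SPAN does not work with multiple destination ports."
        if s["efps"] and len(s["dests"]) > 1:
            findings.add((sid, "multiple-destinations"))
        for efp in s["efps"]:
            efp_owner[efp].add(sid)
    # An EVC in more than one session (EVC or port) is monitored on only one of them.
    # VLAN overlap needs the bridge-domain mapping, which this input does not carry.
    for owners in efp_owner.values():
        if len(owners) > 1:
            findings.update((sid, "efp-in-multiple-sessions") for sid in owners)
    efp_ports = {sid: {port for port, _ in s["efps"]} for sid, s in sessions.items()}
    for sid, s in sessions.items():
        for other, ports in efp_ports.items():
            if other != sid and s["ports"] & ports:
                findings.update({(sid, "efp-in-multiple-sessions"),
                                 (other, "efp-in-multiple-sessions")})
    return sorted(findings)


if __name__ == "__main__":
    for session_id, rule in lint(parse_sessions(SAMPLE)):
        print(f"session {session_id}: {rule}")
```

Interface names are compared after lowercasing and removing spaces only, so abbreviated names such as `Po1` are not matched against `Port-channel1`.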

Troubleshooting

For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this location:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Information About ERSPAN on EVC

Cisco 7600 routers support the Encapsulated Remote Switched Port Analyzer (ERSPAN) feature on a per service instance basis. It is the Ethernet Virtual Circuits (EVC) infrastructure that supports remote monitoring and troubleshooting on a per service instance basis. ERSPAN on EVC is supported on ES+ line cards.

Interception of traffic on EVC can be configured in the following ways:

  • ERSPAN on Port: The configuration includes traffic on EVCs, switchports and routed traffic on the port.
  • ERSPAN on VLAN: The configuration includes traffic on all EVC BDs in the box (on port or port channel) with the same VLAN for a SPAN session along with other switch ports on the same VLAN.
  • ERSPAN on EVC: The configuration includes traffic on a given EFP or a set of EFPs (on port or port channel) for a SPAN session.

SPAN, sometimes called port mirroring or port monitoring, allows network traffic to be analyzed by a network analyzer such as a Cisco Switch Probe or other Remote Monitoring (RMON) probes. SPAN lets you monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports where the network analyzer is attached.

ERSPAN monitors traffic on multiple network devices across an IP network, and sends that traffic in an encapsulated envelope to destination analyzers. ERSPAN can be used to monitor traffic remotely.

ERSPAN monitors ingress, egress, or both kinds of network traffic. Encapsulated ERSPAN packets are routed from a host through the routed network to the destination device where they are decapsulated and forwarded to the attached network analyzer. The destination may also be on the same Layer 2 or Layer 3 network as the source.

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE encapsulated traffic, and an ERSPAN destination session.

EVCs define a Layer 2 bridging architecture that supports Ethernet services. EVC supports service convergence over Ethernet. An EVC is a conceptual service pipe within a service provider network. Metro-Ethernet Forum (MEF) defines EVC as an association between two or more user network interfaces that identifies a point-to-point or multipoint-to-multipoint path within the service provider network.

EVC is the device local object (container) for network-wide service parameters and provides one-to-many mapping from EVC to Service Instance. Its support extends to a mix of Layer 2 and Layer 3 services on the same physical port.

EVC allows routers to reach multiple intranet and extranet locations from a single physical port. Routers see subinterfaces through which they access other routers.

Bridge Domain (BD) is the Ethernet Broadcast Domain local to a device. It exists separately from VLANs. BD provides a one-to-many mapping from BD to service instances.

An Ethernet service instance is a transport-agnostic abstraction of an Ethernet service on an interface. A service instance classifies frames belonging to a particular Ethernet service. It applies features selectively to service frames, and defines forwarding actions and behavior.

Restrictions for ERSPAN on EVC Configuration

  • EVC ERSPAN is effective only if the EVC is on an ES+ line card.
  • EVC is not supported as ERSPAN destination.
  • Egress ERSPAN packets do not undergo QoS processing.
  • For egress SPAN configurations with a VLAN as the source, where the VLAN is also part of BD and switchport for the router, all traffic that goes on the VLAN is replicated and spanned.
  • Many service instances having the same BD results in a mix of BDs. In such situations, for egress SPAN configurations with VLAN as source, there is random selection and spanning. All EVCs are not spanned; single EVCs are randomly selected and spanned.
  • Existing implementations restrict the configuring of SPAN source as both interface and VLANs. The same restriction applies to EFP configurations. If the SPAN source is VLAN, then the interface or EFP cannot be the source.
  • Encapsulation requires a dedicated tunnel. When egress monitored traffic moves out of the tunnel interface to the remote router it allows no other traffic on the router.

Configuring the Source Session for ERSPAN on EVC

DETAILED STEPS

 

Command
Purpose

Step 1

enable

Example

rtr1# enable

Enables the privileged EXEC mode. Enter your password, if prompted.

Step 2

configure terminal

Example

rtr1# configure terminal

Enters the global configuration mode.

Step 3

monitor session session number type erspan-source

Example

rtr1(config)#monitor session 1 type erspan-source

Configures an ERSPAN source session number, and enters the ERSPAN source session configuration mode for the session.

Step 4

service instance range of EFPs interface source interface

Example

rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1

Configures the service instance range, and specifies the sub-interface with slot and port number.

Creates a service instance (an instantiation of an EVC) on an interface, and sets the device into the service instance submode.

Step 5

no shutdown

Example

rtr1(config-mon-erspan-src)#no shutdown

Enables the ERSPAN session, and saves it in the running configuration.

By default, the session is created in the shut state.

Step 6

destination

Example

rtr1(config-mon-erspan-src)#destination

Enters the ERSPAN source session destination configuration mode, and associates the SPAN session number with the destination.

Step 7

ip address ip address

Example

rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2

Configures the ERSPAN flow destination IP address, which must also be configured on an interface on the destination router and be entered in the ERSPAN destination session configuration.

Step 8

origin ip address ip address

Example

rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10

Configures the encapsulated packet Layer 3 source address.

Step 9

erspan-id erspan identifier

Example

rtr1(config-mon-erspan-src-dst)#erspan-id 100

Adds an ERSPAN ID to the session configuration. Configures the ID number used by the source and the destination sessions to identify the ERSPAN traffic.

This number is unique and within the limits permitted. It is identical for the source and the destination.

Step 10

end

Example

rtr1(config-mon-erspan-src-dst)#end

Exits the configuration mode.

Configuration Examples for ERSPAN on EVC Source Session

rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end

Note If the configurations exclude TX or RX, ERSPAN monitors both ingress and egress traffic.


The configuration examples for ERSPAN source session for ingress and egress traffic are as follows:

rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1 TX
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
 
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1 RX
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end

 

The following examples show ERSPAN on port channel configurations:

ERSPAN on Port-channel
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
 
ERSPAN on Port-channel(tx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1 tx
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
 
Port-channel (rx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1 rx
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end

Configuring the Destination Session for ERSPAN on EVC

DETAILED STEPS

Command
Purpose

Step 1

enable

Example

rtr3# enable

Enables the privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example

rtr3# configure terminal

Enters the global configuration mode.

Step 3

monitor session session number type erspan-destination

Example

rtr3(config)#monitor session 1 type erspan-destination

Configures an ERSPAN destination session number, and enters the ERSPAN destination session configuration mode for the session.

Step 4

destination interface interface slot/port

Example

rtr3(config-mon-erspan-dst)#destination interface GigabitEthernet7/19

Enters the ERSPAN destination session destination configuration mode, associates the SPAN session number with the destination, and specifies the sub-interface with slot and port number.

Step 5

no shutdown

Example

rtr3(config-mon-erspan-dst)#no shutdown

Enables the ERSPAN session and saves it in the running configuration.

By default, the session is created in the shut state.

Step 6

source

Example

rtr3(config-mon-erspan-dst)#source

Enters the ERSPAN destination session source configuration mode.

Step 7

ip address ip address

Example

rtr3(config-mon-erspan-dst-src)#ip address 40.40.40.2

Configures the ERSPAN flow destination IP address, which must also be configured on an interface on the destination router, and entered in the ERSPAN destination session configuration.

Step 8

erspan-id erspan identifier

Example

rtr3(config-mon-erspan-dst-src)#erspan-id 100

Adds an ERSPAN ID to the session configuration. Configures the ID number used by the source and destination sessions to identify the ERSPAN traffic.

This number is unique and within the prescribed limits. It is identical for the source and the destination.

Step 9

end

Example

rtr3(config-mon-erspan-dst-src)#end

Exits the configuration mode.

ERSPAN on EVC: Destination Session Configuration Example

rtr3(config)#monitor session 1 type erspan-destination
rtr3(config-mon-erspan-dst)#destination interface GigabitEthernet7/19
rtr3(config-mon-erspan-dst)#no shutdown
rtr3(config-mon-erspan-dst)#source
rtr3(config-mon-erspan-dst-src)#ip address 40.40.40.2
rtr3(config-mon-erspan-dst-src)#erspan-id 100
rtr3(config-mon-erspan-dst-src)#end

Verification of ERSPAN on EVC Configuration

Use the following command to verify the ERSPAN on EVC configurations:

show monitor session all

Verification Example for ERSPAN on EVC

rtr1#show monitor session all
Session 1
---------
Type : ERSPAN Destination Session
Status : Admin Disabled
Source IP Address : 1.1.1.1
Source ERSPAN ID : 100
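
The source and destination sessions only carry mirrored traffic when their ERSPAN ID and flow IP address agree and both sessions have been taken out of the default shut state. The following Python check is an added example, not part of the Cisco guide: it parses the two example transcripts from this section (embedded as input) and reports mismatches. The function names and finding texts are assumptions of this sketch.

```python
import re

# Input: the source (rx) and destination session examples from this section.
SOURCE_CLI = """\
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1 rx
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
"""
DEST_CLI = """\
rtr3(config)#monitor session 1 type erspan-destination
rtr3(config-mon-erspan-dst)#destination interface GigabitEthernet7/19
rtr3(config-mon-erspan-dst)#no shutdown
rtr3(config-mon-erspan-dst)#source
rtr3(config-mon-erspan-dst-src)#ip address 40.40.40.2
rtr3(config-mon-erspan-dst-src)#erspan-id 100
rtr3(config-mon-erspan-dst-src)#end
"""

PROMPT = re.compile(r"^\S+?\(config[^)]*\)#\s*")  # strips "rtr1(config-...)#"


def parse_session(cli):
    """Collect the fields of one ERSPAN session from a CLI transcript."""
    s = {"type": None, "enabled": False, "ip": None, "origin": None,
         "erspan_id": None, "sources": [], "dest_if": None}
    for raw in cli.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"monitor session \d+ type (erspan-\S+)$", line):
            s["type"] = m[1]
        elif line == "no shutdown":
            s["enabled"] = True
        elif line == "shutdown":
            s["enabled"] = False
        elif m := re.match(r"origin ip address (\S+)$", line):
            s["origin"] = m[1]
        elif m := re.match(r"ip address (\S+)$", line):
            s["ip"] = m[1]
        elif m := re.match(r"erspan-id (\d+)$", line):
            s["erspan_id"] = int(m[1])
        elif m := re.match(r"destination interface (\S+)$", line):
            s["dest_if"] = m[1]
        elif m := re.match(r"source (.+)$", line):  # bare "source" is a submode
            s["sources"].append(m[1])
    return s


def check_pair(src, dst):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if src["type"] != "erspan-source" or dst["type"] != "erspan-destination":
        findings.append("session types are not a source/destination pair")
    for name, s in (("source", src), ("destination", dst)):
        if not s["enabled"]:
            findings.append(f"{name} session is shut (the default state)")
    if src["erspan_id"] is None or src["erspan_id"] != dst["erspan_id"]:
        findings.append(f"erspan-id differs: {src['erspan_id']} vs {dst['erspan_id']}")
    if src["ip"] is None or src["ip"] != dst["ip"]:
        findings.append(f"flow IP address differs: {src['ip']} vs {dst['ip']}")
    if src["origin"] is None:
        findings.append("source session has no origin ip address")
    if not src["sources"]:
        findings.append("source session monitors nothing")
    if dst["dest_if"] is None:
        findings.append("destination session has no destination interface")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_session(SOURCE_CLI), parse_session(DEST_CLI)):
        print("FINDING:", finding)
```
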

LACP Support for EVC Port Channel

An Ethernet link bundle or port-channel is an aggregation of up to eight physical Ethernet links to form a single logical link for L2/L3 forwarding. Bundled Ethernet ports are used to increase the capacity of the logical link and provide high availability and redundancy. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.

For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see "Configuring EtherChannels" at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/channel.html .

The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types. IEEE 802.3ad/Link Aggregation Control Protocol (LACP) provides an association of port-channels. The LACP support for EVC Port Channel feature supports service instances over bundled Ethernet links.

Ethernet flow points (EFPs) are configured under a port-channel. The traffic, carried by the EFPs, is load-balanced across member links. EFPs under a port-channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for an EFP uses only one of the member links. Load balancing is achieved by grouping EFPs and assigning them to a member link.

The scalability for a link-bundling EVC is 16000 per chassis. Port Channel EVC scalability for ES+ line cards is dependent on the same factors as EVCs configured under physical interfaces, with the number of member links and their distribution across the NPU as an additional parameter. EVC port-channel QoS leverages EVC QoS infrastructure. For more information on the scalable values, see Restrictions and Usage Guidelines.

Restrictions and Usage Guidelines

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:

  • All member links of the port-channel are on Cisco 7600-ES+ line cards.
  • Only bridge-domain, xconnect, connect EVCs, and IP subinterfaces are allowed over the port-channel interface. You cannot apply a switchport and EVC configuration under the same port-channel interface.
  • If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.
  • A physical port that is part of an EVC port-channel cannot have switchport configuration.
  • You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS.
  • You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policy-maps or in parent of HQoS policy-maps.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel

4. [no] ip address

5. service instance id Ethernet [service-name]

6. encapsulation dot1q vlan-id

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

8. [no] bridge-domain bridge-id

9. interface gigabitethernet slot/port

10. channel-protocol {lacp | pagp}

11. channel-group channel-group-number mode {active | on | passive}


Note The channel-group command options are applicable when configuring port-channel over EVC and the options active/passive are applicable when configuring port-channel over EVC with LACP.


DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface port-channel number

 

Router(config)# interface port-channel 12

Creates the port-channel interface.

Step 4

[no] ip address

 

Router(config-if)# no ip address

Assigns a subnet mask to the EtherChannel.

Step 5

[no] service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

 

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Step 8

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 9

interface gigabitethernet slot/port

 

 

 

Router(config)# interface gig 5/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 10

channel-protocol {lacp | pagp}

 

Router(config-if)# channel-protocol lacp

Sets the protocol that is used on an interface to manage channeling.

Step 11

channel-group channel-group-number mode {active | on | passive}

 

Router(config-if)# channel-group 5 mode active

Assigns and configures an EtherChannel interface to an EtherChannel group.

Examples

In this example, a single port-channel interface is created with three possible member links from slots 1 and 2:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel5
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 350
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
!
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 400
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
 
Router(config-if)# service instance 3 ethernet
Router(config-if-srv)# encapsulation dot1q 500
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 370
!
Router# enable
Router# configure terminal
Router(config)# interface Port-channel5.1
Router(config-subif)# encapsulation dot1Q 500 second-dot1q 300
Router(config-subif)# ip address 60.0.0.1 255.0.0.0
!
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config)# interface GigabitEthernet 1/3
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
 

This is a typical QoS configuration.

Router# enable
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500
 

This is the configuration for LACP over a configured EVC port-channel, under an interface:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode ?
Router(config-if)# channel-group 5 mode active
Router(config-if)# channel-group 5 mode passive

 

This is a port-channel configuration:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel102
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp fast-switchover
Router(config-if)# lacp max-bundle 1
Router(config-if)# service instance 50 ethernet
Router(config-if-srv)# encapsulation dot1q 50
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy output lacp-parent
Router(config-if-srv)# bridge-domain 50

 

This is a member links configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 3/12
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp rate fast
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 102 mode active
 

Verification

Use these commands to verify EVC configuration.

 

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information that verifies details of a specific EVC, and also verifies if an EVC ID is specified for all the EVCs on an interface.

Router# show ethernet service instance interface-id port-channel number [summary]

Displays the summary of all the EVCs configured within the interface.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, data for all service instances on the given interface is displayed.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Use the following commands to verify LACP over EVC:

Router# show etherchannel 15 port-channel

Displays details for port-channel 15. This command is common to EVC port-channel, switchport port-channel, and Layer 3 port-channel.

Troubleshooting

For information on troubleshooting LACP support for EVC Port Channel feature, see Table 4-6.

Configuring Layer 2 Access Control Lists (ACLs) on an EVC

ACLs (Access Control Lists) perform the following tasks:

  • Apply security and QoS at the interface, sub-interface, and service levels.
  • Filter the packets in a modular manner.

You can use a collection of sequential ACL rules to filter network traffic. Though the ACLs are applied on a network interface, you can use this feature to apply Layer 2 ACLs on different EVCs. Table 4-7 maps the supported layers to their parameters, and Table 4-8 lists the commands used to activate the Layer 2 ACLs.

Table 4-7 Mapping between the ACL supported layers to the parameters

Layer
Based on

Layer 2

  • MAC source and destination

Table 4-8 ACL commands

Layer
Action
Command

Layer 2

Create a Layer 2 Access List

mac access-list extended { aclname }

Apply an Access list within the EVC

mac access-group { aclname } in

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines when you configure ACLs on an EVC:

  • A Layer 2 ACL is supported only on the ingress.
  • You can apply a single ACL to more than one EFP.
  • If a Layer 2 ACL is applied to an EFP (Ethernet Flow Point) that already has a Layer 2 ACL, the new ACL replaces the previous ACL.
  • A Layer 2 ACL configuration applied on the EVC interface should contain the source MAC address, destination MAC address, and the address mask.
  • You can apply a maximum of 256 unique ACLs on all the EVCs.
  • A maximum of 16 ACEs (Access Control Elements) per ACL is supported.
  • The counters are supported per ACL per EVC.
  • Cisco IOS Release 15.1(1)S supports EVC port-channels.

Creating a Layer 2 Access Control List

SUMMARY STEPS

1. enable

2. configure terminal

3. mac access-list extended { aclname } {permit | deny} {host a.b.c host x.y.z}

4. exit

DETAILED STEPS

 

Command or Action
Purpose

Step 1

enable

 

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

mac access-list extended aclname {permit | deny} {host a.b.c host x.y.z}

 

me7600-5(config)#mac access-list extended test-l2-acl

Creates a Layer 2 Access List on the selected interface.

Step 4

exit

Exits the configuration mode.

Applying a Layer 2 Access Control List

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet type/ slot/port [subinterface-number] or interface tengigabitethernet type/ slot/port [subinterface-number]

4. [no] service instance id {Ethernet }

5. encapsulation dot1q vlan id

6. mac access-group aclname in

7. exit

DETAILED STEPS

 

Command or Action
Purpose

Step 1

enable

 

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet type/ slot/port [subinterface-number]

or

interface tengigabitethernet type/ slot/port [subinterface-number]

 

Router(config)# interface gigabitethernet 4/0/0

Specifies the gigabit ethernet or the ten gigabit ethernet interface to configure, where:

  • slot/subslot/port—Specifies the location of the interface.
  • subinterface-number—(Optional) Specifies a secondary interface (sub-interface) number.

Step 4

[no] service instance id {Ethernet [service-name]}

 

Router(config-if)# service instance 101 ethernet

Creates a service instance on an interface and sets the device to the config-if-srv configuration mode.

Step 5

encapsulation dot1q vlan id

 

Router(config-if-srv)# encapsulation dot1q 5

Defines the matching criteria to map ingress dot1q frames on an interface to the appropriate service instance.

Note Use the encapsulation dot1q default command to configure the default service instance on a port. Use the encapsulation dot1q untagged command to map the untagged ethernet frames on an ingress interface to a service instance.

Step 6

mac access-group aclname in

 

me7600-5(config-if-srv)# mac access-group test-l2-acl in

Applies a L2 ACL on the selected EVC.

Note L2 ACL displays only positive permit and deny counts.

Step 7

exit

Exits the configuration mode.

Examples

You can view the ACL counters for an EVC as shown in this example:

LLB-India-7#sh ethernet service instance id 1 int gig3/0/0 detail
Service Instance ID: 1
L2 ACL (inbound): l2acl <=====
Associated Interface: GigabitEthernet3/0/0
Associated EVC: test
L2protocol drop
CE-Vlans:
Interface Dot1q Tunnel Ethertype: 0x8100
State: Up
L2 ACL permit count: 0 <=====
L2 ACL deny count: 0 <=====
EFP Statistics:
Pkts In Bytes In Pkts Out Bytes Out
0 0 0 0
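
The restrictions listed for Layer 2 ACLs on EVCs (ingress only, 16 ACEs per ACL, 256 unique ACLs, a later ACL replacing an earlier one on the same EFP) can be checked against a configuration before it is deployed. The following Python audit is an added example, not part of the Cisco guide: the sample configuration is constructed, the finding codes are assumptions of this sketch, and the check for an undefined ACL name goes beyond the listed restrictions.

```python
import re

MAX_ACES_PER_ACL = 16    # "Maximum number of 16 ACEs ... per ACL"
MAX_UNIQUE_ACLS = 256    # "maximum of 256 unique ACLs on all the EVCs"

# Constructed sample: one valid ACL, one ACL with 17 ACEs, three EFPs.
SAMPLE = "\n".join(
    ["mac access-list extended test-l2-acl",
     " permit host 0000.0c00.0001 host 0000.0c00.0002",
     " deny any any",
     "mac access-list extended too-long"]
    + [f" deny host 0000.0c00.{i:04x} any" for i in range(17)]
    + ["interface GigabitEthernet4/0/0",
       " service instance 101 ethernet",
       "  encapsulation dot1q 5",
       "  mac access-group test-l2-acl in",
       " service instance 102 ethernet",
       "  encapsulation dot1q 6",
       "  mac access-group too-long in",
       "  mac access-group test-l2-acl in",
       " service instance 103 ethernet",
       "  encapsulation dot1q 7",
       "  mac access-group not-defined in"])


def audit_l2_acls(config):
    """Return (code, subject, message) findings for an IOS-style config."""
    acls = {}       # ACL name -> number of ACEs
    applied = {}    # "interface:service-instance" -> [(acl, direction), ...]
    cur_acl = cur_if = cur_efp = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"mac access-list extended (\S+)$", line):
            cur_acl, cur_if, cur_efp = m[1], None, None
            acls.setdefault(cur_acl, 0)
        elif m := re.match(r"interface (.+)$", line):
            cur_acl, cur_if, cur_efp = None, m[1], None
        elif cur_if and (m := re.match(r"service instance (\d+) ethernet", line)):
            cur_efp = f"{cur_if}:{m[1]}"
            applied.setdefault(cur_efp, [])
        elif cur_efp and (m := re.match(r"mac access-group (\S+) (in|out)$", line)):
            applied[cur_efp].append((m[1], m[2]))
        elif cur_acl and re.match(r"(permit|deny)\s", line):
            acls[cur_acl] += 1

    findings = []
    for name, count in acls.items():
        if count > MAX_ACES_PER_ACL:
            findings.append(("ace-limit", name,
                             f"{count} ACEs, limit is {MAX_ACES_PER_ACL}"))
    for efp, uses in applied.items():
        for acl, direction in uses:
            if direction != "in":
                findings.append(("egress", efp, "Layer 2 ACLs are ingress only"))
            if acl not in acls:
                findings.append(("undefined", acl, f"applied on {efp}, never created"))
        if len(uses) > 1:
            findings.append(("replaced", efp,
                             f"only the last ACL ({uses[-1][0]}) takes effect"))
    effective = {uses[-1][0] for uses in applied.values() if uses}
    if len(effective) > MAX_UNIQUE_ACLS:
        findings.append(("acl-limit", "all EVCs",
                         f"{len(effective)} unique ACLs, limit is {MAX_UNIQUE_ACLS}"))
    return findings


if __name__ == "__main__":
    for code, subject, message in audit_l2_acls(SAMPLE):
        print(f"{code:10} {subject:28} {message}")
```
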

 

DHCP Snooping with Option-82 on EVC

DHCP snooping determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

To do this, DHCP snooping dynamically builds and maintains the DHCP snooping database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

Each entry in the DHCP snooping database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Additionally, the DHCP Snooping with Option-82 feature can centrally manage the IP address assignments for a large number of subscribers. When this feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.

However, EVCs require additional information. If each EVC on an interface is mapped to a single VPN, it would be possible to use the internal VLAN to identify the path for reply packets. However, because multiple EVCs with different encapsulations can map to the same VPN, it is necessary to use the actual EVC encapsulation to distinguish between EVCs.

The DHCP Snooping with Option-82 on EVC feature allows the user to provide this additional information required for EVC-enabled interfaces. This information is inserted into the option 82 and is also stored in the binding table for retrieval by other services.

Use the ip dhcp snooping information option allow-untrusted command to enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch. DHCP option 82 data insertion is enabled by default. Accepting incoming DHCP snooping packets with option 82 information from the edge switch is disabled by default.

Use the ip dhcp relay information option subscriber-id command to configure a subscriber string for an EVC that can be inserted into the option 82 field along with other information when relaying the DHCP packets to the server. The server can parse the option 82 information to match the subscriber string and act accordingly. The subscriber string configured for an EVC will not be stored in the binding table and is only used when sending DHCP packets to the server by inserting into the option 82 field.

For additional information on DHCP Snooping and Option-82 on the Cisco 7600 router, see Configuring DHCP Snooping at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/snoodhcp.html .

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while you configure DHCP Snooping with Option-82:

  • An EVC with multiple encapsulations is not supported.
  • The following EVCs are supported on the same interface and bridge-domain:

dot1q encapsulation

QinQ encapsulation

Untagged encapsulation

  • 4000 EVCs are supported per port.
  • 32000 EVCs are supported per router.
  • Multiple EVCs are supported on the same port, all having the same or different bridge domains.
  • Multiple EVCs are supported on different ports, all having the same or different bridge domains.
  • With Cisco IOS Release 12.2(33)SRE, DHCP snooping with Option 82 is supported on EVC port-channels.
  • DHCP snooping is not supported with lag NNI VPLS core.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface port-channel number

4. [no] ip address

5. negotiation { forced | auto }

6. service instance id Ethernet [service-name]

7. encapsulation dot1q vlan-id

8. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

9. ip dhcp relay information option subscriber-id value

10. [no] bridge-domain bridge-id

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the gigabit ethernet or the ten gigabit ethernet or the port-channel interface to configure.

Step 4

no ip address

 

Router(config-if)# no ip address

Removes an IP address or disables IP processing.

Step 5

negotiation {forced | auto}

 

Router(config-if)# negotiation auto

Enables advertisement of speed, duplex mode, and flow control on a gigabit ethernet interface.

Step 6

[no] service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 7

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 8

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

 

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation to be performed on the frame ingress to the service instance.

Step 9

ip dhcp relay information option subscriber-id value

 
Router(config-if-srv)# ip dhcp relay information option subscriber-id 123

Configures a subscriber string that uniquely identifies the interface from where the DHCP packets originate.

Step 10

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Example

This example shows a typical configuration on the relay agent and the server. This is a configuration on the relay agent:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet8/1
Router(config-if)# no ip address
Router(config-if)# negotiation auto
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip dhcp relay information option subscriber-id 11
Router(config-if-srv)# bridge-domain 100
 
Router(config)# interface Vlan100
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip helper-address global 20.0.0.2
Router(config-if)# ip helper-address 20.0.0.2
 
 
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# ip dhcp snooping packets
Router(config-if)# ip address 20.0.0.1 255.255.255.0
Router(config-if)# negotiation auto
!

This is the configuration on the server:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# ip address 20.0.0.2 255.255.255.0
Router(config-if)# negotiation auto
Router(config-if)# end
 
Router(config)# ip dhcp pool pool1
Router(dhcp-config)# network 10.0.0.0 255.255.0.0
lease 2
Router(dhcp-config)# update arp
class C1
address range 10.0.0.2 10.0.0.10
class C2
address range 10.0.0.11 10.0.0.20
!
Router(config)# ip dhcp pool pool2
Router(config)# network 11.0.0.0 255.255.0.0 lease 2
!
Router(config)# ip dhcp pool pool3
vrf vrf1
Router(config)# network 10.0.0.0 255.255.255.0 lease 0 0 2
!
!
ip dhcp class C1 <-----------Class C1 maps to the subscriber-id string aabb11.
relay agent information
relay-information hex 00000000000000000000000000000006616162623131 mask fffffffffffffffffffffffffffffff0000000000000
!
ip dhcp class C2
relay agent information
relay-information hex 00000000000000000000000000000006313162626161 mask fffffffffffffffffffffffffffffff0000000000000
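
The two relay-information patterns above end in the ASCII bytes of a subscriber string, preceded by a length byte of 06. The following Python sketch is an added example, not part of the Cisco guide: it walks the sub-option TLVs of a relay agent information option (code, length, value, as defined in RFC 3046, with sub-option 6 carrying the subscriber ID per RFC 3993) and picks the server class whose pattern ends in the same string. The sample option bytes are constructed, and comparing only the trailing subscriber string while ignoring the mask is an assumption of this sketch.

```python
# Patterns copied from the server configuration above.
CLASS_PATTERNS = {
    "C1": "00000000000000000000000000000006616162623131",
    "C2": "00000000000000000000000000000006313162626161",
}
# Address ranges the pool assigns to each class in the server configuration.
CLASS_RANGES = {
    "C1": ("10.0.0.2", "10.0.0.10"),
    "C2": ("10.0.0.11", "10.0.0.20"),
}
SUBSCRIBER_ID = 6  # sub-option code for the subscriber ID (RFC 3993)

# Constructed option 82 payload: circuit-id, remote-id, subscriber-id "aabb11".
SAMPLE_OPT82 = (
    bytes.fromhex("0106000400020801")        # sub-option 1, length 6
    + bytes.fromhex("02080006001122334455")  # sub-option 2, length 8
    + b"\x06\x06aabb11"                      # sub-option 6, length 6
)


def parse_option82(data):
    """Return {sub-option code: value}; reject truncated TLVs."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} shorter than its length byte")
        out[code] = value
        i += 2 + length
    return out


def pattern_subscriber(hex_pattern):
    """Decode the trailing length byte (06) and six value bytes of a pattern."""
    tail = bytes.fromhex(hex_pattern[-14:])
    if tail[0] != 6:
        raise ValueError("pattern does not end in a 6-byte subscriber string")
    return tail[1:]


def classify(option82):
    """Name of the class whose subscriber string matches, or None."""
    subscriber = parse_option82(option82).get(SUBSCRIBER_ID)
    if subscriber is None:
        return None
    for name, pattern in CLASS_PATTERNS.items():
        if pattern_subscriber(pattern) == subscriber:
            return name
    return None


if __name__ == "__main__":
    for name, pattern in CLASS_PATTERNS.items():
        print(name, pattern_subscriber(pattern).decode("ascii"), CLASS_RANGES[name])
    print("sample packet ->", classify(SAMPLE_OPT82))
```
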
 

Verification

Use these commands to verify operation.

 

Command
Purpose

Router# show ip dhcp snooping

Displays all VLANs (both primary and secondary) that have DHCP snooping enabled.

Router# show ip dhcp snooping binding

Checks the DHCP snooping database.

Troubleshooting

Table 4-9 provides the troubleshooting solutions for the DHCP Snooping feature.

 

Table 4-9 Troubleshooting Scenarios for DHCP Snooping feature

Problem
Solution

DHCP snooping database is not storing any bindings

Complete the following steps to verify and troubleshoot:

1. Use the show ip dhcp snooping binding command to check whether there are non-zero bindings built on the binding table.

2. The show ip dhcp snooping binding command displays the total number of bindings as a non-zero value. If not, check whether the DHCP snooping database agent is configured correctly. If no bindings exist, it implies that they were never built or the lease expired. Reconfigure the bindings with a longer lease period. If the lease time is configured as maximum (4294967295 seconds, effective from 12.2(33)SRD), the bindings do not expire.

3. Use the ip dhcp snooping database command to check if the DHCP snooping database agent is configured correctly and is currently running.

Bindings are not getting stored in the database agent

Read the database agent file to check if bindings are stored in that file. If not, go to Step 3 of the previous solution. If there is at least one binding stored in the database file, it implies that the database agent is working fine.

DHCP snooping is not active on the router

DHCP snooping is active on the router only when it is configured globally and on at least one interface VLAN. Check if the ip dhcp snooping command exists in the running and global configuration modes, and at least on one VLAN interface. If not, configure the feature as described in Configuring Layer 2 Access Control Lists (ACLs) on an EVC.

If the configurations exist, use the debug ip dhcp snooping packets command to check whether or not DHCP packets are being exchanged between the DHCP server and the client. If yes, proceed to Step 3 listed in the solution for the “DHCP snooping database is not storing any bindings” problem. If not, check the configurations for the DHCP server and client and whether all the connections to the DHCP relay agent are fine. If the problem persists, contact TAC.

DHCP Snooping Over p-mLACP

The Dynamic Host Configuration Protocol (DHCP) snooping over a pseudo-multichassis Link Aggregate Control Protocol (p-mLACP) feature synchronizes the DHCP snooping database between the Point of Attachments (PoAs) in a network. The synchronization of the DHCP database allows the multicast traffic to flow with the least interruption when the p-mLACP fails. This feature uses the Interchassis Communication Protocol (ICCP) to synchronize the DHCP snooping database with the peer PoAs to provide multi-chassis redundancy. When the multi-chassis Link Aggregation (mLAG) transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network. A system configured with DHCP snooping creates a DHCP snooping database, which contains DHCP snooping entries (MAC/IP bindings) learnt from the different VLANs.

The DHCP snooping binding data is added in the active supervisor after successfully synchronizing the snooping information between the local standby and remote PoAs (active and standby supervisor PoA).


Note For more information on pmLACP and p-mLACP failure, see Pseudo MLACP Support on Cisco 7600 section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.


DHCP Snooping State Synchronization

The DHCP snooping state synchronization involves these steps:

1. The active PoA synchronizes the DHCP snooping binding tables with the standby PoA.

2. The standby PoA uses the synchronized DHCP binding information for IP source guard (IPSG) and Dynamic ARP Inspection (DAI).

3. On switchover, the standby EFP becomes active and any spoofed ARP, MAC or IP traffic is dropped by the new Active PoA.

Restrictions for DHCP Snooping over p-mLACP

The following restrictions apply for the DHCP Snooping over p-mLACP feature:

  • The manual load-balance VLAN list and LAG configuration should be same on both the PoAs.
  • The bridge-domain configured under a p-mLACP port-channel EVC should not be part of any other non-pmLACP interfaces.
  • For proper DHCP snooping database synchronization, ensure that the ICRM link is up.
  • All the PoAs should be configured as p-mLACP peers to enable DHCP snooping database synchronization.
  • It is recommended that all the PoAs be configured for non-revertive mode.
  • During the mLACP failures A, B, C, and E, the database entries are not lost. In case of p-mLACP failure D, the database entries are lost but they are restored after synchronization with the peer PoA through the ICRM link.
  • The maximum number of DHCP Snooping entries supported per PoA is 20000; 10000 entries on the active VLAN on the active PoA and 10000 entries synchronized from another PoA through the ICCP link.
  • This feature is supported on the ES20 and ES+ line cards in the access mode only.
  • This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
  • For the Virtual Private Lan Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs) participating in a bridge-domain should have the outer tag VLAN range set to either primary or secondary VLANs, but not both.
  • If an EFP is deleted from a PoA, you should remove it from all the peer PoAs.
  • While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
  • IP FRR functionality is not supported with p-mLACP.

Note All the p-mLACP restrictions also apply to this feature.


Table 4-10 lists the scalability numbers for DHCP Snooping state synchronization:

Table 4-10 Scalability Numbers for p-mLACP DHCP Snooping State Synchronization

 

Feature
Per PoA

DHCP snooping entries

20000

Troubleshooting Tips

Table 4-11 lists the commands to troubleshoot the p-mLACP DHCP Snooping State Synchronization.

Table 4-11 Troubleshooting Scenarios

 

Command
Use

debug ip dhcp snooping event

Use this command to enable the debugging of the events involved in DHCP snooping.

debug ip dhcp snooping packet

Use this command to display the debugging messages for DHCP snooping.

show ip dhcp snooping multi-chassis

Use this command to display status of bulk synchronization.

Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization

The pseudo-multichassis Link Aggregate Control Protocol (p-mLACP) Internet Group Management Protocol (IGMP) Snooping State Synchronization feature synchronizes the IGMP snooping database between the Point of Attachments (PoAs) in a network. The synchronization of the IGMP database allows the multicast traffic to flow with the least interruption when an mLACP fails. The p-mLACP IGMP snooping function uses the Interchassis Communication Protocol (ICCP) to synchronize the IGMP snooping database with the peer PoAs. When the mLAG transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network.


Note For more information on p-mLACP and p-mLACP failure, see the Pseudo MLACP Support on Cisco 7600 section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.


IGMP Snooping State Synchronization

The p-mLACP IGMP Snooping state synchronization involves these steps:

  • A PoA creates snooping entries for its active VLANs based on IGMP reports, and the snooping entries are synchronized to the peer PoA using ICCP, where this information corresponds to the standby VLANs on the peer PoA.
  • The peer PoA processes the ICCP messages received from the other PoA, and pre-programs the multicast forwarding table based on the received IGMP information.
  • When p-mLACP fails (A, B, C, D, E) on one of the PoAs, the peer PoA moves its standby VLANs to active and triggers IGMP reports towards the Designated Router/mrouter based on the IGMP information received via ICCP for these VLANs.
  • Next, the peer PoA starts forwarding multicast data traffic based on the pre-programmed multicast forwarding table without any delay, enabling fast convergence.

Figure 4-4 shows the basic p-mLACP IGMP Snooping State Synchronization process.

Figure 4-4 IGMP Snooping State Synchronization

 

Restrictions for p-mLACP IGMP Snooping State Synchronization

The following restrictions apply to the p-mLACP IGMP Snooping State Synchronization feature:

  • The maximum rate supported is 1000 IGMP joins per second.
  • The maximum number of IGMP Snooping entries supported per PoA is 10000.
  • IGMP version 2 is supported. IGMP version 3 is not supported.
  • This feature is supported on the ES20 and ES+ line cards in the access mode only.
  • This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
  • For the Virtual Private LAN Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs) participating in a bridge-domain should have the outer tag VLAN range set to either primary or secondary VLANs, but not both.
  • If an EFP is deleted from a PoA, you should remove it from all the peer PoAs.
  • While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
  • IP FRR functionality is not supported with p-mLACP.
  • IGMP Snooping is not supported with Hierarchical Virtual Private LAN Service (H-VPLS) and MAC Tunneling Protocol (MTP) scenarios and topologies.

Table 4-12 lists the scalability numbers for IGMP snooping state synchronization.

Table 4-12 Scalability Numbers for p-mLACP IGMP Snooping State Synchronization

Feature                                       Per PoA   Desirable per PoA   Per RG
p-mLACP IGMP snooping state synchronization   10K       20K                 10K


Note All p-mLACP restrictions also apply to the IGMP Snooping over p-mLACP feature.


Troubleshooting Tips

Table 4-13 lists the troubleshooting solutions for the p-mLACP IGMP Snooping State Sync implementation.

Table 4-13 Troubleshooting Scenarios

Problem: IGMP snooping database is empty on the PoA.

Solution: Complete these steps to verify and troubleshoot:

1. Use the show mac-address-table multicast igmp-snooping command to check for incomplete snooping entries. If the entries are incomplete, see the next problem and its solution.

2. If the output from the show mac-address-table multicast igmp-snooping command is empty, check whether IGMP snooping is enabled on the router. Enable IGMP snooping if it is disabled.

Problem: IGMP Snooping database shows incomplete snooping entries.

Solution: If incomplete entries are displayed in the show mac-address-table multicast igmp-snooping command output, complete these steps:

1. Check whether the incomplete entries are specific to the active VLANs or the standby VLANs.

2. If the incomplete entries correspond to an active VLAN, verify the configuration.

3. If the incomplete entries correspond to a standby VLAN, check the corresponding VC states using the show mpls l2transport vc command. The VC state should be UP/STANDBY, not DOWN.

4. Use the show ip ig snooping mrouter command output to verify that the mrouter port is configured properly for the affected VLAN.

IP Source Guard for Service Instance

IP source guard filters traffic by source IP address on a Layer 2 port and prevents malicious hosts from impersonating a legitimate host. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the service instance is blocked except for DHCP packets that are captured by DHCP snooping. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, the IP source guard for service instance feature automatically creates an access control list (ACL) to permit that traffic. Traffic from other hosts is denied. This filtering limits the ability of a host to attack the network by claiming the IP address of a neighbor host.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while configuring IP source guard for a service instance:

  • The number of ACLs and ACEs that can be configured as part of IP source guard is bounded by the hardware resources on the line card.
  • IP source guard is meant to verify host source IP and MAC information. Only ingress traffic is filtered; the feature does not apply to the egress direction.
  • IP source guard is not effective for software-forwarded packets. When a non-recoverable TCAM exception occurs for IP source guard, IP filtering is not effective and packets are permitted.
  • The IP source guard is not supported on subinterfaces.
  • The IP source guard is supported only on ES+ line cards.
  • IP source guard is supported on port-channel service instances effective from Cisco IOS release 15.1(2)S.

Configuring IP Source Guard for a Service Instance

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

or

interface port-channel number

4. [no] ip address

5. service instance id ethernet [service-name]

6. encapsulation dot1q vlan-id

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric


Note For the router to determine whether a packet is DHCP, all tags must be popped; push and translate are not supported with the IP source guard for service instance feature.


8. ip verify source vlan dhcp-snooping [port-security]

9. [no] bridge-domain bridge-id

10. exit

11. end

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode. If prompted, enter your password.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the interface to configure.

  • slot/port - Specifies the location of the interface.
  • number - Specifies the port channel interface.

Step 4

[no] ip address

 

Router(config-if)# no ip address

Removes an IP address or disables IP processing.

Step 5

[no] service instance id ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

 

Router(config-if-srv)# rewrite ingress tag pop 1 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Note For the router to determine whether a packet is DHCP, all tags must be popped; push and translate are not supported.

Step 8

ip verify source vlan dhcp-snooping [port-security]

 
Router(config-if-srv)# ip verify source vlan dhcp-snooping

Enables IP source guard. Use these options:

  • vlan dhcp-snooping enables IP mode and applies the feature to only specific VLANs on the interface. The dhcp-snooping option applies the feature to all VLANs on the interface that have DHCP snooping enabled.
  • port-security enables IP/MAC mode and applies both IP and MAC filtering.

Step 9

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 10

exit

 
Router(config-if)# exit

Returns to global configuration mode.

Step 11

end

 
Router(config)# end
 

Exits configuration mode.

Example

This example shows how to configure IP source guard for a service instance with single tag (Dot1q) encapsulation.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
 

This example shows how to configure IP source guard for a service instance with double tag (QinQ) encapsulation.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71 second-dot1q 100
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
 

This example shows how to configure IP source guard for a service instance with untagged encapsulation.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
 

This example shows how to configure IP source guard for a service instance with default encapsulation.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation default
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
 

This example shows how to configure IP source guard for a service instance with single tag encapsulation on a port-channel interface.

Router# enable
Router# configure terminal
Router(config)# interface port-channel 2
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
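
The script below audits a running-config for two conditions this section describes: bridged service instances that have no ip verify source line, and IP source guard combined with a push or translate rewrite, which the Note in step 7 says is not supported. It is an added example, not Cisco code; the configuration excerpt is constructed and the function names are hypothetical.

```python
"""Audit EVC service instances for IP source guard coverage (added example)."""
import re

# Constructed running-config excerpt; interface and instance numbers are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet7/1
 no ip address
 service instance 71 ethernet
  encapsulation dot1q 71
  rewrite ingress tag pop 1 symmetric
  ip verify source vlan dhcp-snooping
  bridge-domain 10
 !
 service instance 72 ethernet
  encapsulation dot1q 72
  rewrite ingress tag push dot1q 500 symmetric
  ip verify source vlan dhcp-snooping port-security
  bridge-domain 11
 !
 service instance 73 ethernet
  encapsulation dot1q 73
  rewrite ingress tag pop 1 symmetric
  bridge-domain 12
 !
!
"""


def parse_service_instances(config):
    """Return one dict per service instance: interface, id and its command lines."""
    instances, interface, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface (\S+)", line)):
            interface, current = m.group(1), None
        elif (m := re.match(r"service instance (\d+) ethernet", line)):
            current = {"interface": interface, "id": int(m.group(1)), "lines": []}
            instances.append(current)
        elif line in ("", "!", "end"):
            current = None          # '!' closes the current block
        elif current is not None:
            current["lines"].append(line)
    return instances


def first(lines, prefix):
    """Return the first command that starts with prefix, or None."""
    return next((cmd for cmd in lines if cmd.startswith(prefix)), None)


def audit(config):
    """Return (interface, instance id, guard mode, issues) for every service instance."""
    report = []
    for si in parse_service_instances(config):
        lines, issues = si["lines"], []
        guard = first(lines, "ip verify source")
        rewrite = first(lines, "rewrite ingress tag")
        if guard is None:
            mode = None
            if first(lines, "bridge-domain"):
                issues.append("NO_SOURCE_GUARD")      # bridged EFP, source IP never checked
        else:
            # The optional port-security keyword adds the source MAC check (ip-mac mode).
            mode = "ip-mac" if guard.split()[-1] == "port-security" else "ip"
            # Fourth token of the rewrite command is the operation: push, pop or translate.
            operation = (rewrite.split() + [None])[3] if rewrite else None
            if operation in ("push", "translate"):
                issues.append("UNSUPPORTED_REWRITE")  # router cannot identify DHCP packets
        report.append((si["interface"], si["id"], mode, issues))
    return report


if __name__ == "__main__":
    for interface, sid, mode, issues in audit(SAMPLE_CONFIG):
        print(f"{interface} service instance {sid}: guard={mode} issues={issues or 'none'}")
```

The parser ignores indentation, so it also accepts show running-config output that has been pasted without its leading spaces.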

Verification

Use the show ip verify source interface command to verify the configuration:

router# show ip verify source interface gi5/1 efp_id 10
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID
--------- ----------- ----------- --------------- ----------------- ---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
 
router# show ip verify source interface gi5/1
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID
--------- ----------- ----------- --------------- ----------------- ---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
Gi5/1 ip-mac active 123.1.1.2 00:0A:00:0A:00:0B 100 20
Gi5/1 ip-mac active 123.1.1.3 00:0A:00:0A:00:0C 100 30
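
The model below applies the decision described at the start of this section to the bindings in the output above: DHCP is passed, any other frame is permitted only if its source matches a binding on the same service instance, and a TCAM exception makes the filter fail open. It is an added example, not Cisco code; the frames are constructed, the function names are hypothetical, and scoping each binding to its interface and EFP ID is an assumption of the model.

```python
"""Model of the ingress decision made by IP source guard (added example)."""
import re
from collections import namedtuple

Binding = namedtuple("Binding", "interface filter_type ip mac vlan efp")

# Output copied from the Verification section above.
SHOW_IP_VERIFY_SOURCE = """\
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID
--------- ----------- ----------- --------------- ----------------- ---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
Gi5/1 ip-mac active 123.1.1.2 00:0A:00:0A:00:0B 100 20
Gi5/1 ip-mac active 123.1.1.3 00:0A:00:0A:00:0C 100 30
"""

ROW = re.compile(
    r"^(\S+)\s+(ip-mac|ip)\s+active\s+(\d+(?:\.\d+){3})\s+"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+)\s+(\d+)\s*$"
)


def parse_bindings(text):
    """Extract active bindings; header, separator and non-active rows are skipped."""
    bindings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            intf, ftype, ip, mac, vlan, efp = m.groups()
            bindings.append(Binding(intf, ftype, ip, mac.lower(), int(vlan), int(efp)))
    return bindings


def decide(bindings, interface, efp, src_ip, src_mac, is_dhcp=False, tcam_exception=False):
    """Return 'permit' or 'deny' for an ingress IPv4 frame on a service instance."""
    if tcam_exception:
        return "permit"   # filter not programmed in hardware: the feature fails open
    if is_dhcp:
        return "permit"   # DHCP is always passed so DHCP snooping can learn bindings
    for b in bindings:
        if (b.interface, b.efp, b.ip) != (interface, efp, src_ip):
            continue
        # ip mode checks the source IP only; ip-mac mode also checks the source MAC.
        if b.filter_type == "ip" or b.mac == src_mac.lower():
            return "permit"
    return "deny"         # no binding matches: traffic from other hosts is denied


# Constructed ingress frames: (label, interface, efp, src_ip, src_mac, is_dhcp)
FRAMES = [
    ("bound host", "Gi5/1", 10, "123.1.1.1", "00:0a:00:0a:00:0a", False),
    ("neighbor IP claimed on EFP 10", "Gi5/1", 10, "123.1.1.2", "00:0a:00:0a:00:0a", False),
    ("right IP, wrong MAC on EFP 20", "Gi5/1", 20, "123.1.1.2", "00:0a:00:0a:00:0a", False),
    ("new host sending DHCP", "Gi5/1", 30, "0.0.0.0", "00:0a:00:0a:00:0d", True),
    ("unbound host", "Gi5/1", 30, "123.1.1.9", "00:0a:00:0a:00:0d", False),
]


def evaluate(frames=FRAMES, text=SHOW_IP_VERIFY_SOURCE):
    """Return {label: decision} for the sample frames against the parsed bindings."""
    bindings = parse_bindings(text)
    return {label: decide(bindings, *rest) for label, *rest in frames}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{verdict:6}  {label}")
```

Calling decide with tcam_exception=True returns permit for every frame, which is why TCAM exceptions on the line card are worth alerting on when this feature is the only anti-spoofing control on the port.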
 

Troubleshooting

Table 4-14 provides troubleshooting solutions for the IP source guard feature.

Table 4-14 Troubleshooting Scenarios for IP Source Guard Feature

Problem: EVC disabled in IP source guard

Solution: Use the [no] ip verify source vlan dhcp-snooping port-security command in the service instance configuration mode to verify the IP source guard information. port-security is an optional keyword to indicate that the source MAC address filter should be applied with the source IP address. Share the output with TAC to troubleshoot further.

Problem: DHCP snooping failures

Solution:

1. Verify whether or not the issues are specific to DHCP snooping or IP source guard. Use the show ip dhcp snooping binding command to check the DHCP snooping bindings on the RP. If the expected entry is missing on the RP, debug the DHCP snooping sessions and share the output with TAC.

2. If the entry is displayed on the route processor, but not on the line card, use the dhcp snooping ipc debug command on the RP to debug failures related to DHCP snooping entries. If the issue persists, contact TAC.

Configuring MST on EVC Bridge Domain

The Multiple Spanning Tree (MST) on EVC Bridge Domain feature enables MST on EVC interfaces. It complements the H-VPLS N-PE Redundancy for QinQ and MPLS Access feature released in Cisco IOS Release 12.2(33)SRC. For more information on this feature, see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html .

This section describes how to configure MST on EVC Bridge Domain. It contains these topics:

Overview of MST and STP

Spanning Tree Protocol (STP) is a Layer 2 link-management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis.

MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

For routers to participate in MST instances, you must consistently configure the routers with the same MST configuration information. A collection of interconnected routers that have the same MST configuration comprises an MST region. For two or more routers to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same MST name.

The MST configuration controls the MST region to which each router belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.

A region can have one or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree instance at a time.

For additional information on STP and MST on the Cisco 7600 series routers, see Configuring STP and MST at:

http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html

Overview of MST on EVC Bridge Domain

The MST on EVC Bridge-Domain feature uses VLAN IDs for service-instance-to-MST-instance mapping. EVC service instances with the same VLAN ID (the outer VLAN IDs in the QinQ case) as the one in another MST instance will be mapped to that MST instance.

EVC service instances can have encapsulations with a single tag as well as double tags. In case of double tag encapsulations, the outer VLAN ID shall be used for the MST instance mapping, and the inner VLAN ID is ignored.

A single VLAN per EVC is needed for the mapping with the MST instance. The following service instances without any VLAN ID or with multiple outer VLAN IDs are not supported:

  • Untagged (encapsulation untagged)
  • Priority-tagged (encapsulation priority-tagged)
  • Default (encapsulation default)
  • Multiple outer tags (encapsulation dot1q 200 to 400 second-dot1q 300)
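
The mapping rule above, written out as an added example (not Cisco code): the outer VLAN ID selects the MST instance, the inner tag is ignored, VLANs with no instance assignment land in MST 0, and encapsulations without a single outer VLAN ID are rejected. The VLAN-to-instance map is an assumption chosen to match the show spanning-tree output later in this section, and the function names are hypothetical.

```python
"""Map EVC encapsulations to MST instances by outer VLAN (added example)."""

# Assumed VLAN-to-instance map, chosen to match the show spanning-tree output
# later in this section (VLAN 2 in MST1, VLAN 8 in MST2).
VLAN_TO_INSTANCE = {2: 1, 8: 2}

NO_VLAN_ID = ("untagged", "priority-tagged", "default")


class UnsupportedEncapsulation(ValueError):
    """The encapsulation has no single outer VLAN ID, so MST cannot map it."""


def outer_vlan(encapsulation):
    """Return the single outer VLAN ID of an 'encapsulation ...' command."""
    tokens = encapsulation.split()
    if len(tokens) < 2 or tokens[0] != "encapsulation":
        raise ValueError(f"not an encapsulation command: {encapsulation!r}")
    kind = tokens[1]
    if kind in NO_VLAN_ID:
        raise UnsupportedEncapsulation(f"{kind}: no VLAN ID in the encapsulation")
    if kind != "dot1q":
        raise UnsupportedEncapsulation(f"{kind}: not covered by this example")
    # Everything between 'dot1q' and an optional 'second-dot1q' describes the outer tag.
    end = tokens.index("second-dot1q") if "second-dot1q" in tokens else len(tokens)
    outer = tokens[2:end]
    if len(outer) != 1 or not outer[0].isdigit():
        raise UnsupportedEncapsulation("outer tag is a range or list, not one VLAN ID")
    vlan = int(outer[0])
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return vlan


def mst_instance(encapsulation, vlan_to_instance=VLAN_TO_INSTANCE):
    """Return the MST instance an EFP joins; the inner tag plays no part."""
    # VLANs that are not assigned to any instance belong to MST 0.
    return vlan_to_instance.get(outer_vlan(encapsulation), 0)


def classify(encapsulations, vlan_to_instance=VLAN_TO_INSTANCE):
    """Return {command: instance number, or the reason MST cannot map it}."""
    result = {}
    for command in encapsulations:
        try:
            result[command] = mst_instance(command, vlan_to_instance)
        except UnsupportedEncapsulation as exc:
            result[command] = f"unsupported ({exc})"
    return result


# Encapsulations taken from this section's examples and from the unsupported list above.
SAMPLES = [
    "encapsulation dot1q 2",
    "encapsulation dot1q 2 second-dot1q 100",
    "encapsulation dot1q 8",
    "encapsulation dot1q 100 second-dot1q 120-140",
    "encapsulation untagged",
    "encapsulation default",
    "encapsulation dot1q 200 to 400 second-dot1q 300",
]

if __name__ == "__main__":
    for command, outcome in classify(SAMPLES).items():
        print(f"{command:50} -> {outcome}")
```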

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while configuring MST on EVC bridge domain:

  • Cisco IOS Release 15.1(1)S supports EVC port-channels.
  • The main interface where the EFP is configured must be up and running with MSTP as the selected Spanning Tree Mode (PVST and Rapid-PVST are not supported).
  • The SPT PortFast feature is not supported with EFPs.
  • The co-existence of REP and mLACP with MST on the same port is not supported.
  • Any action performed on VPORT (which represents a particular VLAN in a physical port) affects the bridge domain and other services.
  • This feature cannot co-exist with Ethernet Bridging on FR/ATM that support only PVST.
  • Supports 64 MSTs and one CIST (common and internal spanning tree).
  • Supports one MST region.
  • Scales to 32000 EFP.
  • Service instances without any VLAN ID in the encapsulation are not supported, because a unique VLAN ID is required to map an EVC to an MST instance.
  • Supports EFPs with an unambiguous outer VLAN tag (that is, no range or list on the outer VLAN, and neither default nor untagged).
  • ES20 and ES+ line cards support this feature.
  • Removing dot1q encapsulation removes the EVC from MST.
  • Changing the VLAN (outer encapsulation VLAN of EVC) mapping to a different MST instance will move the EVC port to the new MST instance.
  • Changing an EVC service instance to a VLAN that has not been defined in MST 1 will result in mapping of EVC port to MST 0.
  • The peer router of the EVC port must also be running MST.
  • MST is supported only on EVC BD. EVCs without BD configuration will not participate in MST.
  • When an MST is configured on the outer VLAN, you can configure any number of service instances with the same outer VLAN as shown in the following configuration example.
nPE1#sh run int gi12/5
Building configuration...
 
Current configuration : 373 bytes
!
interface GigabitEthernet12/5
description connected to CE1
no ip address
service instance 100 ethernet
encapsulation dot1q 100 second-dot1q 1
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 100 second-dot1q 2
bridge-domain 101
!
service instance 102 ethernet
encapsulation dot1q 100 second-dot1q 120-140
bridge-domain 102
!
end
 
 
nPE1#sh run int gi12/6
Building configuration...
 
Current configuration : 373 bytes
!
interface GigabitEthernet12/6
description connected to CE1
no ip address
service instance 100 ethernet
encapsulation dot1q 100 second-dot1q 1
bridge-domain 100
!
service instance 101 ethernet
encapsulation dot1q 100 second-dot1q 2
bridge-domain 101
!
service instance 102 ethernet
encapsulation dot1q 100 second-dot1q 120-140
bridge-domain 102
!
end
 
nPE1#sh span vlan 100
 
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 0018.742f.3b80
Cost 0
Port 2821 (GigabitEthernet12/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 001a.303c.3400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi12/5 Root FWD 20000 128.2821 P2p
Gi12/6 Altn BLK 20000 128.2822 P2p
 
nPE1#
 

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. [no] bridge-domain bridge-id

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the gigabit ethernet or the ten gigabit ethernet interface to configure.

  • slot/port—Specifies the location of the interface.

Step 4

[no] service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (EVC instance) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Examples

In the following example, two interfaces participate in MST instance 0, the default instance to which all VLANs are mapped:

Router# enable
Router# configure terminal
Router(config)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# interface g4/3
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# end
 

Verification

Use this command to verify the configuration:

Router# show spanning-tree vlan 2
 
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 0009.e91a.bc40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 0009.e91a.bc40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1 Desg FWD 20000 128.1537 P2p
Gi4/3 Back BLK 20000 128.1540 P2p
 

 

In this example, interface gi4/1 and interface gi4/3 are connected back-to-back. Each has a service instance (EFP) attached to it. The EFP on both interfaces has an encapsulation VLAN ID of 2. Changing the VLAN ID from 2 to 8 in the encapsulation directive for the EFP on interface gi4/1 stops the MSTP from running in the MST instance to which the old VLAN is mapped and starts the MSTP in the MST instance to which the new VLAN is mapped:

Router(config-if)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encap dot1q 8
Router(config-if-srv)# end
 

Use this command to verify the configuration:

Router# show spanning-tree vlan 2
 
MST1
Spanning tree enabled protocol mstp
Root ID Priority 32769
Address 0009.e91a.bc40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0009.e91a.bc40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/3 Desg FWD 20000 128.1540 P2p
 
Router# show spanning-tree vlan 8
 
MST2
Spanning tree enabled protocol mstp
Root ID Priority 32770
Address 0009.e91a.bc40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0009.e91a.bc40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1 Desg FWD 20000 128.1537 P2p
 

In this example, interface gi4/3 (with an EFP that has an outer encapsulation VLAN ID of 2 and a bridge domain of 100) receives a new service:

Router# enable
Router# configure terminal
Router(config)# interface g4/3
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encap dot1q 2 second-dot1q 100
Router(config-if-srv)# bridge-domain 200
 

Now there are two EFPs configured on interface gi4/3 and both of them have the same outer VLAN 2.

interface GigabitEthernet4/3
no ip address
service instance 1 ethernet
encapsulation dot1q 2
bridge-domain 100
!
service instance 2 ethernet
encapsulation dot1q 2 second-dot1q 100
bridge-domain 200
 

The preceding configuration does not affect the MSTP operation on the interface; there is no state change for interface gi4/3 in the MST instance it belongs to.

Router# show spanning-tree mst 1
 
##### MST1 vlans mapped: 2
Bridge address 0009.e91a.bc40 priority 32769 (32768 sysid 1)
Root this switch for MST1
 
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi4/3 Desg FWD 20000 128.1540 P2p

 

This example shows MST on port channels:

Router# show spanning-tree mst 1
##### MST1 vlans mapped: 3
Bridge address 000a.f331.8e80 priority 32769 (32768 sysid 1)
Root address 0001.6441.68c0 priority 32769 (32768 sysid 1)
port Po5 cost 20000 rem hops 18
 
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p
 
Router# show spanning-tree vlan 3
 
MST1
Spanning tree enabled protocol mstp
Root ID Priority 32769
Address 0001.6441.68c0
Cost 20000
Port 3329 (Port-channel5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.f331.8e80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p

Troubleshooting

Table 4-15 provides troubleshooting solutions for the MST on EVC Bridge Domain feature.

Table 4-15 Troubleshooting Scenarios

Problem: Multiple Spanning Tree Protocol (MSTP) incorrectly or inconsistently formed due to misconfiguration and BPDU loss

Solution: To avoid BPDU loss, re-configure these on the following nodes:

  • Configuration name
  • Bridge revision
  • Provider-bridge mode
  • Instance to VLAN mapping

Determine if node A is sending BPDUs to node B. Use the show spanning-tree mst interface gi1/1 service instance command for each interface connecting the nodes. Only designated ports relay periodic BPDUs.

Problem: MSTP correctly formed, but traffic flooding occurs

Solution: Intermittent BPDU loss occurs when the spanning tree appears incorrectly in the show commands, but relays topology change notifications. These notifications cause a MAC flush, forcing traffic to flood until the MAC addresses are re-learned. Use the debug spanning-tree mst packet full {received | sent} command to debug topology change notifications.

Use the debug spanning-tree mst packet brief {received | sent} command on both nodes to check for missing BPDUs. Monitor the timestamps. A time gap greater than or equal to six seconds causes topology change.

Problem: MSTP shows incorrect port state

Solution: When the spanning tree protocol (STP) attempts to change the port state, it uses L2VPN. Check the value of the sent update. If the value is Yes, then STP is awaiting an update from L2VPN.

Problem: Packet forwarding does not match the MSTP state

Solution: Complete the following steps to verify and troubleshoot:

1. Shut down redundant links, remove MSTP configuration, and ensure that basic bridging works.

2. Check the state of each port as calculated by MSTP, and compare it with the packet counts transmitted and received on ports and EFPs controlled by MSTP. Normal data packets should be sent/received only on ports in the forwarding (FWD) state. BPDUs should be sent/received on all ports controlled by MSTP.

3. Ensure that BPDUs are flowing and that root bridge selection is correct and check the related scenarios.

4. Use the show l2vpn bridge-domain detail command to confirm the status of the members of the bridge domain. Ensure that the relevant bridge domain members are active.

5. Check the forwarding state as programmed in hardware.

Configuring Link State Tracking (LST)

When a link failure occurs on a REP and MST segment, the associated protocols handle the link failure event. However, if the primary link to the switch is enabled even though the corresponding uplink ports on the switch are disabled, the REP and MST protocols are unaware of the backbone side and do not trigger a failover. The router continues to receive traffic from the access side and then silently drops it because there is no backbone connectivity. Link state tracking solves this problem by binding the link status of the downlink ports to the uplink interfaces. Uplink state tracking is configured such that when a set of uplink ports is disabled, the other ports linked to them through CLI commands are disabled as well. The downlink interfaces are error-disabled only when all the upstream interfaces are disabled.

LST triggers REP/MST re-convergence on the access side depending on the state of the core-facing interface. The link states of the core-facing interface and the access-facing interface are bound by a link state tracking group.

LST facilitates:

  • Enabling and disabling of link state group tracking.
  • Removal of downstream interfaces from a link state group.
  • Performing shut/no shut on an error-disabled interface.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines when you configure the LST:

  • Ensure that the management interfaces are not part of a link state group.
  • A REP port cannot be configured as an uplink port.
  • LST does not allow any interface, upstream or downstream, to be part of more than one link state group.
  • You can configure a maximum of 10 link state groups.
  • When you configure LST for the first time, you must add upstream interfaces to the link state group before adding downstream interfaces; otherwise the downlink interfaces are placed in the error-disabled state.
  • The configurable interfaces are physical (both routed and switch port), port-channel, sub-interface and VLAN.
  • Upstream interfaces are required to be among:
      - L3 interface (physical or port-channel)
      - SVI
  • Downstream interfaces are required to be among:
      - L2 interface
      - L2 port-channel
      - EVC

Configuring Link State Tracking

Perform the following tasks to configure LST.

SUMMARY STEPS

1. enable

2. configure terminal

3. link state track number

4. interface slot/port

5. link state group [number] {upstream | downstream}

6. end

DETAILED STEPS

 

Command or Action
Purpose

Step 1

enable

 

Example:

Router> enable

Enables privileged EXEC mode.

Step 2

configure terminal

 

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

link state track number

 

Example:

Router(config)# link state track 1

Creates a link-state group, and enables LST. The acceptable range is 1-10; the default value is 1.

Step 4

interface slot/port

 

Example:

Router(config)# interface gigabitethernet 2/1

 

Configures an interface.

Step 5

link state group [number] {upstream | downstream}

 

Example:

Router(config-if)# link state group 1 upstream

Specifies a link-state group and configures the interface as either an upstream or downstream interface in the group. The group number can be 1 to 10; the default value is 1.

Step 6

end

 

Example:

Router(config-if)# end

Exits the CLI to privileged EXEC mode.

This example shows how to create a link-state group and configure the interfaces:

Router# configure terminal
Router(config)# link state track 1
Router(config)# interface gigabitethernet3/1
Router(config-if)# link state group 1 upstream
Router(config-if)# interface gigabitethernet3/3
Router(config-if)# link state group 1 upstream
Router(config-if)# interface gigabitethernet3/5
Router(config-if)# link state group 1 downstream
Router(config-if)# interface gigabitethernet3/7
Router(config-if)# link state group 1 downstream
Router(config-if)# end

Verification

Use the show link state group command to display the link-state group information.

Router> show link state group 1
Link State Group: 1 Status: Enabled, Down
 

Use the show link state group detail command to display detailed information about the group.

 
Router> show link state group detail
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
Link State Group: 1 Status: Enabled, Down
Upstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)
Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)
Link State Group: 2 Status: Enabled, Down
Upstream Interfaces : Gi3/15(Dwn) Gi3/16(Dwn) Gi3/17(Dwn)
Downstream Interfaces : Gi3/11(Dis) Gi3/12(Dis) Gi3/13(Dis) Gi3/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
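The following added example (not part of the Cisco guide) parses output in the format of show link state group detail and checks it against the restrictions above and the troubleshooting case below. It assumes that downstream ports are disabled only when every upstream port in the group is down, and that a (Dis) downstream port in a group with an upstream port up corresponds to the troubleshooting case; the sample text and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of "show link state group detail" above.
# Group 2 and the double membership of Gi3/1 are invented to exercise the checks.
SAMPLE = """\
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
Link State Group: 1 Status: Enabled, Down
Upstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)
Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)
Link State Group: 2 Status: Enabled, Up
Upstream Interfaces : Gi3/15(Up) Gi3/16(Dwn)
Downstream Interfaces : Gi3/11(Up) Gi3/12(Dis) Gi3/1(Up)
"""

GROUP_RE = re.compile(r"^Link State Group:\s*(\d+)\s+Status:\s*(\w+),\s*(\w+)")
MEMBERS_RE = re.compile(r"^(Upstream|Downstream) Interfaces\s*:\s*(.*)$")
PORT_RE = re.compile(r"(\S+?)\((Up|Dwn|Dis)\)")
MAX_GROUPS = 10  # "You can configure a maximum of 10 link state groups."


def parse_groups(text):
    """Return {group_id: {"admin", "oper", "upstream": {port: state}, "downstream": {...}}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = GROUP_RE.match(line)
        if header:
            current = {"admin": header.group(2), "oper": header.group(3),
                       "upstream": {}, "downstream": {}}
            groups[int(header.group(1))] = current
            continue
        members = MEMBERS_RE.match(line)
        if members and current is not None:
            role = members.group(1).lower()
            current[role].update(dict(PORT_RE.findall(members.group(2))))
    return groups


def audit(groups):
    """Return a sorted list of (kind, group_ids, ports) findings."""
    findings = []
    if len(groups) > MAX_GROUPS:
        findings.append(("too-many-groups", tuple(sorted(groups)), ()))
    membership = defaultdict(list)
    for gid in sorted(groups):
        group = groups[gid]
        for role in ("upstream", "downstream"):
            for port in group[role]:
                membership[port].append(gid)
        disabled = tuple(sorted(p for p, s in group["downstream"].items() if s == "Dis"))
        if not disabled:
            continue
        if any(state == "Up" for state in group["upstream"].values()):
            # Troubleshooting case: downstream disabled although an upstream is up.
            findings.append(("stuck-disabled", (gid,), disabled))
        else:
            # Expected LST behaviour (assumed rule): no upstream left, access side disabled.
            findings.append(("tracked-down", (gid,), disabled))
    for port in sorted(membership):
        if len(membership[port]) > 1:
            # An interface may belong to at most one link state group.
            findings.append(("multi-group", tuple(membership[port]), (port,)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, gids, ports in audit(parse_groups(SAMPLE)):
        print(kind, gids, " ".join(ports))
```

A stuck-disabled finding is the one to follow up with the show interfaces <interface> status err-disabled and show errdisable recovery commands from the troubleshooting table.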
 

Troubleshooting the Link State Tracking

Table 4-16 lists the troubleshooting issues while configuring LST:

Table 4-16 Troubleshooting LST Issues

Problem
Solution

The downstream interface is in error-disabled state even though the upstream interfaces are up.

Use the show interfaces <interface> status err-disabled command to check why the interface is in such state.

Use the show errdisable recovery command to view information about the error-disable recovery timer.

MAC Address Security for EVC Bridge Domain

Cisco 7600 series routers currently support port security on a per-port basis. For more information, see Configuring Port Security at:

http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/port_sec.html

The Media Access Control (MAC) Address Security for EVC Bridge Domain feature addresses port security with EVCs by providing the capability to control and filter MAC address learning behavior at the granularity of a per-EFP basis. For instance, when a violation requires a shutdown, only the customer assigned to a given EFP is affected rather than all customers using the port.

Port Security and the MAC Address Security for EVC Bridge Domain feature operate independently of each other.

Cisco IOS Release 12.2(33)SRE adds support for MAC address security on EVC port-channels. This feature operates on a port-channel interface in a similar manner to how it works on a physical port. In each case, MAC security is configured on a service instance associated with a bridge domain.

This section contains the following topics:

Restrictions and Usage Guidelines

When configuring MAC Address Security for EVC Bridge Domain, follow these restrictions and usage guidelines:

  • System wide, the following limits apply to the total configured whitelist and learned MAC addresses:
      - Total number of MAC addresses supported under MAC Security is limited to 32K.
      - Total number of MAC addresses supported under MAC Security, per bridge domain, is limited to 10K.
      - Total number of MAC addresses supported under MAC Security, per EFP, is limited to 1K.

  • You can configure or remove the various MAC security elements irrespective of whether MAC security is enabled on the EFP. However, these configurations will become operational only after MAC security is enabled.
  • Upon enabling the MAC Address Security for EVC Bridge Domain feature, existing MAC address table entries on the EFP are removed.
  • The MAC Address Security for EVC Bridge Domain feature can be configured on an EFP only if the EFP is a member of a bridge domain.
  • If you disassociate the EFP from the BD, the MAC security feature is completely removed.
  • For port-channel, this configuration is propagated to all member links in the port-channel. Consistent with the already implemented bridge domain EVC port-channel functionality, packets on a secured EFP are received on any member link, but all the egress packets are sent out to one of the selected member links.
  • MAC security is not supported on MTP and C-MAC bridge domain.

Enabling MAC Address Security for EVC Bridge Domain

This section describes how to enable MAC address security for EVC bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security or no mac security

 

Router(config-if-srv)# mac security or
Router(config-if-srv)# no mac security

Enables or disables the MAC Security on the EFP.

Examples

This example shows how to enable MAC address security for EVC bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
 

This example shows how to disable MAC address security for EVC bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# no mac security
 

Disabling MAC Address Security for EVC Bridge Domain on an EFP

This section describes how to disable MAC address security for EVC bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. no mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

no mac security

 

Router(config-if-srv)# no mac security

Disables MAC Security on the EFP.

Examples

This example shows how to disable MAC address security for EVC bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# no mac security

Configuring MAC Address Whitelist on an EFP

MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition and device reload. Sticky MAC addresses are shown in the MAC table as static addresses. However, you should copy the running configuration details to retain the MAC address details.

This section describes how to configure sticky MAC addresses on an EFP.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security sticky

8. mac security

9. no mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security address permit mac address

 

Router(config-if-srv)# mac security address permit 0000.1111.2222

Adds the specified MAC Address as a whitelist ("permit") MAC Address for the EFP.

Step 8

mac security

 

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example shows how to configure whitelisted MAC addresses on an EFP that is a member of a bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security address permit 0000.1111.2222
Router(config-if-srv)# mac security

Configuring Sticky MAC Addresses on an EFP

MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition and device reload. Sticky MAC addresses are shown in the MAC table as static addresses. However, you should copy the running configuration details to retain the MAC address details.

This section describes how to configure sticky MAC addresses on an EFP.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security sticky

8. mac security

9. no mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames (double tagged) on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security sticky

 

Router(config-if-srv)# mac security sticky

Enables Sticky feature causing all dynamic secure MAC addresses to become sticky MAC addresses. Any new MAC address learnt becomes sticky.

Note To retain the sticky MAC addresses across reloads, ensure that you save the running configuration to the startup configuration.

Step 8

mac security

 

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Step 9

no mac security

 

Router(config-if-srv)# no mac security

Disables the MAC Security on the EFP.

Examples

This example configures sticky MAC addresses on an EFP.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security
 

Configuring Secure MAC Address Aging on an EFP

This section shows how to configure aging of secured MAC addresses under MAC Security. Secured MAC addresses are not subject to the normal aging of MAC table entries in the system. By default, secure MAC addresses do not age out.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id double tagged

6. bridge-domain bridge-id

7. mac security aging time m [inactivity]

8. mac security aging static

9. mac security aging sticky

10. mac security

11. no mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q double-tagged frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security aging time m [inactivity]

 

Router(config-if-srv)# mac security aging time 200

Sets the aging time for secure addresses (range is 0-1440). The optional inactivity keyword specifies that the address aging is due to inactivity of the sending hosts (as opposed to absolute aging).

Step 8

mac security aging static

 

Router(config-if-srv)# mac security aging static

Applies aging controls to statically configured addresses.

Step 9

mac security aging sticky

 

Router(config-if-srv)# mac security aging sticky

Applies aging controls to sticky addresses.

Step 10

mac security

 

Router(config-if-srv)# mac security

Enables MAC Security on the EFP. A sticky MAC address is shown in the MAC table as a static address.

Step 11

no mac security

 

Router(config-if-srv)# no mac security

Disables the MAC Security on the EFP.

Examples

This example shows how to configure the aging time for secure addresses to 10 minutes.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10
Router(config-if-srv)# mac security
 

This example shows a configuration where the aging out of addresses is based on inactivity of the sending hosts. An address will age out if it is not seen for 10 minutes.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10 inactivity
Router(config-if-srv)# mac security
 

The mac security aging time command only ages out secure addresses that are learned. To enable aging out of whitelist or sticky addresses when the mac security aging time command is configured, use the mac security aging static command (applies aging controls to statically configured addresses) or the mac security aging sticky command (applies aging controls to persistent, that is, sticky, addresses). The configuration below shows an example of applying aging to a sticky address.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security aging time 100

Configuring MAC Address Limiting on EFP

This section describes how to configure an upper limit for the number of secured MAC addresses allowed on an EFP. This includes addresses added as part of a whitelist, as well as dynamically learned MAC addresses. If the upper limit is decreased, one or more learned MAC entries may be removed. The default limit is 1.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id double tagged

6. bridge-domain bridge-id

7. mac security maximum addresses n

8. mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge-domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security maximum addresses n

 

Router(config-if-srv)# mac security maximum addresses 10

Sets (or changes) the maximum number of secure addresses permitted on the EFP to the integer value n. The acceptable range of secure addresses is 1-1024.

Step 8

mac security

 

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example configures an upper limit of 10 for the number of secured MAC addresses allowed on an EFP.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security maximum addresses 10
Router(config-if-srv)# mac security
 

Configuring MAC Address Limiting on a Bridge Domain

This section describes how to configure an upper limit for the number of secured MAC addresses located on the bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [broadcast] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [lan-fcs] [split-horizon]

4. mac limit maximum addresses [n]

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [broadcast] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [lan-fcs] [split-horizon]

 

Router(config)# bridge-domain 12

Specifies the bridge domain.

Step 4

mac limit maximum addresses [n]

 

Router(config-bdomain)# mac limit maximum addresses 1000

Sets the limit for maximum addresses. The default value is 10240.

Examples

This example configures an upper limit of 1000 for the number of secured MAC addresses.

Router# enable
Router# configure terminal
Router(config)# bridge-domain 100

Router(config-bdomain)# mac limit maximum addresses 1000

Configuring Violation Response on an EFP

This section describes how to specify the expected behavior of the device when an attempt to dynamically learn a MAC address fails because of a violation of the configured MAC Security policy on the EFP. The default violation behavior is an EFP shutdown.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security violation restrict or mac security violation protect

8. mac security

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/subslot/port

or

interface tengigabitethernet slot/subslot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

service instance id Ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

mac security violation restrict
or
mac security violation protect

 

Router(config-if-srv)# mac security violation restrict

Sets the violation mode to restrict or protect.

The no version of this command sets the violation response back to default (default is shutdown). In the Restrict scenario, the packets are dropped and an error message is displayed about the log warning level; in the Protect scenario, the packets are silently dropped and no messages are displayed.

Step 8

mac security

 

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example configures a restrict violation response on EFP.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security violation restrict

Router(config-if-srv)# mac security
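The following added example (not part of the Cisco guide) lints a configuration template against the rules stated in the MAC Security sections above: bridge-domain membership, the need to enable mac security for the other settings to become operational, the 1-1024 address limit with its default of 1, the 0-1440 aging range, and the silent behavior of protect mode. The sample configuration is constructed, the running-config layout is assumed to mirror the commands as entered, and the function names and finding labels are illustrative.

```python
import re

# Constructed template; assumes the saved form mirrors the commands entered above.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 service instance 10 ethernet
  encapsulation dot1q 20
  bridge-domain 100
  mac security address permit 0000.1111.2222
  mac security address permit 0000.1111.3333
  mac security violation protect
  mac security
 !
 service instance 11 ethernet
  encapsulation dot1q 21
  bridge-domain 100
  mac security maximum addresses 2000
  mac security aging time 10 inactivity
 !
interface GigabitEthernet2/2
 service instance 20 ethernet
  encapsulation dot1q 30
  mac security
 !
 service instance 21 ethernet
  encapsulation dot1q 31
  bridge-domain 200
  mac security maximum addresses 10
  mac security violation restrict
  mac security sticky
  mac security
 !
"""

INSTANCE_RE = re.compile(r"service instance (\d+) ethernet", re.IGNORECASE)


def parse_efps(config):
    """Collect the MAC Security settings of every service instance (EFP)."""
    efps, iface, efp = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        instance = INSTANCE_RE.match(line)
        if raw.startswith("interface "):
            iface, efp = line.split(None, 1)[1], None
        elif instance:
            efp = {"interface": iface, "id": int(instance.group(1)),
                   "bridge_domain": None, "enabled": False, "tuned": False,
                   "permit": [], "maximum": 1, "violation": "shutdown",
                   "aging": None, "sticky": False}  # defaults: limit 1, shutdown
            efps.append(efp)
        elif efp is None:
            continue
        elif line == "!":
            efp = None
        elif line.startswith("bridge-domain "):
            efp["bridge_domain"] = int(line.split()[1])
        elif line == "mac security":
            efp["enabled"] = True
        elif line.startswith("mac security "):
            efp["tuned"] = True
            words = line.split()[2:]
            if words[:2] == ["address", "permit"]:
                efp["permit"].append(words[2])
            elif words[:2] == ["maximum", "addresses"]:
                efp["maximum"] = int(words[2])
            elif words[:2] == ["aging", "time"]:
                efp["aging"] = int(words[2])
            elif words[0] == "violation":
                efp["violation"] = words[1]
            elif words == ["sticky"]:
                efp["sticky"] = True
    return efps


def audit_efp(efp):
    """Return the list of finding labels for one parsed EFP."""
    findings = []
    if (efp["enabled"] or efp["tuned"]) and efp["bridge_domain"] is None:
        findings.append("no-bridge-domain")           # EFP must be a bridge-domain member
    if efp["tuned"] and not efp["enabled"]:
        findings.append("configured-but-not-enabled")  # settings not operational yet
    if not 1 <= efp["maximum"] <= 1024:
        findings.append("maximum-out-of-range")
    if len(efp["permit"]) > efp["maximum"]:
        findings.append("whitelist-exceeds-maximum")   # the limit counts whitelist entries
    if efp["aging"] is not None and not 0 <= efp["aging"] <= 1440:
        findings.append("aging-out-of-range")
    if efp["enabled"] and efp["violation"] == "protect":
        findings.append("silent-drop")                 # no message is shown on violation
    return findings


def audit_config(config):
    """Map (interface, service instance id) to its findings."""
    return {(e["interface"], e["id"]): audit_efp(e) for e in parse_efps(config)}


if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(key, findings or "ok")
```

The silent-drop label marks EFPs where a violation produces no message, so monitoring has to rely on the show ... mac security statistics and last violation commands instead.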

Error Recovery

This section describes how to recover from a violation that causes an EFP shutdown (the default violation response) and contains the following sections:

  • Manual recovery
  • Automatic recovery

Manual Recovery

For manual recovery, use the clear ethernet service instance id id interface interface-name errdisable command to bring the service instance out of an error-disabled state as shown below:

Router# enable
Router# clear ethernet service instance id 10 interface gi1/1 errdisable

Automatic recovery

For automatic recovery, use the errdisable recovery cause mac-security command. You must specify the timer interval. The valid value is from 30 to 86400 seconds. In the configuration example that follows, the EFP recovers 60 seconds after the violation causes the shutdown.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security

Router(config-if-srv)# errdisable recovery cause mac-security 60

Verification

Use the following commands to verify operation.

 

Command
Purpose

Router# show ethernet service instance id id interface interface mac security address

Displays the secure addresses on the specified EFP.

Router# show ethernet service instance id id interface interface mac security last violation

Displays the last violation recorded on the specified EFP.

Router# show ethernet service instance id id interface interface mac security statistics

Displays the number of allowed and actual secured addresses and the number of violations recorded on the EFP.

Router# show ethernet service instance id id interface interface mac security

Displays the MAC Security status of the specified EFP.

Router# show ethernet service instance mac security address

Displays the secure addresses on all the EFPs in the system.

Router# show ethernet service instance mac security last violation

Displays information about the last violation recorded on the device (across all service instances) and information about the last violation recorded on each of the service instances.

Router# show ethernet service instance mac security statistics

Displays the number of allowed and actual secured addresses, as well as the number of violations recorded on all the EFPs in the system.

Router# show ethernet service instance mac security

Displays all the EFPs in the system that have MAC Security enabled.

Router# show bridge-domain id mac security address

Displays the secure addresses on all EFPs belonging to the specified bridge domain.

Router# show bridge-domain id mac security last violation

Displays information about the last violation recorded on each of the service instances belonging to the bridge domain.

Router# show bridge-domain id mac security statistics

Displays the number of allowed and actual secured addresses, as well as the number of violations recorded on all the EFPs that belong to the specified bridge domain.

Router# show bridge-domain id mac security

Displays all the EFPs that belong to the specified bridge domain, and that have MAC Security enabled.

Troubleshooting

Table 4-17 provides troubleshooting solutions for the MAC Security feature.

Table 4-17 Troubleshooting Scenarios for MAC Security feature

Problem
Solution

MAC security errors on the RP

Use the debug ethern serv instance id id interface int mac sec errors and debug ethern serv instance id id interface int mac table errors commands. Share the output with TAC for further investigation.

MAC security errors on the SP

Use the debug ethernet service instance mac security errors and debug ethernet service instance mac table errors commands to troubleshoot mac security issues on the RP.

EFP is disabled and is unable to automatically recover from error disable state

Use the errdisable recovery cause mac-security interval or clear ethernet service instance id id interface interface-name errdisable commands to re-enable the EFP.

Mac security aging timer is inactive

When mac security aging time inactivity is configured, the hardware MAC table aging timer for the EFP VLAN is set with the mac address-table aging-time time [vlan <vlan id>] configuration command. To resolve the aging timer inactivity, reset the aging time to the default value of 300 seconds.

CFM and PVST Co-Existence

Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation. Currently, Ethernet CFM supports inward facing and outward facing Maintenance Endpoints (MEPs). For information on Ethernet Connectivity Fault Management, see http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html .

The CFM and PVST Co-Existence feature allows Per VLAN Spanning Tree (PVST) and CFM to co-exist on Cisco 7600 series routers.

The CFM and PVST Co-Existence feature makes use of these Ethernet components:

  • Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network.
  • Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface.

Each EFP is identified with an EVC. An EVC ID is globally unique within a network. In addition, an EFP is associated with one bridge domain. All the EFPs in a bridge domain belong to the same EVC (when specified).

For EFPs, untagged, single-tagged, and double-tagged encapsulations exist with dot1q, QinQ, and IEEE dot1ad Ether types. Different EFPs belonging to a bridge domain can have different encapsulations.

Restrictions and Usage Guidelines

When configuring CFM and PVST Co-Existence, follow these restrictions and usage guidelines:

  • The following line cards and supervisors that have three or more match registers are supported:
      - ES20 line cards
      - ES+ line cards
      - RSP720-3C-10GE and
      - Supervisor Engine 32
      - WS-X67xx line cards (with supported supervisor)
  • Generic VLAN Registration Protocol (GVRP) and CFM coexistence is also supported.
  • The following co-existing configurations are supported:
      - PVST and CFM; you must configure PVST before configuring CFM
      - Generic VLAN Registration Protocol (GVRP) and CFM; you must configure GVRP before configuring CFM
      - PVST and GVRP; there is no restriction for the order of configuration.

  • CFM uses two match registers to identify the control packet type; PVST also uses a match register to identify its control packet type. For both protocols to work on the same system, each line card must support three match registers, at least one being able to support only a 44-bit MAC match.

This message is displayed when no match registers are available.

CFM is enabled system wide except on supervisor ports due to spanning tree configuration on supervisor ports for CFM due to hardware limitations on these ports. Continued with enabling CFM system-wide to allow coexistence with other protocols such as PVST.

Administrator action may be required. Ensure no CFM traffic is presented to any supervisor ports via configuration. If not possible configure STP mode to MST and re-enable CFM or disable CFM completely.
 

This message is displayed when the 48 bit match register is not available.

CFM is enabled system wide except it's disabled on supervisor ports due to spanning tree or GVRP configuration. Unable to program all port ASIC MAC match registers on supervisor ports for CFM due to hardware limitations on these ports. Continued with enabling CFM system-wide to allow coexistence with other protocols such such as PVST or GVRP.System has handled this by disabling CFM on all supervisor ports. If this is unacceptable configure STP mode to MST and re-enable CFM or disable CFM completely.

This message is displayed, if after configuring PVST-CFM or GVRP-CFM co-existence, an attempt is made to power up an unsupported line card or to insert an unsupported line card into the router:

Unsupported module in slot 3, power not allowed: Module has insufficient match registers. Enabled relevant protocols include SSTP CFM_MULTICAST.


Note Slot 3 in the above message refers to the module with insufficient match registers.


Configuring PVST and CFM Co-Existence


Note PVST mode is the default spanning-tree mode. It is enabled when you boot the router.



Note You cannot disable PVST spanning-tree mode or MST spanning-tree mode with the no versions of the spanning-tree mode mst or spanning-tree mode pvst commands; you must enable the other spanning-tree mode to disable the existing spanning-tree mode. For example, if you want to disable the MST spanning-tree mode, you must enable the PVST spanning-tree mode.


SUMMARY STEPS

1. enable

2. configure terminal

3. spanning-tree mode pvst

4. ethernet cfm enable

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

spanning-tree mode pvst

 

Router(config)# spanning-tree mode pvst

Configures Per-VLAN Spanning Tree+ (PVST+) mode.

Step 4

ethernet cfm enable

 

Router(config)# ethernet cfm enable

Enables connectivity fault management (CFM) processing globally on a device.

The following example configures PVST and CFM Co-Existence:

Router# enable
Router# configure terminal
Router(config)# spanning-tree mode pvst
Router(config)# ethernet cfm enable

Configuring GVRP and CFM Co-Existence

SUMMARY STEPS

1. enable

2. configure terminal

3. gvrp global

4. ethernet cfm enable

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

gvrp global

 

Router(config)# gvrp global

Enable GVRP globally.

Step 4

ethernet cfm enable

 

Router(config)# ethernet cfm enable

Enables connectivity fault management (CFM) processing globally on a device.

The following example configures GVRP and CFM Co-Existence:

Router# enable
Router# configure terminal
Router(config)# gvrp global
Router(config)# ethernet cfm enable

Configuring PVST and GVRP Co-Existence

SUMMARY STEPS

1. enable

2. configure terminal

3. gvrp global

4. spanning-tree mode pvst

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

gvrp global

 

Router(config)# gvrp global

Enable GVRP globally.

Step 4

spanning-tree mode pvst

 

Router(config)# spanning-tree mode pvst

Configures Per-VLAN Spanning Tree+ (PVST+) mode.

The following example configures PVST and GVRP Co-Existence:

Router# enable
Router# configure terminal
Router(config)# gvrp global
Router(config)# spanning-tree mode pvst

Verification

Use the following commands to verify operation.

 

Command
Purpose

Router# show running-config

Displays the contents of the current running configuration file or the configuration for a specific module.

Router# remote command switch show platform mrm info

Displays protocols using port ASIC match registers. However, the feature will not be enabled if the match registers are not programmed.

Custom Ethertype for EVC Interfaces

The custom ethertype feature allows you to configure the ethertype to be used for outer tag for dot1q and QinQ packets. By default, the Cisco 7600 series router supports ethertype 0x8100 for dot1q and QinQ outer tags. The following ethertype can be configured under a physical port:

  • 0x8100 – 802.1q
  • 0x9100 – Q-in-Q
  • 0x9200 – Q-in-Q, and
  • 0x88a8 – 802.1ad

You can use the dot1q tunneling ethertype ethertype-value command to configure the custom ethertype on a physical port.

In the following sample configuration, ethertype is set to 0x9100, service instance is created, and Rewrite process is initiated:

interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
service instance <number> ethernet
encapsulation dot1q <vlan 1> [second-dot1q <vlan 2>]
Rewrite <Rewrite>

Note 802.1q (0x8100) is the default ethertype setting.



Note Cisco IOS Release 12.2(33)SRE adds support for custom ethertype to port-channels.
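The effect of the configured outer-tag ethertype on how a port reads VLAN tags, as an added Python example (not Cisco code). It is a simplified model: the inner tag is assumed to use 0x8100, a frame whose outer TPID differs from the configured value is reported as untagged, and the frames and function names are constructed for this example.

```python
import struct

# Outer-tag ethertypes the page lists as configurable on a physical port.
ALLOWED_OUTER = {0x8100, 0x9100, 0x9200, 0x88A8}
# Assumption of this example: the inner (customer) tag keeps 0x8100.
INNER_TPID = 0x8100


def build_frame(tags, payload_type=0x0800):
    """Build a constructed test frame: zeroed MAC addresses, then one
    (tpid, vlan) pair per VLAN tag, then the payload ethertype."""
    frame = bytes(12)
    for tpid, vlan in tags:
        frame += struct.pack("!HH", tpid, vlan & 0x0FFF)
    return frame + struct.pack("!H", payload_type) + bytes(46)


def classify(frame, outer_tpid=0x8100):
    """Return the VLAN IDs seen by a port configured with outer_tpid:
    [] for untagged, [outer] for single tag, [outer, inner] for QinQ."""
    if outer_tpid not in ALLOWED_OUTER:
        raise ValueError("ethertype 0x%04x is not configurable" % outer_tpid)
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    vlans, offset, expected = [], 12, outer_tpid
    # Read at most two tags: the outer one must carry the configured
    # TPID, the inner one the standard 802.1Q TPID.
    while len(vlans) < 2 and len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        expected = INNER_TPID
    return vlans


if __name__ == "__main__":
    qinq = build_frame([(0x9100, 100), (0x8100, 200)])
    for tpid in sorted(ALLOWED_OUTER):
        print("port ethertype 0x%04x sees VLANs %s" % (tpid, classify(qinq, tpid)))
```

The same double-tagged frame is read as VLANs 100 and 200 only on a port whose configured ethertype matches its outer tag, which is why both ends of a link need the same setting.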


Supported Rewrite Rules for a Custom Ethertype Configuration

Rewriting allows you to add or remove VLAN tags in the packets transferred between two customer sites in the service provider networks.

The following types of Rewrites are supported on a Network-to-Network Interface (NNI):

  • Non-Range on C-Tag on NNI
  • Range on C-Tag on NNI

Supported Rewrites for Non-Range on C-Tag with a NNI

When Custom Ethertype is configured within the NNI physical interface and VLAN range is not specified, the following Rewrites are supported for a provider bridge:

  • For “encapsulation untagged”:
      • No Rewrite
      • Rewrite ingress tag push dot1q <vlan1> [second-dot1q <vlan2>] symmetric
  • For “encapsulation default”:
      • No Rewrite
  • For “encapsulation dot1q <vlan>”:
      • No Rewrite
      • Rewrite ingress tag pop 1 symmetric
      • Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
      • Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
  • For “encapsulation dot1q <vlan1> second-dot1q <vlan2>”:
      • No Rewrite
      • Rewrite ingress tag pop 1 symmetric
      • Rewrite ingress tag pop 2 symmetric
      • Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
      • Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
      • Rewrite ingress tag translate 2-to-1 dot1q <vlan> symmetric
      • Rewrite ingress tag translate 2-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric

Supported Rewrites for Range on C-Tag with a NNI

When a VLAN range is specified on the C-Tag, push Rewrites are not supported. The following Rewrites are supported for VLAN range on C-Tag:

  • For “encapsulation dot1q <vlan1 – vlan2>”:
      • No Rewrite
  • For “encapsulation dot1q <vlan1> second-dot1q <vlan2 – vlan3>”:
      • No Rewrite
      • Rewrite ingress tag pop 1 symmetric
      • Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
      • Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric


Note To avoid hierarchical provider bridges when any Custom Ethertype is configured, NNI interface does not support “ingress push” Rewrite except for “encap untagged”.


Restrictions and Usage Guidelines

When configuring Custom Ethertype, follow these restrictions and usage guidelines:

  • If a custom ethertype is configured on the port-channel, the same ethertype is implicitly configured for all the other member interfaces.
  • You cannot configure Custom ethertype explicitly under a member interface of a port-channel.
  • An interface configured with custom ethertype cannot be a part of port-channel.
  • An ES+ port configured with custom ethertype cannot become member of port-channel.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface port-channel number

4. dot1q tunneling ethertype [0x9100|0x9200|0x88A8]

5. [no] service instance id {Ethernet [service-name]}

6. [no] encapsulation untagged, dot1q {any | vlan-id[vlan-id[vlan-id]]} second-dot1q {any |vlan-id[vlan-id[vlan-id]]}

7. Rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id}| 2-to-1 dot1q vlan-id }| 1-to-2 {dot1q vlan-id second-dot1q vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id dot1q vlan-id}} symmetric

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4

dot1q tunneling ethertype [0x9100 | 0x9200 | 0x88A8]

 

Router(config-if)# dot1q tunneling ethertype 0x88A8

Configures the Custom Ethertype as 9100, 9200, or 88A8 within the physical interface. All service instances under the physical interface use the configured ethertype.

Step 5

service instance id ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6

encapsulation untagged dot1q {any | vlan-id[vlan-id[vlan-id]]} second-dot1q {any | vlan-id[vlan-id[vlan-id]]}

 

Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 200

Defines the matching criteria that maps the ingress dot1q, QinQ, or untagged frames on an interface for the appropriate service instance.

Step 7

Rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id}| 2-to-1 dot1q vlan-id }| 1-to-2 {dot1q vlan-id second-dot1q vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id dot1q vlan-id}} symmetric

 

Router(config-if-srv)# Rewrite ingress tag push dot1q 20

Specifies the Rewrite operation.

Examples

Single Tag Encap with Connect with Custom Ethertype Configured

In the following example, Custom Ethertype is configured on a single tag encap using the connect configuration:

 
Router#sh running-config int Gi1/1
Building configuration...
interface GigabitEthernet 1/1
no ip address
dot1q tunneling ethertype 0x9100
no mls qos trust
service instance 1 ethernet
encapsulation dot1q 10
 
Router#sh running-config int Gi1/2
interface GigabitEthernet 1/2
no ip address
dot1q tunneling ethertype 0x9100
mls qos trust dscp
service instance 1 ethernet
encapsulation dot1q 10
Router(config)# connect LC1 GigabitEthernet 1/1 1 GigabitEthernet 1/2 1

Single Tag Encap with Bridge Domain

In the following example, Custom Ethertype is configured on a single tag encap using bridge domain configuration:

Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
no ip address
dot1q tunneling ethertype 0x9100
no mls qos trust
service instance 1 ethernet
encapsulation dot1q 10
bridge-domain 100
Router#sh running-config int Gi1/2
interface GigabitEthernet 1/2
no ip address
dot1q tunneling ethertype 0x9100
mls qos trust dscp
service instance 1 ethernet
encapsulation dot1q 10
bridge-domain 100

Single Tag Encap with XConnect

In the following example, Custom Ethertype is configured on a single tag encap with xconnect configuration:

 
Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
no ip address
dot1q tunneling ethertype 0x9100
no mls qos trust
service instance 1 ethernet
encapsulation dot1q 10
xconnect 3.3.3.3 10 encapsulation mpls
 
Router#sh running-config int Gi1/2
interface GigabitEthernet 1/2
ip address 10.10.10.2 255.255.255.0
no mls qos trust
mpls label protocol ldp
mpls ip

Custom Ethertype Support with Sub Interfaces

In this example, Custom Ethertype is configured on a sub interface. Custom Ethertype is always configured within the main physical interface and QinQ encap is configured within the subinterface.

Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
no ip address
dot1q tunneling ethertype 0x9100
no mls qos trust
end
interface GigabitEthernet 1/1.10
encapsulation dot1Q 10 second-dot1q 20
ip address 20.20.20.2 255.255.255.0
end

Verification

Use the following commands to verify operations.

 

Command
Purpose

Router# show ethernet service instance [id instance-id | interface interface-id | interface interface-id] [detail]

Displays information about:

  • Specific EVCs if an EVC ID is specified
  • All the EVCs on an interface if an interface is specified.

The detailed option provides additional information about the EVC. This can be given on RP and LC consoles to determine Custom Ethertype configured under a physical port.

Troubleshooting

Table 4-18 provides troubleshooting solutions for the Custom Ethertype feature.

Table 4-18 Troubleshooting Scenarios

Problem
Solution

Error in custom ethertype programming for all the UP links

Use the show platform npc xlif channel-id port < port sram line command to verify if the port-sram is programmed correctly and displays the configured ethertype. Share the output with TAC for further investigation.

Incorrect programming of custom ethertype in a port-channel subinterface

Use the show vlan internal usage command to trace errors related to custom ethertype programming and find the internal VLAN allocated to the sub-interface. You can use the internal VLAN to verify if the XLIF entry is present in the ES40 line card. Use this to verify if the custom ethertype is properly programmed in the XLIF.

Unknown errors and events on the port channel

Use the debug platform port-channel [ event, error] command to trace the port channel events and errors. Share the output with TAC for further investigation.

GE LAG with LACP on UNI with Advanced Load Balancing

The GE Link Aggregation with Advanced Load Balancing feature allows the user to specify the primary and multiple backup preferred member links for the service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for a given service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available or the user has configured neither the primary nor the backup links, the 7600 platform automatically selects an egress interface for the given service instance. In this case, the user has no control over the egress interface.

If primary and backup links are configured and if the primary interface goes down, one of the backup links is selected as the egress interface. At this stage, when the primary interface comes up, there is a switch back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup link in the list is used. This continues until an available backup link is found.

This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic. In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with current service instance feature support and supports the existing scale of 8000 service instance per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.

Restrictions and Usage Guidelines

When configuring GE Link Aggregation with Advanced Load Balancing, follow these guidelines and restrictions:

  • When the user configures a link ID for a port-channel member link and configures that member link as the preferred egress link for some service instances in that port-channel, there is redistribution of traffic. The redistribution is such that:

Service instances that were configured to be sent over the preferred egress member link are sent over the preferred member link. This is expected behavior.

Traffic for which the user has not configured a preferred member link is also redistributed. This redistribution happens as follows:

For example, assume there are 8 member links in the port-channel. The port manager allocates the load share of the member links as follows:

Member 1—Load share bit 0, Member 2—Load share bit 1,

Member 3—Load share bit 2, Member 4—Load share bit 3,

Member 5—Load share bit 4, Member 6—Load share bit 5,

Member 7—Load share bit 6, Member 8—Load share bit 7.

Now when the user configures Member 1 with link ID 2, the port manager code now allocates load share bit 2 to member 1. So, the new assignments are,

Member 1—Load share bit 2, Member 3—Load share bit 0 (The load share of other members remains the same.)

Consider the example where the platform has chosen an egress link that has the load share bit 2. Before the user configured the link ID = 2 for Member 1, this EFP traffic was sent over Member 3. After the user configuration, since Member 1 now has the load share bit = 2, this traffic is now sent over Member 1.

The reverse also happens; traffic that was going through member 1 before the user configuration now goes through member 3.

Configuring GE Link Aggregation with Advanced Load Balancing

This section describes how to configure GE LAG with LACP on UNI with Advanced Load Balancing.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. channel-group channel-group-number mode {active | on | passive} link id

5. exit

6. interface port-channel number

7. [no] service instance id {Ethernet [service-name]}

8. encapsulation dot1q vlan-id [second-dot1q vlan-id]

9. exit

10. exit

11. interface port-channel number

12. [no] port-channel load-balance link ID

13. [no] backup link ID_list

14. [no] service-instance service_instance_list

15. [no] group service_group_list

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

channel-group channel-group-number mode {active | on | passive} link id

 

Router(config-if)# channel-group 2 mode on link 3

Assigns and configures an EtherChannel interface to an EtherChannel group.

Step 5

exit

 

Router(config-if)# exit

Exits the current configuration mode.

Step 6

interface port-channel number

 

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 7

[no] service instance id {Ethernet [service-name]}

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 8

encapsulation dot1q vlan-id [second-dot1q vlan-id]

 

Router(config-if-srv)# encapsulation dot1q 10

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 9

exit

 

Router(config-if-srv)# exit

Exits the current configuration mode.

Step 10

exit

 

Router(config-if)# exit

Exits the current configuration mode.

Step 11

interface port-channel number

 

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 12

[no] port-channel load-balance link ID

 

Router(config-if)# port-channel load-balance link 3

Configures the specified member link interfaces for load-balancing the port-channel's egress traffic and enters the load-balancing configuration submode.

Step 13

[no] backup link ID_list

 

Router(config-if-lb)# backup link 7

Configures a list of member links to use as backup for the primary load-balancing member link.

You can create multiple backup links using the backup link command. The backup links are used in order of configuration if a Port-channel member is down. A default platform algorithm is used to find the backup links if all the configured backup links are down.

Step 14

[no] service-instance service_instance_list

 

Router(config-if-lb)# service-instance 10

Defines the set of service Ethernet instances whose traffic should egress over the member link identified by configuration in Step 12.

Step 15

[no] group service_group_list

 

Router(config-if-lb)# group 10

Defines the Ethernet service groups that will be load-balanced over an interface.

Example

The following example shows four member links across two different channel-groups:

Router(config)# interface Gi0/1
Router(config-if)# channel-group 1 mode on link 3
 
Router(config)# interface Gi0/2
Router(config-if)# channel-group 1 mode on link 4
 
Router(config)# interface Gi0/3
Router(config-if)# channel-group 2 mode on link 3
 
Router(config)# interface Gi0/4
Router(config-if)# channel-group 2 mode on link 7
 
Router(config)# interface Port-channel1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if-srv)# service instance 20 ethernet
Router(config-if-srv)# encapsulation dot1Q 20
Router(config-if-srv)# service instance 60 ethernet
Router(config-if-srv)# group 10
Router(config-if-srv)# service instance 70 ethernet
Router(config-if-srv)# group 10
 

Additional service instance definitions follow:

Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 4
Router(config-if-lb)# service-instance 10,20-22
Router(config-if)# port-channel load-balance link 4
Router(config-if-lb)# service-instance 30-40
Router(config-if-lb)# group 10
 
Router(config)# interface Port-channel2
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 7
Router(config-if-lb)# service-instance 10
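The preferred-link and backup-link selection described in this section, together with the load-share bit reassignment from the 8-member example under Restrictions and Usage Guidelines, modelled as an added Python example (not Cisco code). The stanza text is constructed from the Port-channel1 example above with a second backup link added; the comma-separated backup list, the function names and the `up_links` set are assumptions of this example.

```python
import re

# Constructed input modelled on the page's Port-channel1 example.
# Assumption: 'backup link' accepts a comma-separated ID list, like the
# service-instance list in the page's example.
SAMPLE_LB_CONFIG = """\
port-channel load-balance link 3
 backup link 4,7
 service-instance 10,20-22
port-channel load-balance link 4
 service-instance 30-40
"""


def expand_ids(spec):
    """Expand an ID list such as '10,20-22' into [10, 20, 21, 22]."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_link_groups(config):
    """Return one dict per 'port-channel load-balance link' stanza."""
    groups = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"port-channel load-balance link (\d+)$", line)
        if m:
            groups.append({"primary": int(m.group(1)),
                           "backups": [], "instances": set()})
        elif groups and line.startswith("backup link "):
            # Backups keep their configured order; that order drives failover.
            groups[-1]["backups"] += expand_ids(line[len("backup link "):])
        elif groups and line.startswith("service-instance "):
            groups[-1]["instances"] |= set(
                expand_ids(line[len("service-instance "):]))
    return groups


def egress_link(groups, instance_id, up_links):
    """Return the egress link ID for a service instance: the primary if it
    is available, else the first available backup in configured order.
    None means no configured link is usable (or none is configured), so
    the platform's automatic selection applies."""
    for group in groups:
        if instance_id in group["instances"]:
            for link in [group["primary"]] + group["backups"]:
                if link in up_links:
                    return link
            return None
    return None


def assign_link_id(load_share, member, link_id):
    """Model the reassignment in the page's 8-member example: the member
    given link ID n takes load-share bit n, and the member that held
    bit n takes the bit the first member gave up."""
    new = dict(load_share)
    old_bit = new[member]
    holder = next((m for m, bit in new.items() if bit == link_id), None)
    new[member] = link_id
    if holder is not None and holder != member:
        new[holder] = old_bit
    return new


if __name__ == "__main__":
    groups = parse_link_groups(SAMPLE_LB_CONFIG)
    for up in ({3, 4, 7}, {4, 7}, {7}, set()):
        print("links up", sorted(up), "-> instance 21 egress",
              egress_link(groups, 21, up))
    print(assign_link_id({m: m - 1 for m in range(1, 9)}, 1, 2))
```

Because the selection depends only on which links are currently available, the switch back to the primary link happens as soon as it reappears in `up_links`.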
 

Verification

Use the following commands to verify operation.

 

Table 4-19 Commands for Displaying Traffic Storm Control Status and Configuration

Command
Purpose

Router# show ethernet service instance interface interface load-balance

Displays the current egress member-link assignments for service instances configured with port-channel load-balancing.

Router# show ethernet service instance id efp interface port-channel group detail

Displays detailed status for the specified service instance, including the egress member-link assignment, if any.

Troubleshooting Load Balancing Features

Table 4-20 provides troubleshooting solutions for the load balancing features.

Table 4-20 Troubleshooting Scenarios

Problem
Solution

Link group creation command is rejected with an error message “Incomplete command".

Re-configure the link group with the specific link ID and these keywords:

  • port-channel load-balance link: << Missing link ID>>
  • no port-channel load-balance link: << Missing link ID>>
  • default port-channel load-balance link: << Missing link ID>>
  • port-channel load-balance: << Missing 'link' keyword>>
  • port-channel: << Missing 'load-balance' keyword>>

Error message “Invalid input detected".

Re-configure the link group with valid IDs.

Back up link command is rejected and an error message is displayed

Ensure that:

  • The back up link ID does not overlap with the primary link ID.
  • You have not exceeded the permissible number of back up links.
  • You have not entered a sub-mode command in a deleted load-balance group.

Invalid input

  • Execute the show run command to confirm if duplicate back up link IDs exist between two link groups.
  • Ensure that the configured EFPs have valid IDs.
  • Ensure that you have not configured an existing EFP ID in a different link group.

Member link is disabled

Use the show etherchannel port-channel command to verify the load share of each member link. Study the derived output and share the information with TAC for further investigation.

Traffic is not distributed equally among all members (Port channel load balancing issue)

Use the show ethernet service instance interface port-channel load-balance command to verify the load balancing information for all the port channels. Share the output with TAC for further investigation.

Traffic is not distributed equally among all members (EFP load balancing issues)

Use the show ethernet service instance id efp interface port-channel group detail command to verify and display the load balancing information for the EFPs. Share the output with TAC for further investigation.

Storm Control on Switchports and Ports Having EVCs

A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast or multicast traffic storm on physical interfaces. The traffic storm control level is set as a percentage of the total available bandwidth of the port.

For information on LAN-based Ethernet line card Broadcast Storm Control, see the chapter ‘Configuring Traffic Storm Control’ in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide at: http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/storm.html .

This feature detects and controls broadcast and multicast congestion or storm scenarios through a rate control mechanism in ES line cards.

Storm control for ES20 and ES+ cards is supported on:

  • Switchports

Note Layer 3 (routed port) to Layer 2 (switchport) conversion is allowed only when there are no subinterfaces configured on the port.


  • Ports with EVC configurations

The feature is per port, not per EVC. Hence, all EVCs under the port are subject to the same storm control rate.

In Cisco IOS Release 15.0(1)S, the following storm control feature enhancements are covered on 67xx, 6196, ES20 and ES+ line cards:

  • Port-channel interfaces: Support for port-channel interfaces on ES20 and ES+ line cards.
  • Shutdown: When a storm is detected and the storm traffic exceeds the accepted threshold, the affected interface moves to error disable state. The traffic threshold is calculated as a percentage of the total bandwidth of the port (%BW). Use the error disable detection and the recovery feature, or the shut or no shut command to re-enable the port on the affected interface.
  • Trap: An SNMP trap can be sent when a storm is detected.

Detecting a Broadcast Storm

A broadcast storm is detected when the following occurs:

  • The port receives multicast and broadcast traffic beyond its configured bandwidth.
  • The value of the TotalSuppDiscards counter increments. This value is displayed when you use the show interface gigabitEthernet <slot/port> counters storm-control command.

Restrictions and Usage Guidelines

Use the following guidelines and restrictions while configuring traffic storm control:


Note These restrictions and usage guidelines apply only to the Cisco 7600 Series ES+ line cards.


  • Traffic storm control is disabled by default.
  • Unicast storm control is not supported.
  • Storm control on Layer 3 interfaces is not supported.
  • Storm control feature cannot be configured at the EVC Level.
  • Storm control rate cannot be specified in Packets/Second (PPS).
  • Broadcast and multicast suppression share the same suppression rate. Therefore, when you configure a different rate for either broadcast or multicast, the new rate applies to both broadcast and multicast.
  • Storm control feature is not supported on the member interfaces of a port channel.
  • Untagged frames can be subjected to storm control by having a service instance which marks all untagged frames. Once such a service instance is created, these frames behave like any storm control on any other EVC.
  • Specify the level as a percentage of the total interface bandwidth:
      • The level can be from 0 to 100.
      • The optional fraction of a level can be from 0 to 99.
      • 100 percent means no traffic storm control.
      • 0.0 percent suppresses all traffic.
      • You can specify the percentage rate to allow in units of 0.01%.

  • The maximum storm control rate is 4 Gbps (on 10 Gigabit interfaces it can be 40% of line rate)
  • Storm control works in switchport dot1q-tunnel mode.
  • When storm control is applied on an interface that has an inbound Layer 2 ACL applied, all packets are dropped irrespective of the configured suppression level.
  • Any additions or changes made to the storm control configuration on the port-channel interface are automatically updated across all the port-channel member-links.
  • Storm control configuration or deletion is not allowed on member-links.
  • You can add an interface to a port-channel if the storm control configuration on the interface and the port-channel are alike.

You can either combine member-links to form a port-channel and then configure the port-channel, or change the storm control configuration on the interface to match the port-channel before adding it to the port-channel.

  • Using the default interface command twice removes the storm control feature from a member-link interface.
  • Storm control is supported on ES+ line cards on routed or L3 interfaces from Release 15.0(1)S onwards.
  • Except for BPDUs (STP), traffic storm control does not differentiate between control traffic and data traffic. For Cisco Discovery Protocol (CDP) or VLAN Trunk Protocol (VTP), a multicast suppression level of 0% suppresses even CDP or VTP packets although STP BPDUs are not suppressed by storm control.

Configuring Storm Control on Ports with EVC Configurations

This section describes how to configure storm control on ports with EVC configurations.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. [no] service instance id {Ethernet service-name}

5. encapsulation dot1q vlan-id

6. [no] bridge-domain bridge-id

7. storm-control {broadcast | multicast} level level[.level]

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

[no] service instance id ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

[no] bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7

storm-control {broadcast | multicast} level level[.level]

 

Router(config-if)# storm-control broadcast level 30

Sets the storm control suppression level.

Example

This example shows a configuration for ports with EVCs on them:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 4/1
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 10
Router(config-if-srv)# exit
Router(config-if)# storm-control multicast level 45

Configuring Storm Control on Switchports

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. switchport

5. switchport mode {access | dot1q-tunnel | dynamic {auto | desirable} | private-vlan | trunk}

6. storm-control {broadcast | multicast} level level[.level]

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

switchport
 
Router(config-if)# switchport

Sets the switching characteristics of the Layer 2-switched interface.

Step 5

switchport mode {access | dot1q-tunnel | dynamic {auto | desirable} | private-vlan | trunk}
 
Router(config-if)# switchport mode trunk

Sets the interface type.

Step 6

storm-control {broadcast | multicast} level level[.level]

 

Router(config-if)# storm-control broadcast level 30

Sets the storm control suppression level.

Example

This example shows a configuration for ports with switchport configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 4/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# storm-control multicast level 45
 

Configuring Storm Control on Port Channels

Perform the following tasks to configure storm control on port channels:

SUMMARY STEPS

1. enable

2. configure terminal

3. snmp-server enable traps storm-control trap-rate trap-rate

4. interface type slot/bay/port

5. storm-control {{broadcast | multicast} level level | action {shutdown | trap}}

6. end

7. show interfaces type/slot/port counters storm-control

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

snmp-server enable traps storm-control trap-rate trap-rate

 

Router(config)# snmp-server enable traps storm-control trap-rate 2

(Optional) Enables SNMP storm control trap parameters. The trap-rate range is 0 to 1000 traps per minute. However, the number of traps generated for storm control cannot exceed six per minute (by design).

Step 4

interface type slot/bay/port

 

Router(config)# interface port-channel 1/0/18

Selects an interface to configure.

Step 5

storm-control {{ broadcast | multicast } level level | action { shutdown | trap }}

 

Router(config-if)# storm-control broadcast level 50

 

Router(config-if)# storm-control action shutdown

Sets the broadcast and multicast suppression level for traffic storm control on the interface. Enables an action for traffic storm control on the interface, such as shutting down the interface or sending an SNMP trap. However, broadcast or multicast level suppression must be enabled before setting the action.

Note A suppression level of 100% means no suppression will occur and 0% suppression means no traffic of the suppressed type will be allowed.

The no form of the command disables storm control for broadcast or multicast traffic or disables the specified storm-control action, on the selected interface.

Note Unicast level traffic suppression is not supported on port channel interfaces.

Step 6

end

Exits the configuration mode.

Step 7

show interfaces type/slot/port counters storm-control

 

Router# show interfaces gigabitEthernet 4/1 counters storm-control

Displays the total number of packets (%) discarded for the three traffic storm control levels (broadcast, multicast and unicast) on the specified interface.

Displays the statistics for the TotalSuppDiscards counter. This counter increments whenever a traffic storm occurs.

For more information regarding the commands, see the following command reference guides:

Example

The following is a sample configuration for storm control on a Layer 2 port channel on the ES+ line card:

interface Port-channel22
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 storm-control action shutdown
 storm-control action trap
interface GigabitEthernet2/13
 switchport
 switchport mode trunk
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 storm-control action shutdown
 storm-control action trap
 channel-group 22 mode on
interface GigabitEthernet2/21
 switchport
 switchport mode trunk
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 storm-control action shutdown
 storm-control action trap
 channel-group 22 mode on

 

Use the show interfaces interface counters storm-control command to display the total suppression percentage of packets for the broadcast, multicast and unicast storm control traffic on all interfaces or on a specified interface. The storm control shutdown on an interface depends on the ‘TotalSuppDiscards’ counter (displayed in the example). This counter increments when a traffic storm occurs.

Router# show interfaces counters storm-control
 
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/1 100.00 100.00 100.00 0
Gi1/2 100.00 100.00 100.00 0
Gi1/3 100.00 100.00 100.00 0
Gi1/4 100.00 100.00 100.00 0
Gi1/5 100.00 100.00 100.00 0
Gi1/6 100.00 100.00 100.00 0
Gi1/7 100.00 20.00 20.00 2943374677
Gi1/8 100.00 100.00 100.00 0
Gi1/9 100.00 100.00 100.00 0
Gi1/10 100.00 100.00 100.00 0
Gi1/11 100.00 100.00 100.00 0
Gi1/12 100.00 100.00 100.00 0
Gi1/13 100.00 100.00 100.00 0
Gi1/14 100.00 100.00 100.00 0
Gi1/15 100.00 100.00 100.00 0
Gi1/16 100.00 100.00 100.00 0
Gi1/17 100.00 100.00 100.00 0
Gi1/18 100.00 100.00 100.00 434529474
Gi1/19 100.00 100.00 100.00 0
Gi1/20 100.00 100.00 100.00 0
Gi1/21 100.00 100.00 100.00 0
 
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/22 100.00 100.00 100.00 499018427
Gi1/23 100.00 100.00 100.00 0
Gi1/24 100.00 100.00 100.00 0
Gi1/25 100.00 100.00 100.00 0
Gi1/26 100.00 100.00 100.00 0
Gi1/27 100.00 100.00 100.00 0
Gi1/28 100.00 100.00 100.00 0
Gi1/29 100.00 100.00 100.00 0
Gi1/30 100.00 100.00 100.00 0
Gi1/31 100.00 100.00 100.00 0
Gi1/32 100.00 100.00 100.00 0
Gi1/33 100.00 100.00 100.00 0
Gi1/34 100.00 100.00 100.00 0
Gi1/35 100.00 100.00 100.00 0
Gi1/36 100.00 100.00 100.00 0
Gi1/37 100.00 100.00 100.00 0
Gi1/38 100.00 100.00 100.00 0
Gi1/39 100.00 100.00 100.00 0
Gi1/40 100.00 100.00 100.00 0
 
Router#
Router# show interfaces gig1/18 counters storm-control
 
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/18 100.00 100.00 100.00 434529474
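
The following is an added example, not part of the Cisco guide: a small Python parser for the counter listing above that classifies each port and compares two polls to find ports whose TotalSuppDiscards counter is moving. The sample text is constructed in the same layout as the output shown, and treating a lower reading as a counter reset is an assumption.

```python
import re
from typing import NamedTuple


class StormRow(NamedTuple):
    port: str
    ucast: float
    mcast: float
    bcast: float
    discards: int


# Constructed sample in the layout of the output above (the repeated header
# in the middle of the listing and the trailing prompt are kept on purpose).
SAMPLE = """\
Router# show interfaces counters storm-control

Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/6 100.00 100.00 100.00 0
Gi1/7 100.00 20.00 20.00 2943374677
Gi1/18 100.00 100.00 100.00 434529474

Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/22 100.00 100.00 100.00 499018427
Gi1/23 100.00 100.00 100.00 0
Router#
"""

ROW = re.compile(r"^\s*(\S+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {port: StormRow}; headers, prompts and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, u, mc, bc, d = m.groups()
            rows[port] = StormRow(port, float(u), float(mc), float(bc), int(d))
    return rows


def classify(row):
    """Label a port from its levels and its discard counter."""
    # A level of 100.00 means no suppression for that traffic type.
    limited = min(row.ucast, row.mcast, row.bcast) < 100.0
    if row.discards and limited:
        return "limited-with-discards"
    if row.discards:
        return "discards-but-no-level"
    return "limited-idle" if limited else "no-suppression"


def discard_deltas(prev, curr):
    """Ports whose TotalSuppDiscards changed between two polls.

    The value is (delta, counter_reset). A reading lower than the previous one
    is treated as a counter reset (assumption) and reported as-is.
    """
    out = {}
    for port, row in curr.items():
        before = prev[port].discards if port in prev else 0
        if row.discards < before:
            out[port] = (row.discards, True)
        elif row.discards > before:
            out[port] = (row.discards - before, False)
    return out


if __name__ == "__main__":
    first = parse_counters(SAMPLE)
    # Second poll, constructed: Gi1/7 keeps discarding, Gi1/18 was cleared.
    second = parse_counters(
        SAMPLE.replace("2943374677", "2943380000").replace("434529474", "12")
    )
    for port, row in first.items():
        print(port, classify(row))
    print(discard_deltas(first, second))
```
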

Verification

Use the following commands to verify operation.

 

Table 4-21 Commands for Displaying Traffic Storm Control Status and Configuration

Command
Purpose

Router# show interfaces [{ type 1 slot/port } | switchport]

Displays the administrative and operational status of all Layer 2 LAN ports or the specified Layer 2 LAN port.

Router# show interfaces [{ type 1 slot/port } | counters storm-control

 

Router# show interfaces counters storm-control [ module slot_number ]

Displays the total number of packets discarded for all three traffic storm control modes, on all interfaces or on the specified interface.

1.type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

Storm Control over EVC

Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic, and degrading network performance.

Currently, for ports where EVCs are configured, storm control can be configured per port. When you configure storm control on a port, policing is applied to all the traffic on that port. Each EVC on a port represents different types of customers, such as different businesses, or businesses and individuals on the same port. When a traffic storm occurs, all traffic on the port is blocked, impacting customers on all the EVCs. To prevent this, service providers need to combine similar types of customers on the same port.

Effective with Cisco IOS 15.2(2)S, storm control is supported on EVCs and policing can be applied at the EVC level. This feature enables service providers to combine different types of customers on the same port.

Restrictions for Storm Control over EVC

The following restrictions apply to storm control over EVC:

  • Storm control over EVC can be configured on connect, cross connect and bridge-domain interfaces.
  • Storm control is supported on port channel EVCs.
  • Storm control over EVC can be configured only for broadcast or multicast packets, not for unicast packets.
  • If storm control is already configured at the port level, you cannot configure storm control over EVC and vice versa.
  • When an EVC moves to the error-disable state, auto-recovery can be configured for storm-control after a certain pre-determined interval.
  • Storm control over EVC is supported only on the Cisco 7600 ES+ line card.
  • SNMP trap is not supported.
  • If storm control is enabled on a port channel EVC, the configuration is applied per network processor (NP).
  • Only 256 policer profiles are supported per network processor.
  • QoS and storm-control share the same hardware policer resources.

Configuring Storm Control over EVC

Perform these steps to configure the storm control over EVC feature.

Summary Steps

1. enable

2. configure terminal

3. interface type number

or

interface port-channel number

4. service instance id ethernet

5. encapsulation dot1q vlan-id

6. storm-control {{broadcast | multicast} cir cir-value | action shutdown}

7. bridge-domain bridge-id

8. end

Detailed Steps

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode. If prompted, enter your password.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

or

interface port-channel number

 

Router(config)# interface gigabitethernet 4/1

Specifies the gigabit ethernet or the ten gigabit ethernet interface, or port channel to configure.

  • slot/port—Specifies the location of the interface.
  • number — Specifies the port channel interface.

Step 4

service instance id ethernet [service-name]

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on the interface.

Step 5

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 100

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6

bridge-domain bridge-id

 

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier.

Step 7

storm-control {{broadcast | multicast} cir cir-value | action shutdown }

 

 

Router(config-if-srv)# storm-control broadcast cir 11000000

Sets the storm control rate for broadcast or multicast traffic. Enables an action for traffic storm control on the interface, such as shutting down the interface.

cir-value: The acceptable range is 10000000 to 1000000000 for a Gigabit Ethernet interface, and 100000000 to 10000000000 for a Ten Gigabit Ethernet interface. The recommended maximum value is up to 98 percent.

Step 8

end

 

Router(config-if)# end

Exits the configuration mode.


Note When the ingress packets exceed the configured rate, the EVC moves to the error-disable state if the action is configured as shutdown. You can configure the EVC to move to the up state after a certain interval using the errdisable recovery cause storm-control interval command. The accepted interval varies from 30 to 86400 seconds.


Examples

This example shows how to configure storm control over an EVC.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# bridge-domain 200
Router(config-if-srv)# storm-control broadcast cir 11000000
Router(config-if-srv)# end

This example shows how to configure storm control over a port channel EVC.

Router# enable
Router# configure terminal
Router(config)# interface port-channel 1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 200
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# storm-control multicast cir 11000000
Router(config-if-srv)# end

Verification

Use the show ethernet service instance id id interface type slot/port stats command to verify the storm control over EVC configuration.

Router# show ethernet service instance id 1204 interface gigabitethernet 2/7 stats
Port maximum number of service instances: 8000
Service Instance 1204, Interface GigabitEthernet2/7
Pkts In Bytes In Pkts Out Bytes Out
2262238 452447600 150570 30114000

StormControl Discard Pkts: 1809909
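
The restrictions and cir-value ranges listed above can be checked before a change is pushed. The following is an added example, not part of the Cisco guide: a Python audit of a candidate configuration for three of those rules (storm control at both port and EVC level on one interface, a traffic type other than broadcast or multicast on an EVC, and a cir value outside the stated range). The sample configuration is constructed, the running-config indentation layout is an assumption, and the range check is skipped for port channels because the page gives ranges only for Gigabit and Ten Gigabit interfaces.

```python
import re

# cir-value ranges stated in Step 7 above, keyed by interface type.
CIR_RANGE = {
    "GigabitEthernet": (10_000_000, 1_000_000_000),
    "TenGigabitEthernet": (100_000_000, 10_000_000_000),
}

# Constructed candidate configuration in running-config layout
# (interface commands indented one space, service-instance commands two).
SAMPLE = """\
interface GigabitEthernet1/1
 storm-control broadcast level 30.00
 service instance 1 ethernet
  encapsulation dot1q 100
  storm-control broadcast cir 11000000
  bridge-domain 200
 !
!
interface TenGigabitEthernet2/1
 service instance 7 ethernet
  encapsulation dot1q 70
  storm-control multicast cir 50000000
  storm-control action shutdown
  bridge-domain 70
 !
!
interface GigabitEthernet1/2
 service instance 9 ethernet
  encapsulation dot1q 90
  storm-control unicast cir 20000000
 !
!
"""

STORM = re.compile(r"storm-control (\S+) (level|cir) (\S+)")


def audit(config):
    """Return a list of (interface, service_instance_or_None, finding)."""
    findings = []
    port_level, evc_level = set(), set()
    intf = evc = None
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent <= 1:
            evc = None                      # left any service-instance block
        if indent == 0:
            m = re.match(r"interface (\S+)", line)
            intf = m.group(1) if m else None
            continue
        if intf is None:
            continue
        m = re.match(r"service instance (\d+) ethernet", line)
        if m:
            evc = m.group(1)
            continue
        m = STORM.match(line)
        if not m:
            continue
        kind, unit, value = m.groups()
        if evc is None:                     # port-level storm control
            port_level.add(intf)
            continue
        evc_level.add(intf)
        if kind not in ("broadcast", "multicast"):
            findings.append((intf, evc, "type-not-supported-on-evc"))
        limits = CIR_RANGE.get(re.match(r"[A-Za-z-]+", intf).group(0))
        if unit == "cir" and limits and value.isdigit():
            if not limits[0] <= int(value) <= limits[1]:
                findings.append((intf, evc, "cir-out-of-range"))
    # Port-level and EVC-level storm control are mutually exclusive.
    for name in sorted(port_level & evc_level):
        findings.append((name, None, "port-and-evc-storm-control"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
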

Asymmetric Carrier-Delay

In redundant link deployments where the remote network element is enabled, a link or port may be displayed as up before the port or link is ready to forward data. This anomaly leads to traffic loss during switchover, because up events are notified faster than the required routing protocol convergence time. With the existing conventional carrier delay, both up and down events are notified after the same delay, which might not be feasible in certain network deployments. Asymmetric carrier-delay ensures stable topologies compared to the conventional carrier-delay implementation.

Table 4-22 lists the differences between the conventional carrier-delay and asymmetric carrier-delay implementations.

Table 4-22 Conventional Carrier-delay versus Asymmetric Carrier-delay

Conventional: You can configure carrier-delay on a main physical interface.
Asymmetric: You can configure asymmetric carrier-delay on a main physical interface.

Conventional: The default value for configuring symmetric carrier delay is 10 milliseconds.
Asymmetric: The default values for configuring asymmetric carrier-delay are as follows:

For ES+ GE linecards:

  • up time is 300 milliseconds.
  • down time is 10 milliseconds.

For ES+ 10 GE linecards:

  • up time is 1000 milliseconds.
  • down time is 10 milliseconds.

Conventional: You can configure a single delay value used by both up and down events.
Asymmetric: You can configure separate delay values for the down and up timers.

Conventional: Traffic losses and timer optimization issues occur due to a single configurable delay value for both up and down events.
Asymmetric: Optimal timer configurations are achieved due to separate timer values for up and down events.

Restrictions and Usage Guidelines

  • The minimum valid carrier-delay down time that you can configure is 11 milliseconds for Gigabit ports. By default, carrier-delay is configured to 10 milliseconds during a card bootup. However, even if you configure a value less than 11 milliseconds, there will not be any impact on the carrier delay.
  • The fast link feature and the carrier-delay feature are mutually exclusive; the fast link feature is enabled by default.
  • If you configure carrier-delay values, the fast link feature is disabled on a line card.
  • Though the fast link feature is configured by default on the card, the carrier-delay feature overwrites the fast link feature when configured.
  • If you have not configured the carrier-delay values, the fast link feature values are used for down event notification.

Note If you are using Cisco IOS release version 12.2(33) SRE or prior versions and asymmetric carrier delay is configured on the interface, the show running-config command may display carrier-delay msec 0. This issue is fixed in Cisco IOS 15.0(1)S and further releases.


Configuring Asymmetric Carrier Delay

Perform these steps to configure asymmetric carrier delay.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type/ slot/port

4. carrier-delay [{ up | down } [seconds]{ msec | sec }]

5. end

DETAILED STEPS

Command or Action
Purpose

Step 1

enable

 

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface type/ slot/port

 

Router(config)# interface gigabitethernet 8/0/14

Selects the main interface to configure.

Step 4

carrier-delay [{up | down} [seconds]{msec| sec}]

 

Router(config-if)# carrier-delay up 300

Router(config-if)# carrier-delay down 10

Configures the asymmetric carrier-delay up or down value in milliseconds or seconds.

Step 5

end

Router(config-if)# end

Exits the configuration mode.

Verification

You can use the show run command to display the carrier-delay configurations on an ES+ physical interface. The first example shows asymmetric carrier-delay configuration and the second example shows symmetric carrier delay configuration.

Router# show running-config interface GigabitEthernet 8/0/4
Building configuration...
Current configuration:
!
interface GigabitEthernet8/0/4
no ip address
carrier-delay up 300
carrier-delay down 10
shutdown
 
Router# show running-config interface GigabitEthernet 2/0/1
Building configuration...
Current configuration:
!
interface GigabitEthernet2/0/1
no ip address
carrier-delay msec 10
shutdown

Manual Load Balancing for EVC over Port-Channel/LACP

The Manual Load Balancing for EVC over Port-Channel/LACP feature allows the user to specify the primary and multiple backup preferred member links for the service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for a given service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available, or the user has configured neither the primary nor the backup links, the 7600 platform automatically selects an egress interface for the given service instance. In this case, the user has no control over the egress interface.

If primary and backup links are configured and if the primary interface goes down, one of the backup links is selected as the egress interface. At this stage, when the primary interface comes up, there is a switch back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup link in the list is used. This continues until an available backup link is found.

This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic. In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with current service instance feature support and supports the existing scale of 8000 service instances per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.

Restrictions and Usage Guidelines

When configuring Manual Load Balancing for EVC over Port-Channel/LACP, follow these guidelines and restrictions:

  • When the user configures a link ID for a port-channel member link and configures that member link as the preferred egress link for some service instances in that port-channel, there is redistribution of traffic. The redistribution is such that:

Service instances that were configured to be sent over the preferred egress member link are sent over the preferred member link. This is expected behavior.

Traffic for which the user has not configured a preferred member link is also redistributed. This redistribution happens as follows:

For example, assume there are 8 member links in the port-channel. The load share of the member links is allocated by the port manager as follows:

Member 1—Load share bit 0, Member 2—Load share bit 1,

Member 3—Load share bit 2, Member 4—Load share bit 3,

Member 5—Load share bit 4, Member 6—Load share bit 5,

Member 7—Load share bit 6, Member 8—Load share bit 7.

When the user configures Member 1 with link ID 2, the port manager allocates load share bit 2 to Member 1. The new assignments are:

Member 1—Load share bit 2, Member 3—Load share bit 0 (The load share of other members remains the same.)

Consider the example where the platform has chosen an egress link that has load share bit 2. Before the user configured link ID 2 for Member 1, this EFP traffic was sent over Member 3. After the user configuration, since Member 1 now has load share bit 2, this traffic is sent over Member 1.

The reverse also happens; traffic that was going through Member 1 before the user configuration now goes through Member 3.
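
The load-share swap described above, together with the primary and backup selection order from the feature overview, can be modeled in a few lines. The following is an added example, not Cisco's implementation: the PortChannel class and its method names are hypothetical, link IDs are assumed to coincide with load-share bit numbers as in the example, and the platform's own choice of bit is passed in as an input because the page does not describe how it is computed.

```python
class PortChannel:
    """Toy model of the load-share bookkeeping in the example above."""

    def __init__(self, members):
        # Default allocation from the example: the n-th member link
        # holds load-share bit n-1.
        self.bit = {m: i for i, m in enumerate(members)}
        self.up = {m: True for m in members}
        self.link_ids = {}          # configured link ID -> member link

    def holder(self, bit):
        """Member link that currently holds the given load-share bit."""
        return next(m for m, b in self.bit.items() if b == bit)

    def set_link_id(self, member, link_id):
        """Configure a link ID: the member takes that load-share bit and the
        previous holder takes the member's old bit (the swap in the text)."""
        if link_id not in self.bit.values():
            raise ValueError("no load-share bit %r in this model" % link_id)
        if self.link_ids.get(link_id, member) != member:
            raise ValueError("link ID %r already configured" % link_id)
        self.link_ids = {k: v for k, v in self.link_ids.items() if v != member}
        other = self.holder(link_id)
        self.bit[other], self.bit[member] = self.bit[member], link_id
        self.link_ids[link_id] = member

    def egress(self, platform_bit, primary=None, backups=()):
        """Primary if available, else the first available backup in the
        configured order, else the member holding the platform-chosen bit."""
        for link_id in (primary, *backups):
            member = self.link_ids.get(link_id)
            if member is not None and self.up[member]:
                return member
        return self.holder(platform_bit)


def walkthrough():
    pc = PortChannel(["Member %d" % n for n in range(1, 9)])
    seen = [pc.egress(platform_bit=2)]         # before any link ID: Member 3
    pc.set_link_id("Member 1", 2)              # Member 1 <-> Member 3 swap
    seen.append(pc.egress(platform_bit=2))     # same bit now lands on Member 1
    seen.append(pc.egress(platform_bit=0))     # the reverse: Member 3
    pc.set_link_id("Member 4", 7)              # a second link ID for a backup
    pref = dict(primary=2, backups=(7,))
    seen.append(pc.egress(5, **pref))          # primary up: Member 1
    pc.up["Member 1"] = False
    seen.append(pc.egress(5, **pref))          # primary down: backup Member 4
    pc.up["Member 4"] = False
    seen.append(pc.egress(5, **pref))          # none left: platform bit 5
    pc.up["Member 1"] = True
    seen.append(pc.egress(5, **pref))          # switch back to the primary
    return seen


if __name__ == "__main__":
    for step, member in enumerate(walkthrough(), 1):
        print(step, member)
```
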

Configuring Manual Load Balancing for EVC over Port-Channel/LACP

This section describes how to configure manual load balancing for EVC over Port-Channel/LACP.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. channel-group channel-group-number mode {active | on | passive} link id

5. exit

6. interface port-channel number

7. [no] service instance id {Ethernet [service-name]}

8. encapsulation dot1q vlan-id [second-dot1q vlan-id]

9. exit

10. exit

11. interface port-channel number

12. [no] port-channel load-balance link ID

13. [no] backup link ID_list

14. [no] service-instance service_instance_list

15. [no] group service_group_list

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router# enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

 

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

  • slot/port—Specifies the location of the interface.

Step 4

channel-group channel-group-number mode {active | on | passive} link id

 

Router(config-if)# channel-group 2 mode on link 3

Assigns and configures an EtherChannel interface to an EtherChannel group.

Step 5

exit

 

Router(config-if)# exit

Exits the current configuration mode.

Step 6

interface port-channel number

 

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 7

[no] service instance id {Ethernet [service-name]}

 

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 8

encapsulation dot1q vlan-id [second-dot1q vlan-id]

 

Router(config-if-srv)# encapsulation dot1q 10

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 9

exit

 

Router(config-if-srv)# exit

Exits the current configuration mode.

Step 10

exit

 

Router(config-if)# exit

Exits the current configuration mode.

Step 11

interface port-channel number

 

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 12

[no] port-channel load-balance link ID

 

Router(config-if)# port-channel load-balance link 3

Configures the specified member link interfaces for load-balancing the port-channel's egress traffic and enters the load-balancing configuration submode.

Step 13

[no] backup link ID_list

 

Router(config-if-lb)# backup link 7

Configures a list of member links to use as backup for the primary load-balancing member link.

You can create multiple backup links using the backup link command. The backup links are used in order of configuration if a Port-channel member is down. A default platform algorithm is used to find the backup links if all the configured backup links are down.

Step 14

[no] service-instance service_instance_list

 

Router(config-if-lb)# service-instance 10

Defines the set of service Ethernet instances whose traffic should egress over the member link identified by configuration in Step 12.

Step 15

[no] group service_group_list

 

Router(config-if-lb)# group 10

Defines the Ethernet service groups that will be load-balanced over an interface.

Example

The following example shows four member links across two different channel-groups:

Router(config)# interface Gi0/1
Router(config-if)# channel-group 1 mode on link 3
 
Router(config)# interface Gi0/2
Router(config-if)# channel-group 1 mode on link 4
 
Router(config)# interface Gi0/3
Router(config-if)# channel-group 2 mode on link 3
 
Router(config)# interface Gi0/4
Router(config-if)# channel-group 2 mode on link 7
 
Router(config)# interface Port-channel1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if-srv)# service instance 20 ethernet
Router(config-if-srv)# encapsulation dot1Q 20
Router(config-if-srv)# service instance 60 ethernet
Router(config-if-srv)# group 10
Router(config-if-srv)# service instance 70 ethernet
Router(config-if-srv)# group 10
 

Additional service instance definitions follow:

Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 4
Router(config-if-lb)# service-instance 10,20-22
Router(config-if)# port-channel load-balance link 4
Router(config-if-lb)# service-instance 30-40
Router(config-if-lb)# group 10
 
Router(config)# interface Port-channel2
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 7
Router(config-if-lb)# service-instance 10

Verification

Use the following commands to verify operation.

 

Table 4-23 Commands for Displaying Traffic Storm Control Status and Configuration

Command
Purpose

Router# show ethernet service instance interface interface load-balance

Displays the current egress member-link assignments for service instances configured with port-channel load-balancing.

Router# show ethernet service instance id efp interface port-channel group detail

Displays detailed status for the specified service instance, including the egress member-link assignment, if any.

EVC Port Channel Per Flow Load Balancing

EVC port channel per flow load balancing is implemented to load balance traffic across member links of a port channel when EVCs are configured. If this type of load balancing is not configured, EVCs configured on a port channel are statically mapped to one of the active port-channel member links, which results in the outgoing traffic being limited to the bandwidth of the member link.

In flow-based load balancing on an EVC port channel, different flows of traffic over an EVC interface are identified based on the data packet header. For example, the source and destination address of the data packet can be used to identify a flow. The various data traffic flows are then mapped to the different member links of a port channel. After the mapping is complete, the data traffic is transmitted through the assigned member link. The flow mapping is dynamic and changes when there is any change in the state of a member link to which a flow is assigned. The flow mappings can also change if member links are added or removed from the EVC interface. Multiple flows can be mapped to each member link.

Table 4-24 lists the ACL support for EVC port channel with per-flow load balancing.

Table 4-24 ACL Support for Port Channel Per-flow Load Balancing

ACL Type              Ingress Support   Egress Support
Layer 2               Yes               No
Layer 3 and Layer 4   Yes               Yes

Ingress ACLs are internally configured on every member interface because the traffic can enter any of the member links. Therefore, the load balancing algorithm does not change the way the ingress ACLs behave.

When per-flow load balancing is configured on the port-channel, traffic for an EVC can exit from any of the member links. Therefore, with the per-flow load balancing feature enabled on the port channel, the egress ACL is internally configured on each of the member links in the egress direction. When the per-flow load balancing configuration is removed from the port-channel interface, the egress ACL information is internally removed from each active member link, and configured on the member selected by the load balancing algorithm.

Restrictions

The following restrictions apply to EVC port channel per flow load balancing:

  • When flow-based load balancing is configured, bandwidth of the port channel should be configured such that it is equal to the member link’s port bandwidth. Use the bandwidth bandwidth_value command in the port-channel interface.
  • EVC port channel per flow load balancing is supported over connect and cross connect.
  • EVC port channel per flow load balancing is not supported over a bridge domain.
  • Flow based load balancing cannot co-exist with other load balancing schemes.
  • If you configure QoS on an EVC port channel, QoS policies are installed on each port channel member link with the same QoS configuration as the EVC port channel. For example, if you configure 1 Mbps bandwidth on an EVC port channel with four active member links, 1 Mbps is configured on each member link.
  • If EVCs within a port-channel interface are part of a service group with EVCs and sub interfaces configured, you cannot remove the flow-based load balancing configuration.
  • EVC port channel per flow load balancing is done on MAC source and destination, and VC label.

Configuring EVC Port Channel Per Flow Load Balancing

This section describes how to configure flow based load balancing on EVC port channel.

Summary Steps

1. enable

2. configure terminal

3. interface port-channel channel-number

4. port-channel load-balance flow-based

5. end

Detailed Steps

Step 1
Command: enable
Example: Router# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: interface port-channel channel-number
Example: Router(config)# interface port-channel 1
Purpose: Creates the port-channel interface.

Step 4
Command: port-channel load-balance flow-based
Example: Router(config-if)# port-channel load-balance flow-based
Purpose: Configures the specified port-channel interface in flow based load-balancing mode.

Step 5
Command: end
Purpose: Exits the configuration mode.

Example

This example shows how to configure flow-based load balancing on a port-channel interface.

Router# enable
Router# configure terminal
Router(config)# interface Port-channel 1
Router(config-if)# bandwidth 1000000

Router(config-if)# port-channel load-balance flow-based

Router(config-if)# end

Verification

Use the show running-config interface port-channel channel-number command to verify the EVC port channel per flow load balancing configuration.

Router# enable
Router# configure terminal
Router(config)# interface Port-channel 2

Router(config-if)# port-channel load-balance flow-based

Router(config-if)# bandwidth 1000000

Router(config-if)# end

Router# show running-config interface Port-channel 2

Building configuration...

Current configuration : 113 bytes

!

interface Port-channel2

bandwidth 1000000

no ip address

port-channel load-balance flow-based

end

Configuring Layer 3 and Layer 4 ACLs

This section describes how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per flow load balancing.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel channel-number

4. mtu bytes

5. no ip address

6. port-channel load-balance flow-based

7. service instance id ethernet [evc-name]

8. encapsulation dot1q vlan-id

9. ip access-group { access-list-name | access-list-number } { in | out }

10. xconnect peer-ip-address vc-id { encapsulation mpls }

11. end

DETAILED STEPS

Step 1
Command: enable
Example: Router# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: interface port-channel channel-number
Example: Router(config)# interface port-channel 4
Purpose: Creates the port-channel interface.

Step 4
Command: mtu bytes
Example: Router(config-if)# mtu 9216
Purpose: Specifies the maximum transmission unit (MTU) size.

Step 5
Command: no ip address
Example: Router(config-if)# no ip address
Purpose: Disables IP address processing.

Step 6
Command: port-channel load-balance flow-based
Example: Router(config-if)# port-channel load-balance flow-based
Purpose: Configures the specified port-channel interface in a flow based load-balancing mode.

Step 7
Command: service instance id ethernet [evc-name]
Example: Router(config-if)# service instance 2 ethernet
Purpose: Configures an ethernet service instance on an interface and enters ethernet service configuration mode.

Step 8
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 2
Purpose: Enables IEEE 802.1Q encapsulation of traffic on the specified subinterface in a VLAN.

Step 9
Command: ip access-group { access-list-name | access-list-number } { in | out }
Example: Router(config-if-srv)# ip access-group acl3 out
Purpose: Applies the IP access list to the interface.

Step 10
Command: xconnect peer-ip-address vc-id { encapsulation mpls }
Example: Router(config-if-srv)# xconnect 2.2.2.2 2 encapsulation mpls
Purpose: Binds an attachment circuit to a pseudowire.

Step 11
Command: end
Purpose: Exits the service instance configuration mode.

Configuration Examples

This example shows how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per flow load balancing.

Router# enable
Router# configure terminal
Router(config)# interface port-channel 4
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# port-channel load-balance flow-based
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# ip access-group acl3 out
Router(config-if-srv)# xconnect 2.2.2.2 2 encapsulation mpls
Router(config-if-srv)# end

Verification

Use the show ip access-lists access-list-name command to list the ACL configuration.

Router# show ip access-lists acl3
Extended IP access list acl3
10 permit tcp any eq 1003 any eq 5003
 

Use the show ethernet service instance id id command to display information about ethernet customer service instances.

Router# show ethernet service instance id 3 interface port-channel 4 stats
Port maximum number of service instances: 8000
Service Instance 3, Interface Port-channel4
Pkts In   Bytes In   Pkts Out   Bytes Out
0         0          14359328   1794916000
SACL permit out count: 14362672
SACL deny out count: 504376

 

Multichassis Support for LACP

Configured at the edge of a provider's network, the Multichassis Link Aggregation Control Protocol (MLACP) feature performs the following actions:

  • Allows dual-homed devices (DHD) to provide network redundancy between two or more service provider networks.
  • Allows the LACP state machine and protocol to operate in a dual-homed mode.

Each switch is a point of attachment (PoA). One PoA is active and the other is standby, and the active PoA executes the multichassis link aggregation group with a DHD. A virtual LACP peer is created on the PoA, giving the impression that the DHD is connected to one node.

Figure 4-5 shows the placement of PoAs and DHDs in an MLACP configuration.

 

Figure 4-5 Placement of PoAs and DHDs in an MLACP Implementation

 

The status of the PoAs during traffic relay is as follows:

  • The two PoAs form a redundancy group, and only one of the PoAs is active at any given time.
  • Only two PoAs form a redundancy group; however, you can configure a maximum of 50 redundancy groups connecting to other DHDs.
  • Active links exist only between a DHD and active PoAs. None of the links between the DHD and the standby PoA relay traffic other than Bridge Protocol Data Units (BPDUs).
  • The state of the etherchannel interface on a standby PoA is UP.

A switchover from an active PoA to a standby PoA occurs when there is a failure on the:

  • Uplink port on the DHD
  • Downlink port on an active PoA
  • Active PoA node
  • Active PoA uplinks

The default switchover mechanism uses dynamic port priority changes on the port channel and member link(s) to provide revertive mode and nonrevertive mode options. The default operation in a multichassis LACP is revertive.

Brute force is a switchover mechanism where the member link is in an err-disable state after a switchover. To recover the port channel and enable the member link on a new standby PoA, use the errdisable recovery cause mlacp-minlink command in the global configuration mode.

Use the lacp max-bundle command on all the PoAs to operate in the PoA control and shared control modes. The max-bundle value argument should not be less than the total number of links in the Link Aggregation Group (LAG) that are connected to the PoA. Each PoA may be connected to the DHD with a different number of links for the LAG and, therefore, configured with a different value for the max-bundle value argument.


Note The lacp failover brute-force command cannot be used with a nonrevertive configuration.


Requirements and Restrictions

Follow these requirements and restrictions when configuring the MLACP feature on an ES40 line card:

  • Supported only on ES20 and ES40 line cards. All member links on a port-channel should be on the same type of line card.
  • Cisco IOS Release 12.2(33)SRE supports service instances only on an MLACP port-channel.
  • A PoA may be active for one port-channel, and standby for a different port-channel.
  • The maximum number of port-channels supported on a PoA is 256.
  • In any LACP configuration, ensure that the numerical value of the system-priority of the virtual LACP instance on the PoAs is lower (higher priority) than that on the DHD for all control variants.
  • It is not recommended to configure different max bundle configurations on a PoA. For example, if DHD 1 to PoA has 4 links, PoA2 should also have 4 links.
  • Links can be successfully aggregated based on the following constraints:
      - Links should be from the same line card type.
      - QoS should be validated.
      - Port-channel hashing should be identical for two links.
      - Flowcontrol should match.
  • When Cisco 7600 routers are used to form a redundancy group within a PoA, the member links should adhere to the constraints listed in the preceding item. These constraints are not validated across PoAs, and you should ensure that the configuration between the two PoAs is identical.
  • Ensure that the etherchannel usage configuration is identical on the two PoAs.
  • The maximum bundle value on a PoA is 8.
  • A maximum of two PoAs in a redundancy group and 50 redundancy groups per node are supported.
  • Multiple Spanning Tree (MST) on an EVC is not supported on MLACP etherchannel ports.
  • Reverse Layer 2 Gateway Protocol (RL2GP) with MLACP is not supported.
  • DHD port-channel cannot use Spanning Tree Protocol (STP) or Resilient Ethernet Protocol (REP) or Reverse Layer 2 Gateway Protocol (RL2GP) as a redundancy option. DHD port-channel disables the STP enabled by default.
  • Subinterfaces on port-channels are not supported.
  • You can configure the channel-group command as active; configuring the channel-group command as passive is not supported.
  • As the lacp direct-loadswap command is not applicable on a PoA, member links on a PoA are not protected with links on the same PoA.
  • We recommend that you do not use different bundle configurations on a DHD. For example, if DHD 1 to PoA1 has four links, DHD 1 to PoA 2 should also have the same number of links.
  • Use the port-channel min-link command to configure each PoA with the minimum number of links. This maintains the LAG in an active state.
  • The lacp max-bundle command must be used on all the PoAs to operate in PoA control and shared control modes. The value of the max-bundle should not be less than the total number of interfaces in the LAG that are connected to the PoA.
  • If you use the lacp failover command with brute force, then after the switchover, the port-channel member link moves to an errdisabled state. By default, the interval is 300 seconds (tunable range is 30 seconds to 300 seconds). To recover the port-channel, use the errdisable recovery cause mlacp-minlink command. EVC with connect as forwarding function is not supported.
  • The lacp failover non-revertive and lacp failover brute-force commands are mutually exclusive within the same port-channel.
  • Connectivity Fault Management configuration on an MLACP port-channel is not permissible.
  • For best switchover performance, configure LACP fast-switchover in PoAs and DHDs.
  • You cannot use MLACP port-channel for IP forwarding.
  • You cannot configure REP on an MLACP port-channel.
  • Use the errdisable recovery cause mlacp-minlink command to auto-recover the port-channel after timer expiration.
  • The core interfaces in a VPLS core should be an ES20 or ES40 line card.
  • When switching to MLACP mode from P-MLACP mode, ensure that you:
      - Enable max bundle configuration to have MLACP active or standby.
      - Shut down the interface on both PoAs to avoid any possible traffic loop.

The recommended configuration sequence is:

  • Configure interchassis group and MLACP commands.
  • Configure MLACP interchassis group and other port-channel commands.
  • Add member links.

Note While configuring MLACP, both the active and standby PoAs need to have the same Label Distribution Protocol (LDP) router ID for the proper operation of LACP. Use the mpls ldp router-id loopback_interface force command to configure MPLS LDP after the loopback interface is created.


SUMMARY STEPS

1. enable

2. configure terminal

3. redundancy

4. interchassis group {number}

5. monitor peer {BFD}

6. member ip {IP address}

7. mlacp node-id {number}

8. mlacp system-mac {address}

9. mlacp system-priority priority

10. backbone interface any interface

11. exit

12. interface port-channel {port-channel number}

13. lacp max-bundle {max-bundle value}

14. lacp failover { non-revertive | brute-force }

15. mlacp interchassis group {group-id}

16. backbone int member

17. exit

DETAILED STEPS

 

Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: redundancy
Example: Router(config)# redundancy
Purpose: Enters redundancy configuration mode.

Step 4
Command: interchassis group {number}
Example: Router(configure-red)# interchassis group 400
Purpose: Configures an interchassis group within the redundancy configuration mode and assigns a group number.

Step 5
Command: monitor peer {BFD}
Example: Router(configure-red)# monitor peer bfd
Purpose: Configures the BFD option to monitor the state of the peer. The default option is route-watch.

Step 6
Command: member ip {IP address}
Example: Router(configure-red)# member ip 172.3.3.3
Purpose: Configures the IP address of the mlacp peer member group.

Step 7
Command: mlacp node-id {number}
Example: Router(config-r-ic)# mlacp node-id 5
Purpose: Defines the node ID to be used in the LACP port-id field. Valid value range is 0 - 7, and the value should be different from the peer values.

Step 8
Command: mlacp system-mac {address}
Example: Router(config-r-ic)# mlacp system-mac aaaa.aaaa.aaab
Purpose: Defines and advertises the system MAC address value to the MLACP members of the redundancy group.

Step 9
Command: mlacp system-priority priority
Example: Router(config-r-ic)# mlacp system-priority 100
Purpose: Defines the system priority advertised to the other MLACP members of the redundancy group. System priority values are from 1 to 65535, the default value being 32768. The assigned values should be lower than the DHD.

Step 10
Command: backbone interface any interface
Example: Router(config-r-ic)# backbone interface GigabitEthernet2/3
Purpose: Defines the backbone interface for the MLACP configuration.

Step 11
Command: exit
Purpose: Exits the redundancy mode.

Step 12
Command: interface port-channel {port-channel number}
Example: Router# interface Port-channel1
Purpose: To identify the PoA uplink failure, configure the port-channel interface or any physical interface.

Step 13
Command: lacp max-bundle {max-bundle value}
Example: Router(config-int)# lacp max-bundle 4
Purpose: Configures the max-bundle links that are connected to the PoA. The value of the max-bundle links argument should not be less than the total number of links in the LAG that are connected to the PoA.

Step 14
Command: lacp failover { non-revertive | brute-force }
Example:
P19_C7609-S(config-if)#lacp failover ?
brute-force Brute force interface failover
non-revertive Non revertive interface failover
Purpose: Sets the MLACP switchover to nonrevertive or brute force. Default value is revertive. If you configure brute force, a minimum link or last link failure for every MLACP failure occurs or the dynamic lag priority value is modified.

Step 15
Command: mlacp interchassis group {group-id}
Example: Router(config-red)# interchassis group 230
Purpose: Specifies that the port-channel is an MLACP port-channel. The group-id should match the configured redundancy group.

Step 16
Command: backbone int member
Example: Router(config-r-ic)# mlacp 5
Purpose: Sets the backbone interface member.

Step 17
Command: exit
Purpose: Exits the port-channel interface mode.

Examples

The following is a configuration example for Virtual Private Wire Services (VPWS):

ACTIVE POA

redundancy
interchassis group 100
monitor peer bfd
member ip 172.3.3.3
backbone interface GigabitEthernet2/3
backbone interface GigabitEthernet2/4
mlacp system-priority 200
mlacp node-id 0
!
interface Port-channel1
no ip address
load-interval 30
speed nonegotiate
port-channel min-links 4
lacp failover brute-force
lacp fast-switchover
lacp max-bundle 4
mlacp lag-priority 28000
mlacp interchassis group 100
service instance 2 ethernet
encapsulation dot1q 2
rewrite ingress tag pop 1 symmetric
xconnect 172.2.2.2 2 pw-class mlacp
backup peer 172.4.4.4 2 pw-class mlacp
!
pseudowire-class mlacp
encapsulation mpls
status peer topology dual-homed
 
mpls ldp graceful-restart
!
!
interface Loopback0
ip address 172.1.1.1 255.255.255.255
!
interface GigabitEthernet2/3
ip address 120.0.0.1 255.255.255.0
carrier-delay msec 0
mpls ip
bfd interval 100 min_rx 100 multiplier 3
!
interface GigabitEthernet2/9
no ip address
speed 1000
channel-group 1 mode active

Use the show lacp multi-chassis group command to display the interchassis redundancy group value and the operational LACP parameters.

MLACP-PE1# show lacp multi-chassis group 100
Interchassis Redundancy Group 100
Operational LACP Parameters:
RG State: Synchronized
System-Id: 200.000a.f331.2680
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 0
System-Id: 200.000a.f331.2680
 
Peer Information:
State: Up
Node-id: 7
System-Id: 2000.0014.6a8b.c680
ICCP Version: 0
 
State Flags: Active - A
Standby - S
Down - D
AdminDown - AD
Standby Reverting - SR
Unknown - U
mLACP Channel-groups
Channel State Priority Active Links Inactive Links
Group Local/Peer Local/Peer Local/Peer Local/Peer
1 A/S 28000/32768 4/4 0/0

Use the show lacp multi-chassis port-channel command to display the interface port-channel value, channel group, LAG state, priority, inactive links, peer configuration, and standby links.

MLACP-PE1# show lacp multi-chassis port-channel 1
Interface Port-channel1
Local Configuration:
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Total Active Links: 4
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0
 
Peer Configuration:
Interface: Port-channel1
Address: 0014.6a8b.c680
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Total Active Links: 4
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0

Use the show mpls ldp iccp command to display the LDP session and ICCP state information.

MLACP-PE1# show mpls ldp iccp
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
ldp_session 0x3, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM RGID Table total ICCP sessions: 1
ICPM LDP Session Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
ldp_session 0x3, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM LDP Session Table total ICCP sessions: 1

Use the show mpls l2transport command to display the local interface and session details, destination address, and status.

MLACP-PE1# show mpls l2transport vc 2
 
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Po1 Eth VLAN 2 172.2.2.2 2 UP
Po1 Eth VLAN 2 172.4.4.4 2 STANDBY
 

Use the show etherchannel summary command to display the status and identity of the MLACP member links.

MLACP-PE1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
 
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
 
 
Number of channel-groups in use: 2
Number of aggregators: 2
 
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(RU) LACP Gi2/9(P) Gi2/20(P) Gi2/31(P)

Use the show lacp internal command to display the device, port, and member-link information.

MLACP-PE1# show lacp internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi2/9 SA bndl-act 28000 0x1 0x1 0x820A 0x3D
Gi2/20 SA bndl-act 28000 0x1 0x1 0x8215 0x3D
Gi2/31 SA bndl-act 28000 0x1 0x1 0x8220 0x3D
Gi2/40 SA bndl-act 28000 0x1 0x1 0x8229 0x3D
 
Peer (MLACP-PE3) mLACP member links
 
Gi3/11 FA hot-sby 32768 0x1 0x1 0xF30C 0x5
Gi3/21 FA hot-sby 32768 0x1 0x1 0xF316 0x5
Gi3/32 FA hot-sby 32768 0x1 0x1 0xF321 0x7
Gi3/2 FA hot-sby 32768 0x1 0x1 0xF303 0x7
 

POA2

redundancy
interchassis group 100
monitor peer bfd
member ip 172.1.1.1
backbone interface GigabitEthernet3/3
backbone interface GigabitEthernet3/5
mlacp system-priority 2000
mlacp node-id 7
!
interface Port-channel1
no ip address
load-interval 30
speed nonegotiate
port-channel min-links 4
lacp failover brute-force
lacp fast-switchover
lacp max-bundle 4
mlacp interchassis group 100
service instance 2 ethernet
encapsulation dot1q 2
rewrite ingress tag pop 1 symmetric
xconnect 172.2.2.2 2 pw-class mlacp
backup peer 172.4.4.4 2 pw-class mlacp
!
pseudowire-class mlacp
encapsulation mpls
status peer topology dual-homed
 
mpls ldp graceful-restart
!
!
interface Loopback0
ip address 172.3.3.3 255.255.255.255
!
interface GigabitEthernet3/2
channel-group 1 mode active
!
interface GigabitEthernet3/3
ip address 123.0.0.2 255.255.255.0
mpls ip
mpls label protocol ldp
bfd interval 100 min_rx 100 multiplier 3
!

Use the show lacp multi-chassis group command to display the LACP parameters, local configuration, status of the backbone uplink, peer information, node ID, channel, state, priority active, and inactive links.

MLACP-PE3# show lacp multi-chassis group 100
Interchassis Redundancy Group 100
Operational LACP Parameters:
RG State: Synchronized
System-Id: 200.000a.f331.2680
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 7
System-Id: 2000.0014.6a8b.c680
 
Peer Information:
State: Up
Node-id: 0
System-Id: 200.000a.f331.2680
ICCP Version: 0
 
State Flags: Active - A
Standby - S
Down - D
AdminDown - AD
Standby Reverting - SR
Unknown - U
mLACP Channel-groups
Channel State Priority Active Links Inactive Links
Group Local/Peer Local/Peer Local/Peer Local/Peer
1 S/A 32768/28000 4/4 0/0

Use the show lacp multi-chassis port-channel command to display the interface port-channel value, channel group, LAG state, priority, inactive links, peer configuration, and standby links.

MLACP-PE3# show lacp multi-chassis port-channel 1
Interface Port-channel1
Local Configuration:
Address: 0014.6a8b.c680
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Total Active Links: 4
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0
 
Peer Configuration:
Interface: Port-channel1
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Total Active Links: 4
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0

Use the show mpls ldp iccp command to display the LDP session and ICCP state information.

MLACP-PE3# show mpls ldp iccp
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
ldp_session 0x2, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM RGID Table total ICCP sessions: 1
ICPM LDP Session Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
ldp_session 0x2, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM LDP Session Table total ICCP sessions: 1
 
MLACP-PE3# sh mpls l2transport vc 2
 
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Po1 Eth VLAN 2 172.2.2.2 2 STANDBY
Po1 Eth VLAN 2 172.4.4.4 2 STANDBY
 

Use the show etherchannel summary command to display the status and identity of the MLACP member links.

MLACP-PE3# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
 
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
 
 
Number of channel-groups in use: 2
Number of aggregators: 2
 
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(RU) LACP Gi3/2(P) Gi3/11(P) Gi3/21(P)
Gi3/32(P)

Use the show lacp internal command to display the device, port, and member-link information.

MLACP-PE3# show lacp 1 internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi3/2 FA bndl-sby 32768 0x1 0x1 0xF303 0x7
Gi3/11 FA bndl-sby 32768 0x1 0x1 0xF30C 0x5
Gi3/21 FA bndl-sby 32768 0x1 0x1 0xF316 0x5
Gi3/32 FA bndl-sby 32768 0x1 0x1 0xF321 0x7
 
Peer (MLACP-PE1) mLACP member links
 
Gi2/20 SA bndl 28000 0x1 0x1 0x8215 0x3D
Gi2/31 SA bndl 28000 0x1 0x1 0x8220 0x3D
Gi2/40 SA bndl 28000 0x1 0x1 0x8229 0x3D
Gi2/9 SA bndl 28000 0x1 0x1 0x820A 0x3D
MLACP-PE3#
 

 

The following is a configuration example for a Virtual Private LAN Service (VPLS):

Active POA

 
redundancy
interchassis group 100
monitor peer bfd
member ip 172.3.3.3
backbone interface GigabitEthernet2/3
backbone interface GigabitEthernet2/4
mlacp system-priority 200
mlacp node-id 0
!
interface Port-channel1
no ip address
speed nonegotiate
port-channel min-links 2
lacp fast-switchover
lacp max-bundle 4
mlacp lag-priority 28800
mlacp interchassis group 100
service instance 4000 ethernet
encapsulation dot1q 4000
rewrite ingress tag pop 1 symmetric
bridge-domain 4000
!
l2 vfi VPLS manual
vpn id 4000
neighbor 172.2.2.2 encapsulation mpls
neighbor 172.4.4.4 encapsulation mpls
status decoupled
!
interface Vlan4000
xconnect vfi VPLS
!
mpls ldp graceful-restart
!
interface Loopback0
ip address 172.1.1.1 255.255.255.255
!
interface GigabitEthernet2/3
ip address 120.0.0.1 255.255.255.0
carrier-delay 0
mpls ip
bfd interval 100 min_rx 100 multiplier 3
!
interface GigabitEthernet2/9
channel-group 1 mode active
!

Use the show lacp multi-chassis group command to display the LACP parameters, local configuration, status of the backbone uplink, peer information, node ID, channel, state, priority, active, and inactive links.

MLACP-PE1# show lacp multi-chassis group 100
Interchassis Redundancy Group 100
 
Operational LACP Parameters:
RG State: Synchronized
System-Id: 200.000a.f331.2680
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 0
System-Id: 200.000a.f331.2680
 
Peer Information:
State: Up
Node-id: 7
System-Id: 2000.0014.6a8b.c680
ICCP Version: 0
 
State Flags: Active - A
Standby - S
Down - D
AdminDown - AD
Standby Reverting - SR
Unknown - U
mLACP Channel-groups
Channel State Priority Active Links Inactive Links
Group Local/Peer Local/Peer Local/Peer Local/Peer
1 A/S 28000/32768 4/4 0/0

Use the show lacp multi-chassis port-channel command to display the interface port-channel value, channel group, LAG state, priority, inactive links, peer configuration, and standby links.

MLACP-PE1# show lacp multi-chassis port-channel 1
Interface Port-channel1
Local Configuration:
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Total Active Links: 4
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0
 
Peer Configuration:
Interface: Port-channel1
Address: 0014.6a8b.c680
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Total Active Links: 4
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0

Use the show mpls ldp iccp command to display the LDP session and ICCP state information.

MLACP-PE1# show mpls ldp iccp
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
ldp_session 0x3, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM RGID Table total ICCP sessions: 1
ICPM LDP Session Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
ldp_session 0x3, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM LDP Session Table total ICCP sessions: 1
 

Use the show mpls l2transport command to display the local interface and session details, destination address, and the status.

MLACP-PE1# show mpls l2transport vc 4000
 
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
VFI VPLS VFI 172.2.2.2 4000 UP
VFI VPLS VFI 172.4.4.4 4000 UP

 

Use the show etherchannel summary command to display the status and identity of the MLACP member links.

MLACP-PE1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
 
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
 
 
Number of channel-groups in use: 2
Number of aggregators: 2
 
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(RU) LACP Gi2/9(P) Gi2/20(P) Gi2/31(P)
Gi2/40(P)

Use the show lacp internal command to display the device, port, and member-link information.

MLACP-PE1# show lacp internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi2/9 SA bndl-act 28000 0x1 0x1 0x820A 0x3D
Gi2/20 SA bndl-act 28000 0x1 0x1 0x8215 0x3D
Gi2/31 SA bndl-act 28000 0x1 0x1 0x8220 0x3D
Gi2/40 SA bndl-act 28000 0x1 0x1 0x8229 0x3D
 
Peer (MLACP-PE3) mLACP member links
 
Gi3/11 FA hot-sby 32768 0x1 0x1 0xF30C 0x5
Gi3/21 FA hot-sby 32768 0x1 0x1 0xF316 0x5
Gi3/32 FA hot-sby 32768 0x1 0x1 0xF321 0x7
Gi3/2 FA hot-sby 32768 0x1 0x1 0xF303 0x7
 

Configuration example on a standby PoA:

redundancy
interchassis group 100
monitor peer bfd
member ip 172.1.1.1
backbone interface GigabitEthernet3/3
backbone interface GigabitEthernet3/5
mlacp system-priority 2000
mlacp node-id 7
!
interface Port-channel1
no ip address
speed nonegotiate
port-channel min-links 2
lacp fast-switchover
lacp max-bundle 4
mlacp lag-priority 28800
mlacp interchassis group 100
service instance 4000 ethernet
encapsulation dot1q 4000
rewrite ingress tag pop 1 symmetric
bridge-domain 4000
!
l2 vfi VPLS manual
vpn id 4000
neighbor 172.2.2.2 encapsulation mpls
neighbor 172.4.4.4 encapsulation mpls
status decoupled
!
interface Vlan4000
xconnect vfi VPLS
!
mpls ldp graceful-restart
!
!
interface Loopback0
ip address 172.3.3.3 255.255.255.255
!
interface GigabitEthernet3/2
channel-group 1 mode active
!
interface GigabitEthernet3/3
ip address 123.0.0.2 255.255.255.0
mpls ip
mpls label protocol ldp
bfd interval 100 min_rx 100 multiplier 3
!

Use the show lacp multi-chassis group interchassis group number command to display the LACP parameters, local configuration, status of the backbone uplink, peer information, nodeID, channel, state, priority, active, and inactive links.

MLACP-PE3# show lacp multi-chassis group 100
Interchassis Redundancy Group 100
 
Operational LACP Parameters:
RG State: Synchronized
System-Id: 200.000a.f331.2680
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 7
System-Id: 2000.0014.6a8b.c680
 
Peer Information:
State: Up
Node-id: 0
System-Id: 200.000a.f331.2680
ICCP Version: 0
 
State Flags: Active - A
Standby - S
Down - D
AdminDown - AD
Standby Reverting - SR
Unknown - U
mLACP Channel-groups
Channel State Priority Active Links Inactive Links
Group Local/Peer Local/Peer Local/Peer Local/Peer
1 S/A 32768/28000 4/4 0/0
 

Use the show lacp multi-chassis port-channel command to display the interface port-channel value, channel group, LAG state, priority, inactive links, peer configuration, and standby links.

MLACP-PE3# show lacp multi-chassis port-channel 1
Interface Port-channel1
Local Configuration:
Address: 0014.6a8b.c680
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Total Active Links: 4
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0
 
Peer Configuration:
Interface: Port-channel1
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Total Active Links: 4
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0
 
MLACP-PE3# show mpls ldp iccp
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
ldp_session 0x2, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM RGID Table total ICCP sessions: 1
ICPM LDP Session Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
ldp_session 0x2, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM LDP Session Table total ICCP sessions: 1
 
MLACP-PE3# sh mpls l2transport vc 2
 
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
VFI VPLS VFI 172.2.2.2 4000 UP
VFI VPLS VFI 172.4.4.4 4000 UP
 

Use the show etherchannel summary command to display the status and identity of the MLACP member links.

MLACP-PE3#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
 
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
 
Number of channel-groups in use: 2
Number of aggregators: 2
 
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(RU) LACP Gi3/2(P) Gi3/11(P) Gi3/21(P)
Gi3/32(P)

Use the show lacp internal command to display the device, port, and member-link information.

MLACP-PE3# show lacp 1 internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
 
Channel group 1
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi3/2 FA bndl-sby 32768 0x1 0x1 0xF303 0x7
Gi3/11 FA bndl-sby 32768 0x1 0x1 0xF30C 0x5
Gi3/21 FA bndl-sby 32768 0x1 0x1 0xF316 0x5
Gi3/32 FA bndl-sby 32768 0x1 0x1 0xF321 0x7
 
Peer (MLACP-PE1) mLACP member links
 
Gi2/20 SA bndl 28000 0x1 0x1 0x8215 0x3D
Gi2/31 SA bndl 28000 0x1 0x1 0x8220 0x3D
Gi2/40 SA bndl 28000 0x1 0x1 0x8229 0x3D
Gi2/9 SA bndl 28000 0x1 0x1 0x820A 0x3D
MLACP-PE3#

Pseudo MLACP Support on Cisco 7600

In dual homing, a device is connected to the network using two independent access points or points of attachment (POAs). One POA is the primary connection and the other is a standby connection that is activated if the primary connection fails. The Multi-chassis Link Aggregation Protocol (MLACP) solution is an active and standby Provider Edge (PE) redundancy mechanism. The Pseudo MLACP (PMLACP) feature, introduced in Cisco IOS release 15.1(3)S, provides a flexible dual homing redundancy mechanism where both connections are in the active mode (active-active mode). In the PMLACP implementation, a PMLACP application is implemented on the PE router. Both POA ports are placed in active mode with manual VLAN load balancing.

PMLACP provides higher bandwidth utilization than MLACP and other active and standby link level schemes. PMLACP provides VLAN based redundancy by allowing you to configure one primary and one secondary interface pair for each member VLAN. The POAs determine which POA is active and which is standby for each VLAN on a Multi-Chassis Link Aggregation (MLAG), and only the active POA forwards frames for the respective VLAN. Additionally, PMLACP allows maximum flexibility for PE-CE interoperability in terms of dual-homing redundancy and failover recovery.

Figure 4-6 explains the PMLACP implementation with manual VLAN load-balancing configuration.

Figure 4-6 PMLACP Implementation

In the illustration, POA ports are configured for a PMLACP role, and ports are configured in active-active mode with manual VLAN load-balancing. The POAs are configured to allow certain VLANs on one of their downlinks but not the other VLANs. The POA activates its uplinks for locally active VLANs. DHD is configured to enable all VLANs on both its uplinks. Traffic from DHD is initially flooded on both uplinks until DHD learns which uplink is active for which VLANs.

Failover Operations

The PMLACP feature provides network resiliency by protecting against port, link, and node failures.

Figure 4-7 explains the failure points in a network.

Figure 4-7 PMLACP Failover Protection

These failures can be categorized into five types.

  • A—Failure of the uplink port on the DHD
  • B—Failure of the ethernet link
  • C—Failure of the downlink port on the POA
  • D—Failure of the POA node
  • E—Failure of the active POA uplinks

The failover operations are triggered by three different events.

  • Access side link or port failure (failure types A-C): PMLACP on the failing POA initiates a failover to the peer for any VLANs that were active on the failed link or links. This failover is initiated by sending an MLACP port state Type Length Value (TLV) message, indicating that the port state is down.
  • Node failure (failure type D): PMLACP on the surviving POA receives a node failure notification and initiates a failover of all VLANs in standby mode on all shared MLAGs.
  • POA uplink failure (failure type E): The failing POA sends a message to the peer about the core isolation using the MLACP system state TLV, indicating that the POA is isolated. It will then place all VLANs in the blocking mode.

All three failover events involve the peer POA receiving a notification of the failure. At this point, the receiving standby POA completes the following steps:

1. Unblocks any of the affected VLANs which were in standby or blocked mode.

2. Sends a MAC flush message to the access side network device through a Multiple VLAN Registration Protocol (MVRP) message. This message reflects all the VLANs which are being activated only for the associated interface. When DHD receives the MVRP message, DHD responds by flushing the MAC address tables for those VLANs.

3. Triggers the core network edge MAC flushing.

Failure Recovery

PMLACP uses revertive mode after a failure recovery to support the active-active model. The reversal process is similar to the failover process. The standby POA initiates the reversal for each VLAN by indicating that the POA is relinquishing its active role for the VLAN. This is done through an ICCP PLACP interface state TLV message, which indicates that it is no longer in active mode for the affected VLANs. Upon receipt of the TLV, the recovering POA unblocks the affected VLANs and triggers the MAC flushes towards the access side and the core side.

Revertive mode is enabled by default. If you want to choose when to trigger reversion after the failover recovery, you can configure non-revertive mode. Non-revertive mode is enabled by configuring the lacp failover non-revertive command under the port channel.

Restrictions for PMLACP on Cisco 7600

Follow these restrictions and usage guidelines while configuring PMLACP.

  • PMLACP is supported on ES+ and ES 20 line cards.
  • PMLACP is supported on SUP 720 and RSP 720.
  • PMLACP configuration on a port channel supports only service instances.
  • If PMLACP is enabled on a port channel, Resilient Ethernet Protocol (REP), Spanning Tree Protocol (STP), Link Aggregation Control Protocol (LACP), VLAN Trunking Protocol (VTP), or other layer 2 control protocols are not supported.
  • The ethernet VLAN color blocking needs to be configured on all VLANs under the port channel if it has EVC xconnect or MTP configured on it. Use the ethernet vlan color-block vlan all command for configuring it.
  • Both POAs must contain the same configuration of manual-load balance VLAN list and LAG.
  • The bridge-domain that is configured under a PMLACP port channel EVC should not be part of any other non PMLACP interfaces.
  • Only one port channel of MLACP or PMLACP type is supported on a single redundancy group (RG). There can be one MLACP port channel and another PMLACP port channel on a single RG, but not two port channels of the same type.
  • Active VLAN list configuration needs to be the same on both POAs.
  • The port-channel configuration on both POAs must be the same, but port-channel members need not be the same.
  • The recommended configuration sequence for PMLACP is:
      1. Configure interchassis group and PMLACP commands.
      2. Configure MLACP interchassis group and other port channel commands.
      3. Add member links.

Configuring PMLACP on Cisco 7600

Complete the following steps to configure PMLACP on the Cisco 7600 router.

SUMMARY STEPS

1. enable

2. configure terminal

3. pseudowire-class pw-class-name

4. encapsulation mpls

5. status peer topology dual-homed

6. exit

7. l2 vfi name manual

8. vpn id vpn-id

9. neighbor remote-id encapsulation mpls

10. exit

11. redundancy

12. interchassis group number

13. monitor peer bfd

14. member ip IP-address

15. mlacp node-id number

16. mlacp system-priority priority

17. backbone interface interface

18. exit

19. interface port-channel port-channel number

20. no ip address

21. mlacp interchassis group group-id

22. mlacp mode active-active

23. mlacp load-balance primary vlan range

24. mlacp load-balance secondary vlan range

25. ethernet vlan color-block all

26. service instance id ethernet

27. encapsulation dot1q vlan id

28. rewrite ingress tag pop {1 | 2} symmetric

29. xconnect peer-id vc-id pw-class pw-class-name

or

bridge-domain bridge-domain-id

30. backup peer peer-id vc-id pw-class pw-class-name

31. exit

32. interface vlan bridge-domain-id

33. xconnect vfi vfi-name

34. end

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

 

 

Enters global configuration mode.

Step 3

pseudowire-class pw-class-name

 

Router(config)# pseudowire-class vpws

Specifies the name of a pseudowire class and enters pseudowire class configuration mode.

Step 4

encapsulation mpls

 

Router(config-pw-class)# encapsulation mpls

Specifies that MPLS is used as the data encapsulation method for tunneling Layer 2 traffic over the pseudowire.

Step 5

status peer topology dual-homed

 

Router(config-pw-class)# status peer topology dual-homed

Enables the reflection of the attachment circuit status on both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a dual-homed device.

Step 6

exit

 

Router(config-pw-class)# exit

Exits pseudowire class configuration mode.

Step 7

l2 vfi name manual

 

Router(config)# l2 vfi vpls manual

Creates a named Layer 2 Virtual Forwarding Instance (VFI) and enables the Layer 2 VFI manual configuration mode.

Note Perform steps 7 to 10 only if you are configuring PMLACP over VPLS. Else go to step 11.

Step 8

vpn id vpn-id

 

Router(config-vfi)# vpn id 17

Configures a VPN ID for the VPLS domain.

Step 9

neighbor remote-id encapsulation mpls

 

Router(config-vfi)# neighbor 1.5.1.1 encapsulation mpls

Specifies the remote peering router ID, which is the IP address of the router, and the tunnel encapsulation type for the emulated VC.

Step 10

exit

 

Router(config-vfi)# exit

Exits the L2 VFI manual configuration mode.

Step 11

redundancy

 

Router(config)# redundancy

Enters redundancy configuration mode.

Step 12

interchassis group number

 

Router(config-red)# interchassis group 100

Configures an interchassis group within the redundancy configuration mode and assigns a group number.

Step 13

monitor peer bfd

 

Router(config-r-ic)# monitor peer bfd

Configures the BFD option to monitor the state of the peer.

Note The monitor peer bfd command is optional. If this command is not specified, the default option is route-watch.

Step 14

member ip IP-address

 

Router(config-r-ic)# member ip 172.3.3.3

Configures the IP address of the MLACP peer member group.

Step 15

mlacp node-id node-id

 

Router(config-r-ic)# mlacp node-id 5

Specifies the node ID to be used in the LACP port-id field.

node-id — Valid range is 0 - 7, and the value should be different from the peer values.

Step 16

mlacp system-priority priority

 

Router(config-r-ic)# mlacp system-priority 100

Specifies the system priority advertised to the other MLACP members of the redundancy group.

priority — Acceptable range is 1 to 65535. The default value is 32768. The assigned values should be lower than the DHD.

Step 17

backbone interface interface

 

Router(config-r-ic)# backbone interface GigabitEthernet2/3

Specifies the backbone interface for the MLACP configuration.

Step 18

exit

 

Router(config-r-ic)# exit

Exits the redundancy mode.

Step 19

interface port-channel number

 

Router(config)# interface Port-channel 10

Specifies the port-channel interface.

Step 20

no ip address

 

Router(config-if)# no ip address

Removes the IP address from the interface.

Step 21

mlacp interchassis group group-id

 

Router(config-if)# mlacp interchassis group 100

Specifies that the port-channel is an MLACP port-channel. The group-id should match the configured redundancy group.

Step 22

mlacp mode active-active

 

Router(config-if)# mlacp mode active-active

Specifies the MLACP mode as active-active.

Step 23

mlacp load-balance primary vlan range

 

Router(config-if)# mlacp load-balance primary vlan 100-109

Specifies the primary VLAN range for manual load balancing.

range — Specifies the VLAN ID range. Values range from 1 to 4094.

Step 24

mlacp load-balance secondary vlan range

 

Router(config-if)# mlacp load-balance secondary vlan 110-120

Specifies the secondary VLAN range for manual load balancing.

Step 25

ethernet vlan color-block all

 

Router(config-if)# ethernet vlan color-block all

Blocks VLANs on EVCs with connect and cross-connect.

devices.

Note This configuration is required if EVC cross connect or MTP is used on the PMLACP port channel.

Step 26

service instance id ethernet

 

Router(config-if)# service instance 101 ethernet

Creates a service instance on an interface.

Step 27

encapsulation dot1q vlan-id

 

Router(config-if-srv)# encapsulation dot1q 100

Configures the encapsulation. Defines the matching criteria to be used in order to map the ingress dot1q frames on an interface to the appropriate service instance.

Step 28

rewrite ingress tag pop {1 | 2} symmetric

 

Router(config-if-srv)# rewrite ingress tag pop 1 symmetric

Specifies the tag manipulation that is to be performed on the frame in ingress direction to the service instance.

Step 29

xconnect peer-id vc-id pseudowire-class pw-classname

or

bridge-domain bridge-domain-id

 

Router(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpws

Binds the 802.1Q VLAN attachment circuit to a virtual circuit (VC).

Binds the attachment circuit to a pseudowire VC.

  • peer-id — Specifies the IP address of the peer PE router.
  • vc-id — Specifies the 32-bit value that identifies the VC between the peer PE routers at each endpoint of the VC. You must configure the same VC ID on the peer PE router.
  • pw-classname — Specifies the pseudowire class.

Note Use the bridge-domain command if you are configuring PMLACP on VPLS.

Step 30

backup peer peer-id vc-id pseudowire-class pw-classname

 

Router(config-if-srv)# backup peer 4.3.3.3 90 pseudowire-class vpws

Specifies a redundant peer for a pseudowire virtual circuit.

Step 31

exit

Exits from the interface configuration mode.

Step 32

interface vlan bridge-domain-id

 

Router(config-if)# interface vlan 201

Creates or accesses a dynamic switched virtual interface (SVI).

Note You need to perform steps 32 and 33 only if you are configuring VPLS.

Step 33

xconnect vfi vfi-name

 

Router(config-if)# xconnect vfi vpls

Specifies the Layer 2 VFI that you are binding to the VLAN port.

Step 34

end

 

Router(config-if)# end

Exits the port-channel interface mode.

Configuration Examples

This is a configuration example for PMLACP with EVC xconnect on two POAs, A and B. In this example, the primary VLAN range is configured as 100-109 on router A and 110-120 on router B. The VLAN ranges are interchanged, so the primary VLAN range of router A is the secondary VLAN range of router B, and the secondary VLAN range of router A is the primary VLAN range of router B.

RouterA> enable
RouterA# configure terminal
RouterA(config)# pseudowire-class vpws
RouterA(config-pw-class)# encapsulation mpls
RouterA(config-pw-class)# status peer topology dual-homed
RouterA(config-pw-class)# exit
RouterA(config)# l2 vfi vpls manual
RouterA(config-vfi)# vpn id 100
RouterA(config-vfi)# neighbor 3.3.3.3 encapsulation mpls
RouterA(config-vfi)# exit
RouterA(config)# redundancy
RouterA(config-red)# interchassis group 100
RouterA(config-r-ic)# monitor peer bfd
RouterA(config-r-ic)# member ip 2.2.2.2
RouterA(config-r-ic)# backbone interface GigabitEthernet8/0/10
RouterA(config-r-ic)# mlacp system-priority 100
RouterA(config-r-ic)# mlacp node-id 1
RouterA(config)# interface Port-channel10
RouterA(config-if)# no ip address
RouterA(config-if)# mlacp interchassis group 100
RouterA(config-if)# mlacp mode active-active
RouterA(config-if)# mlacp load-balance primary vlan 100-109
RouterA(config-if)# mlacp load-balance secondary vlan 110-120
RouterA(config-if)# ethernet vlan color-block all
RouterA(config-if)# service instance 10 ethernet
RouterA(config-if-srv)# encapsulation dot1q 100
RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterA(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpws
RouterA(config-if-srv)# backup peer 4.3.3.3 91
RouterA(config-if)# service instance 11 ethernet
RouterA(config-if-srv)# encapsulation dot1q 101
RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterA(config-if-srv)# bridge-domain 201
RouterA(config-if-srv)# exit
RouterA(config-if)# exit
RouterA(config)# interface vlan 201
RouterA(config-if)# no shutdown
RouterA(config-if)# xconnect vfi vpls
RouterA(config-if)# end
 
 
RouterB> enable
RouterB# configure terminal
RouterB(config)# pseudowire-class vpws
RouterB(config-pw-class)# encapsulation mpls
RouterB(config-pw-class)# status peer topology dual-homed
RouterB(config-pw-class)# exit
RouterB(config)# l2 vfi vpls manual
RouterB(config-vfi)# vpn id 100
RouterB(config-vfi)# neighbor 3.3.3.3 encapsulation mpls
RouterB(config-vfi)# exit
RouterB(config)# redundancy
RouterB(config-red)# interchassis group 100
RouterB(config-r-ic)# monitor peer bfd
RouterB(config-r-ic)# member ip 1.1.1.1
RouterB(config-r-ic)# backbone interface GigabitEthernet8/0/10
RouterB(config-r-ic)# mlacp system-priority 100
RouterB(config-r-ic)# mlacp node-id 2
RouterB(config)# interface Port-channel 10
RouterB(config-if)# no ip address
RouterB(config-if)# mlacp interchassis group 100
RouterB(config-if)# mlacp mode active-active
RouterB(config-if)# mlacp load-balance primary vlan 110-120
RouterB(config-if)# mlacp load-balance secondary vlan 100-109
RouterB(config-if)# ethernet vlan color-block all
RouterB(config-if)# service instance 10 ethernet
RouterB(config-if-srv)# encapsulation dot1q 100
RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterB(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpws
RouterB(config-if-srv)# backup peer 4.3.3.3 91
RouterB(config-if)# service instance 11 ethernet
RouterB(config-if-srv)# encapsulation dot1q 101
RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterB(config-if-srv)# bridge-domain 201
RouterB(config-if-srv)# exit
RouterB(config-if)# exit
RouterB(config)# interface vlan 201
RouterB(config-if)# no shutdown
RouterB(config-if)# xconnect vfi vpls
RouterB(config-if)# end
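
The restrictions and the two-POA example above imply several cross-checks that are easy to miss when the routers are configured by hand. The following Python sketch is an added example, not part of Cisco's guide: it parses the PMLACP lines of two configurations and reports node-id, redundancy group, mode, color-block and VLAN list mismatches. It assumes one redundancy group and one PMLACP port channel per configuration; the function names and the sample configurations are constructed for illustration.

```python
import re

# Strips an IOS prompt such as "RouterA(config-if)# " so session transcripts parse too.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def parse_vlans(spec):
    """Expand a VLAN list such as '100-109,115' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:          # range given in step 23
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_poa(text):
    """Collect the PMLACP-relevant settings of one POA configuration."""
    poa = {"rg": None, "node_id": None, "po_rg": None, "mode": None,
           "primary": set(), "secondary": set(),
           "color_block": False, "evc_xconnect": False}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"interchassis group (\d+)", line):
            poa["rg"] = int(m[1])
        elif m := re.fullmatch(r"mlacp node-id (\d+)", line):
            poa["node_id"] = int(m[1])
        elif m := re.fullmatch(r"mlacp interchassis group (\d+)", line):
            poa["po_rg"] = int(m[1])
        elif m := re.fullmatch(r"mlacp mode (\S+)", line):
            poa["mode"] = m[1]
        elif m := re.fullmatch(
                r"mlacp load-balance (primary|secondary) vlan (\S+)", line):
            poa[m[1]] |= parse_vlans(m[2])
        elif line == "ethernet vlan color-block all":
            poa["color_block"] = True
        elif re.match(r"xconnect \d", line):   # EVC xconnect, not "xconnect vfi"
            poa["evc_xconnect"] = True
    return poa


def check_pair(a, b):
    """Return a list of findings for a POA pair; an empty list means consistent."""
    findings = []
    for name, poa in (("A", a), ("B", b)):
        if poa["node_id"] is None or not 0 <= poa["node_id"] <= 7:
            findings.append(f"{name}: mlacp node-id must be 0-7")
        if poa["po_rg"] != poa["rg"]:
            findings.append(
                f"{name}: port-channel group does not match redundancy group")
        if poa["mode"] != "active-active":
            findings.append(f"{name}: mlacp mode is not active-active")
        if poa["evc_xconnect"] and not poa["color_block"]:
            findings.append(
                f"{name}: EVC xconnect without ethernet vlan color-block all")
    if a["node_id"] == b["node_id"]:
        findings.append("node-id is the same on both POAs")
    if a["primary"] != b["secondary"] or a["secondary"] != b["primary"]:
        findings.append(
            "primary/secondary VLAN lists are not mirrored between POAs")
    return findings


def sample_config(node_id, primary, secondary, color_block=True):
    """Constructed sample, modelled on the configuration example above."""
    lines = [
        "redundancy",
        " interchassis group 100",
        "  monitor peer bfd",
        f"  mlacp node-id {node_id}",
        "interface Port-channel10",
        " mlacp interchassis group 100",
        " mlacp mode active-active",
        f" mlacp load-balance primary vlan {primary}",
        f" mlacp load-balance secondary vlan {secondary}",
    ]
    if color_block:
        lines.append(" ethernet vlan color-block all")
    lines += [" service instance 10 ethernet",
              "  encapsulation dot1q 100",
              "  xconnect 3.3.3.3 90 pseudowire-class vpws"]
    return "\n".join(lines)


if __name__ == "__main__":
    poa_a = parse_poa(sample_config(1, "100-109", "110-120"))
    # Constructed faulty peer: duplicate node-id, short VLAN list, no color-block.
    poa_b = parse_poa(sample_config(1, "110-120", "100-108", color_block=False))
    for finding in check_pair(poa_a, poa_b):
        print(finding)
```

The parser also accepts lines copied from a configuration session, because the router prompt is stripped before matching.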

Verification

Use the show lacp multi-chassis load-balance port-channel number command to verify the PMLACP configuration information on the port channel interface.

PE1# show lacp multi-chassis load-balance port-channel 10
Interface Port-Channel 10
Local Configuration:
P-mLACP Enabled: Yes
Redundancy Group: 100
Revertive Mode: Non-Revertive
Primary VLANs: 4001-4002,4004-4005,4007-4010
Secondary VLANs: 4012-4013,4015-4016,4018-4021
Local Interface State:
Interface ID: 10
Port State: Up
Primary VLAN State: Standby
Secondary VLAN State: Standby
Peer Interface State:
Interface ID: 10
Primary VLAN State: Active
Secondary VLAN State: Active

 

Use the show lacp multi-chassis group command to display the interchassis redundancy group and the operational LACP parameters.

PE1# show lacp multi-chassis group

Interchassis Redundancy Group 100
Operational LACP Parameters:
RG State: Synchronized
System-Id: 32768.001b.0de6.3080
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 1
System-Id: 32768.001b.0de6.3080
Peer Information:
State: Up
Node-id: 2
System-Id: 32768.f866.f2d2.6680
ICCP Version: 0
State Flags: Active - A
Standby - S
Down - D
AdminDown - AD
Standby Reverting - SR
Unknown - U
mLACP Channel-groups
Channel State Priority Active Links Inactive Links
Group Local/Peer Local/Peer Local/Peer Local/Peer
10 A/A 32768/32768 2/2 0/0
 
Redundancy Group 100 (0x64)
Applications connected: mLACP, Pseudo-mLACP
Monitor mode: BFD
member ip: 2.2.2.2 "PE2", CONNECTED
BFD neighbor: GigabitEthernet2/9, next hop 192.168.41.2, UP
mLACP state: CONNECTED

Pseudo-mLACP state: CONNECTED

backbone int GigabitEthernet8/0/9: UP (IP)
ICRM fast-failure detection neighbor table
IP Address Status Type Next-hop IP Interface
========== ====== ==== =========== =========
2.2.2.2 UP BFD 192.168.41.2 GigabitEthernet2/9

 

Use the show lacp multi-chassis load-balance group command to display the PMLACP configuration information including redundancy group, link states and interface status.

PE2#sh lacp multi-chassis load-balance group

Interchassis Redundancy Group 100
RG State: Synchronized
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id: 2
Peer Information:
State: Up
Node-id: 1
ICCP Version: 0
States: Active - ACT Standby - SBY
Down - DN AdminDown - ADN
Unknown - UN Reverting - REV
P-mLACP Interfaces
Interface Port State Local VLAN State Peer VLAN State
ID Local Primary/Secondary Primary/Secondary
10 ADN ADN/ADN DN/DN
34 UP ACT/SBY ACT/SBY

 

Troubleshooting Tips

Table 4-25 Troubleshooting Tips

Command
Purpose

debug lacp load-balance [all | database | redundancy-group | vlan]

Enables debugging of the PMLACP activity. Use this command from the switch processor (SP).

debug redundancy interchassis [all | application | error | event | monitor]

Enables debugging of the interchassis redundancy manager.

debug mpls ldp iccp

Enables debugging of the Inter Chassis Control Protocol (ICCP). Use this command from the RP.

 

Layer 2 Tunneling Protocol Version 3 (L2TPv3)

The L2TPv3 feature employs L2TPv3 and pseudowire (PW) technology to provide tunneling service to Ethernet traffic. The feature is developed for SUP720-3B/3BXL and RSP720 routers, which function as Provider Edge (PE) routers in the network topologies recommended by the RFC 3985 Pseudowire Emulation Edge-to-Edge (PWE3) architecture. L2TPv3 also supports interoperability between the Cisco 7600 router and any standard compliant Cisco or non-Cisco device.

An L2TPv3 tunnel is a control connection between two PE routers. One L2TPv3 tunnel can have multiple data connections, and each data connection is termed an L2TPv3 session. The control connection is used to establish, maintain, and release sessions. Each session is identified by a session ID which is unique across the entire router.

Figure 4-8 Network Topology for L2TPv3

 

In Figure 4-8, the attachment Virtual Circuit (VC) represents a physical or a logical port that connects a Customer Edge (CE) device to a Provider Edge (PE) device. A pseudowire is defined as a VC connecting two attachment VCs, and it consists of two L2TPv3 tunnel paths, one in each direction.

Restrictions for L2TPv3

The following restrictions apply to L2TPv3:

  • Layer 2 facing line card must be an L2TPv3 supporting line card.
  • There must be at least one distinct L2TPv3 tunnel per Layer 2 facing line card.
  • The L2TPv3 feature on a Cisco 7600 router is supported on ES+ and SIP 400 line cards.
  • The Cisco 7600 router supports only IPv4 tunnelling for the Layer 2 frames.
  • The L2TPv3 feature does not support configurations such as EoL2TPv3oMPLS on the encapsulating PE.
  • The L2TPv3 feature supports a maximum of 16,000 pseudowires.
  • L2TPv3 is not supported in conjunction with EVC features. L2TPv3 coexists with EVC on the same port. That is, while one sub-interface is used to tunnel dot1q tagged traffic over L2TP, another sub-interface is used to perform EVC features.
  • Effective with Cisco IOS release 15.1(3)S, 4000 IP tunnels are supported on ES+ line cards.
  • The L2TPv3 feature does not support SSO. You must enable cookies for L2TPv3 session on HA setups.

Configuring L2TPv3

Before configuring L2TPv3, ensure the following:

Complete the following steps to configure L2TPv3:

SUMMARY STEPS

1. enable

2. configure terminal

3. l2tp-class name

4. exit

5. interface loopback loopback_id

6. ip address loopback_address mask

7. mls l2tpv3 reserve interface gigabitethernet slot/subslot/port

8. exit

9. pseudowire-class pseudowire-class name

10. encapsulation l2tpv3

11. protocol l2tpv3 name

12. ip local interface loopback loopback_id

13. exit

14. interface gigabitethernet slot/port

15. encapsulation dot1q vlan_id

16. xconnect loopback_ip vc_id encapsulation l2tpv3 pw-class pseudowire-class name

17. exit

DETAILED STEPS

 

Command
Purpose

Step 1

enable

 
Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

 

Router# configure terminal

Enters global configuration mode.

Step 3

l2tp-class name

 

Router(config)#l2tp-class H-NAME

Creates a template of Layer 2 Tunnel Protocol (L2TP) control plane configuration settings that can be inherited by different pseudowire classes, and enters L2TP class configuration mode.

Note Optionally, you can configure the command hello interval in the L2TP class configuration mode. It specifies the exchange interval (in seconds) used between L2TP hello packets.

Step 4

exit

 

Router(config-l2tp-class)# exit

Exits the L2TP-class configuration mode.

Step 5

interface loopback loopback_id

 

Router(config)# interface loopback 8000

Creates a loopback with the specified loopback_id.

Step 6

ip address loopback_address mask

 

Router(config-if)# ip address 200.1.1.1 255.255.255.0

Creates an IP address for the loopback.

Step 7

mls l2tpv3 reserve interface GigabitEthernet slot/subslot/port

 

Router(config-if)#mls l2tpv3 reserve interface Gig3/1 Gig3/10

Reserves a loopback interface used as a source of the L2TPv3 tunnel in a particular line card and prevents it from being used across multiple line cards.

slot/subslot/port—Specifies the location of the interface.

Step 8

exit

 

Router(config-if)#exit

Exits interface configuration mode.

Step 9

pseudowire-class pseudowire-class name

 

Router(config)# pseudowire-class eth8000

Specifies the name of a L2TPv3 pseudowire class and enters pseudowire class configuration mode.

Step 10

encapsulation l2tpv3

 

Router(config-pw-class)#encapsulation l2tpv3

Configures the tunnel encapsulation type and ensures that the L2TPv3 connectivity is up.

Step 11

protocol l2tpv3 name

 

Router(config-pw-class)#protocol l2tpv3 H-NAME

Defines L2TPv3 signaling protocol.

Step 12

ip local interface loopback loopback_id

 

Router(config-pw-class)#ip local interface Loopback 8000

Specifies the local PE interface, whose IP address is used as the source IP address for sending tunneled packets.

Step 13

exit

 

Router(config-pw-class)# exit

Exits interface configuration mode.

Step 14

interface gigabitethernet slot/port

 

Router(config)#interface GigabitEthernet3/4.100

Enters the sub interface configuration mode.

Step 15

encapsulation dot1q vlan_id

 

Router(config-subif)#encapsulation dot1Q 100

Configures the encapsulation by defining the matching criteria to be used in order to map ingress dot1q frames on a VLAN interface.

Step 16

xconnect loopback_ip vc_id encapsulation l2tpv3 pw-class pseudowire-class name

 

Router(config-subif)#xconnect 100.1.1.1 80 encap l2tpv3 pw-class eth8000

Attaches the Layer 2 facing interfaces to the pseudowire. The virtual circuit identifier (VC_ID) used must be a unique combination on the router. The same VC_ID must be used on both PE routers.

Step 17

exit

 

Router(config-subif-xconn)#exit

Exits the sub interface configuration mode.

Configuration Examples

This example shows how to configure L2TPv3:

Router> enable
Router# configure terminal
Router(config)# l2tp-class H-NAME
Router(config-l2tp-class)# exit
Router(config)# interface Loopback8000
Router(config-if)# ip address 200.1.1.1 255.255.255.0
Router(config-if)# mls l2tpv3 reserve interface Gig3/1 Gig3/10
Router(config-if)# exit
Router(config)# pseudowire-class eth8000
Router(config-pw-class)# encapsulation l2tpv3
Router(config-pw-class)# protocol l2tpv3 H-NAME
Router(config-pw-class)# ip local interface Loopback8000
Router(config-pw-class)# exit
Router(config)# interface GigabitEthernet3/4.100
Router(config-subif)# encapsulation dot1Q 100
Router(config-subif)# xconnect 100.1.1.1 80 encap l2tpv3 pw-class eth8000
Router(config-subif-xconn)# exit
Router(config-subif)# exit
Router(config)# exit
 

Verification

Use the following commands to verify the L2TPv3 configuration:

Router #show l2tp tunnel
L2TP Tunnel Information Total tunnels 2 sessions 2
 
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
2101541749 1606300868 7600-3_BR est 100.1.1.1 1 H-NAME
2974027542 2468589365 7600-3_BR est 100.1.2.1 1 H-NAME
 
Router #show l2tp tunnel all
 
L2TP Tunnel Information Total tunnels 2 sessions 2
 
Tunnel id 2101541749 is up, remote id is 1606300868, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 03:37:28
Tunnel transport is IP (115)
Remote tunnel name is 7600-3_BR
Internet Address 100.1.1.1, port 0
Local tunnel name is 7600-2-CE
Internet Address 200.1.1.1, port 0
L2TP class for tunnel is H-NAME
Counters, taking last clear into account:
0 packets sent, 0 received
0 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 0 received
0 bytes sent, 0 received
Control Ns 33, Nr 90
Local RWS 1024 (default), Remote RWS 1024
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 89
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
 
Tunnel id 2974027542 is up, remote id is 2468589365, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 03:37:36
Tunnel transport is IP (115)
Remote tunnel name is 7600-3_BR
Internet Address 100.1.2.1, port 0
Local tunnel name is 7600-2-CE
Internet Address 200.1.2.1, port 0
L2TP class for tunnel is H-NAME
Counters, taking last clear into account:
0 packets sent, 0 received
0 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 0 received
0 bytes sent, 0 received
Control Ns 35, Nr 92
Local RWS 1024 (default), Remote RWS 1024
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 91
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
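
The per-tunnel detail above can be checked automatically. The following Python sketch is an added example, not part of Cisco's guide: it parses show l2tp tunnel all output and reports tunnels that are not established, that show control message authentication as disabled, or that have logged peer authentication failures. The first two tunnels in the sample are trimmed from the output above; the third tunnel and the wording of the "enabled" case are constructed assumptions.

```python
import re

# Tunnels 1 and 2 are trimmed from the output above; tunnel 3 is constructed.
SAMPLE = """\
Tunnel id 2101541749 is up, remote id is 1606300868, 1 active sessions
  Tunnel state is established, time since change 03:37:28
  Remote tunnel name is 7600-3_BR
    Internet Address 100.1.1.1, port 0
  Local tunnel name is 7600-2-CE
    Internet Address 200.1.1.1, port 0
  L2TP class for tunnel is H-NAME
  Total resends 0, ZLB ACKs sent 89
  Total peer authentication failures 0
  Control message authentication is disabled

Tunnel id 2974027542 is up, remote id is 2468589365, 1 active sessions
  Tunnel state is established, time since change 03:37:36
  Remote tunnel name is 7600-3_BR
    Internet Address 100.1.2.1, port 0
  Local tunnel name is 7600-2-CE
    Internet Address 200.1.2.1, port 0
  L2TP class for tunnel is H-NAME
  Total resends 0, ZLB ACKs sent 91
  Total peer authentication failures 0
  Control message authentication is disabled

Tunnel id 1000000001 is up, remote id is 1000000002, 1 active sessions
  Tunnel state is established, time since change 00:10:00
  Remote tunnel name is EXAMPLE-PE
    Internet Address 192.0.2.1, port 0
  Local tunnel name is 7600-2-CE
    Internet Address 192.0.2.2, port 0
  L2TP class for tunnel is H-NAME
  Total resends 0, ZLB ACKs sent 12
  Total peer authentication failures 3
  Control message authentication is enabled
"""

HEADER = re.compile(
    r"Tunnel id (\d+) is (\w+), remote id is (\d+), (\d+) active sessions")
FIELDS = [
    ("state", r"Tunnel state is (\w+)", str),
    ("l2tp_class", r"L2TP class for tunnel is (\S+)", str),
    ("resends", r"Total resends (\d+)", int),
    ("auth_failures", r"Total peer authentication failures (\d+)", int),
    ("ctl_auth", r"Control message authentication is (\w+)", str),
]


def parse_tunnels(output):
    """Split the command output into one dict per tunnel."""
    tunnels, current, side = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            current = {"id": int(m[1]), "oper": m[2],
                       "remote_id": int(m[3]), "sessions": int(m[4])}
            tunnels.append(current)
            side = None
            continue
        if current is None:
            continue                      # banner lines before the first tunnel
        if m := re.match(r"(Remote|Local) tunnel name is (\S+)", line):
            side = m[1].lower()           # the next address line belongs to it
            current[f"{side}_name"] = m[2]
        elif (m := re.match(r"Internet Address (\S+), port \d+", line)) and side:
            current[f"{side}_addr"] = m[1]
            side = None
        else:
            for key, pattern, cast in FIELDS:
                if m := re.match(pattern, line):
                    current[key] = cast(m[1])
                    break
    return tunnels


def audit(tunnels):
    """Return one finding string per condition worth an operator's attention."""
    findings = []
    for t in tunnels:
        tag = f"tunnel {t['id']} to {t.get('remote_addr', 'unknown')}"
        if t.get("state") != "established":
            findings.append(f"{tag}: state is {t.get('state')}")
        if t.get("ctl_auth") == "disabled":
            findings.append(f"{tag}: control message authentication is disabled")
        if t.get("auth_failures", 0) > 0:
            findings.append(
                f"{tag}: {t['auth_failures']} peer authentication failures")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tunnels(SAMPLE)):
        print(finding)
```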

Troubleshooting Tips

For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this location:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Reverse L2GP for Cisco 7600

Layer 2 Gateway Ports (L2GP) is a proposed IEEE standard (802.1ah) to address the issues that arise when two independent bridged domains are connected redundantly through an arbitrary number of links. Layer 2 Gateway Ports define how the forwarding gateways are selected so that only redundant ports are blocked and there are no temporary loops. The transitions can be at least as fast as STP. L2GP resolves the transient loop problem during re-convergence because it does not require cooperation from the outside domain.

Reverse L2GP (R-L2GP) is a variation of L2GP. In R-L2GP, the pseudo information is transmitted by the nPEs instead of the uPEs. R-L2GP provides a mechanism to send out static preconfigured BPDUs on each ring access port of the nPEs to stimulate a per-access ring instantiation of the protocol. For this to work, the pair of nPEs is programmed to send out BPDUs on the access ring ports in such a way that they appear to be either:

  • The root bridge itself (the bridge with the lowest bridge ID/priority).
  • The bridge with the second lowest bridge ID/priority, and with a 0 cost path to the root.

Using R-L2GP, you configure the BPDUs statically instead of relying on dynamic configuration.

For more information, see Configuring STP and MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html#wp1101874

Restrictions and Usage Guidelines

When configuring Reverse L2GP for the Cisco 7600 router, follow these guidelines and restrictions:

  • R-L2GP is not compatible with pre-standard MST. This combination is not supported.
  • Use only on bridge ports.
  • Because VLAN ID is required for EVC service instance to MST instance mapping, EVC service instances without any VLAN ID in the encapsulation are not supported. This includes:
      – Untagged encapsulation
      – Priority-tagged encapsulation
      – Default encapsulation

  • In EVC service instance, MST runs on the encapsulation VLAN, not on the broadcast-domain VLAN.
  • Service instances with multiple outer tags are not supported.
  • The feature is supported only on ES20 and ES+ line cards.
  • MST and R-L2GP can co-exist on the same router.
  • R-L2GP does not provide any automatic detection or recovery mechanisms for BPDU data.
  • MST instance zero under RL2GP must be configured before RL2GP instance is attached to a port.
  • Configure MST instance zero on the same nPE pair as RL2GP instance.
  • In an EVC service instance configuration, the encapsulation VLAN and the bridge-domain (BD) VLAN should be part of the same MST instance so that TCNs are sent on the BD VLANs.

Configuring Reverse L2GP for 7600

To enable R-L2GP on a port, you need to:

  • Configure MST
  • Configure RL2GP instance
  • Attach RL2GP instance to a port
  • Configure VPLS BPDU Pseudo Wire

Configuration of MST must be done before configuring RL2GP and attaching it to a port. For MST configuration, you need to configure:

  • Provider Bridge Mode
  • Hello Time
  • Name
  • Revision
  • MSTI information (VLAN mapping, bridge priority, port priority, and cost)
  • Priority Vector information (bridge ID, port ID, Root Bridge ID)

Since the R-L2GP configuration is bundled with the MSTI configuration, the above parameters can be recycled from the MSTI and MST region (currently only one MST region is supported on IOS) configurations. This section describes how to configure Reverse L2GP for 7600. It consists of the following sections:

Configuring MST

SUMMARY STEPS

1. enable

2. configure terminal

3. spanning-tree mst configuration

4. [no] name name

5. [no] revision version

6. [no] instance instance-id {vlans vlan-range}

DETAILED STEPS

 

Step 1  enable
    Example: Router# enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3  spanning-tree mst configuration
    Example: Router(config)# spanning-tree mst configuration
    Purpose: Enters MST-configuration submode.

Step 4  [no] name name
    Example: Router(config-mst)# name Cisco
    Purpose: Sets the name of a Multiple Spanning Tree (MST) region.

Step 5  revision version
    Example: Router(config-mst)# revision 5
    Purpose: Sets the revision number for the Multiple Spanning Tree (802.1s) (MST) configuration.

Step 6  [no] instance instance-id {vlans vlan-range}
    Example: Router(config-mst)# instance 2 vlans 1-100
    Purpose: Maps a VLAN or a group of VLANs to a multiple spanning tree (MST) instance.

Configuring the RL2GP Instance

SUMMARY STEPS

1. spanning-tree pseudo-information transmit identifier

2. remote-id id

3. mst root mac-address

4. mst root priority

5. mst root

6. mst cost

DETAILED STEPS

 

Step 1  spanning-tree pseudo-information transmit identifier
    Example: Router(config)# spanning-tree pseudo-information transmit 10
    Purpose: Configures the Reverse-L2GP configuration on the interface (or untagged EFP port).

Step 2  remote-id id
    Example: Router(config-pseudo)# remote-id 5
    Purpose: Configures the remote R-L2GP instance ID that pairs with the specified R-L2GP instance ID.

Step 3  mst root mac-address
    Example: Router(config-pseudo)# mst root 0000.9c6d.2ec0
    Purpose: Adds MST instance list to R-L2GP instance and configures R-L2GP root bridge MAC address for MST instance (or multiple MST instances).

Step 4  mst root priority
    Example: Router(config-pseudo)# mst root priority
    Purpose: Adds MST instance list to R-L2GP instance and configures the R-L2GP bridge priority (in multiples of 4096) for instances.

Step 5  mst root
    Example: Router(config-pseudo)# mst root
    Purpose: Adds MST instances to R-L2GP instances and configures the MAC address and priority for MST instances.

Step 6  mst cost
    Example: Router(config-pseudo)# mst cost
    Purpose: Adds MST instance list to R-L2GP instance and configures R-L2GP path cost for MST instance (or multiple MST instances).

Attaching the RL2GP Instance to a Port

SUMMARY STEPS

1. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

2. spanning-tree pseudo-information transmit identifier

DETAILED STEPS

 

Step 1  interface gigabitethernet slot/port
        or
        interface tengigabitethernet slot/port
    Example: Router(config)# interface gigabitethernet 4/1
    Purpose: Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:
      • slot/port: Specifies the location of the interface.

Step 2  spanning-tree pseudo-information transmit identifier
    Example: Router(config-if)# spanning-tree pseudo-information transmit 10
    Purpose: Configures the Reverse-L2GP configuration on the interface.

Configuring the VPLS Pseudo Wire

SUMMARY STEPS

1. l2 vfi name manual

2. vpn id vpn_id

3. forward permit L2protocol all

4. neighbor ip-address vc-id {encapsulation mpls | pw-class pw-class-name}

5. exit

6. interface vlan vlanid type {trbrf | ethernet}

7. xconnect vfi vfi_name

DETAILED STEPS

 

Step 1  l2 vfi name manual
    Example: Router(config)# l2 vfi vfitest1 manual
    Purpose: Creates a Layer 2 VFI and enters the Layer 2 VFI manual configuration submode.

Step 2  vpn id vpn_id
    Example: Router(config-vfi)# vpn id 303
    Purpose: Sets or updates a Virtual Private Network (VPN) ID on a VPN routing and forwarding (VRF) instance.

Step 3  forward permit L2protocol all
    Example: Router(config-vfi)# forward permit L2protocol all
    Purpose: Defines the VPLS pseudowire that is used to transport bridge protocol data unit (BPDU) information between two network provider edge (N-PE) routers.

Step 4  neighbor ip-address vc-id {encapsulation mpls | pw-class pw-class-name}
    Example: Router(config-vfi)# neighbor 10.10.10.10 1 encapsulation mpls
    Purpose: Specifies the routers that should form a point-to-point Layer 2 virtual forwarding interface (VFI) connection.

Step 5  exit
    Example: Router(config-vfi)# exit
             Router(config)#
    Purpose: Exits the current configuration mode.

Step 6  interface vlan vlanid type {trbrf | ethernet}
    Example: Router(config)# interface vlan 23
    Purpose: Creates a dynamic Switch Virtual Interface (SVI).

Step 7  xconnect vfi vfi_name
    Example: Router(config-if)# xconnect vfi vfi16
    Purpose: The xconnect command specifies the Layer 2 VFI that you are binding to the VLAN port.

Examples

This is a sample configuration for a switch port:

----- PE1 configuration -----
 
Step 1:
 
PE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#spanning-tree mode mst
PE1(config)#spanning-tree extend system-id
PE1(config)#spanning-tree pseudo-information transmit 2
PE1(config-pseudo)# remote-id 1
PE1(config-pseudo)# mst 0 root 32768 0000.0000.0001
%Warning: Please make same configuration change on mst instance 0 for
remote Pseudo Info instance also. Difference in mst instance 0 config
on Pseudo Info pair can cause network instability
PE1(config-pseudo)# mst 1 root 32768 0000.0000.0002
PE1(config-pseudo)# mst 1 cost 100
PE1(config-pseudo)#exit
PE1(config)#spanning-tree mst configuration
PE1(config-mst)#instance 1 vlan 100-200, 400-500
 
Step 2:
 
PE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#interface TenGigabitEthernet4/1
PE1(config-if)# switchport
PE1(config-if)# switchport mode trunk
PE1(config-if)# spanning-tree pseudo-information transmit 2
PE1(config-if)#end
PE1#
 
Step 3:
 
PE1(config)#l2 vfi bpdupw manual
PE1(config-vfi)#vpn id 100
PE1(config-vfi)#forward permit L2protocol all
PE1(config-vfi)#neighbor 22.22.22.22 encapsulation mpls
PE1(config-vfi-neighbor)#
 
Step 4:
 
PE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#interface Vlan1
PE1(config-if)#no ip address
PE1(config-if)#xconnect vfi bpdupw
PE1(config-if)#end
PE1#
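Because R-L2GP has no automatic detection or recovery for BPDU data, a mismatch between the two nPEs has to be caught by reviewing configuration. The following is an added example, not Cisco tooling or part of the original guide: a Python check over running-config text from an nPE pair that flags an instance attached to a port without MST instance 0, a remote-id pairing that is not reciprocal, and MST instance 0 root values that differ across the pair. The line format (`mst <instance> root <priority> <mac>`, single instance IDs) is assumed from the sample session above, and both config excerpts are constructed.

```python
import re

# Constructed running-config excerpts for an nPE pair (sample data, not from a real device).
PE1 = """\
spanning-tree pseudo-information transmit 2
 remote-id 1
 mst 0 root 32768 0000.0000.0001
 mst 1 root 32768 0000.0000.0002
interface TenGigabitEthernet4/1
 spanning-tree pseudo-information transmit 2
"""
PE2 = """\
spanning-tree pseudo-information transmit 1
 remote-id 2
 mst 0 root 28672 0000.0000.0001
interface TenGigabitEthernet4/1
 spanning-tree pseudo-information transmit 1
"""

def parse(cfg):
    """Return ({pseudo_id: {"remote": id, "root": {msti: (prio, mac)}}}, attached_ids)."""
    pseudo, attached, cur = {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"(\s*)spanning-tree pseudo-information transmit (\d+)", line):
            if m[1]:                       # indented: attached under an interface
                attached.add(int(m[2]))
            else:                          # global: opens the pseudo-information submode
                cur = pseudo.setdefault(int(m[2]), {"remote": None, "root": {}})
        elif not line.startswith(" "):
            cur = None                     # any other top-level command closes the submode
        elif cur is not None and (m := re.match(r"\s+remote-id (\d+)", line)):
            cur["remote"] = int(m[1])
        elif cur is not None and (m := re.match(r"\s+mst (\d+) root (\d+) (\S+)", line)):
            cur["root"][int(m[1])] = (int(m[2]), m[3].lower())
    return pseudo, attached

def audit(local_cfg, peer_cfg):
    """Check the local nPE's R-L2GP instances against its peer; return a list of findings."""
    (local, attached), (peer, _) = parse(local_cfg), parse(peer_cfg)
    findings = []
    for pid, inst in local.items():
        if pid in attached and 0 not in inst["root"]:
            findings.append(f"pseudo {pid}: attached to a port without mst 0 configured")
        mate = peer.get(inst["remote"])
        if mate is None or mate["remote"] != pid:
            findings.append(f"pseudo {pid}: remote-id pairing with peer is not reciprocal")
        elif inst["root"].get(0) != mate["root"].get(0):
            findings.append(f"pseudo {pid}: mst 0 root differs from peer pseudo {inst['remote']}")
    return findings
```

Run `audit` in both directions (PE1 against PE2, then PE2 against PE1), since each call reports only on the first argument's instances.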
 

Use the show commands to check the configuration:

 
PE1#show running-config int te4/1
Building configuration...
 
Current configuration : 119 bytes
!
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
spanning-tree pseudo-information transmit 2
end
 
 
PE1#show spanning-tree mst
 
##### MST0 vlans mapped: 1-99,201-399,501-4094
Bridge address 0013.5f21.e240 priority 32768 (32768 sysid 0)
Root this switch for the CIST
Operational hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured hello time 2 , forward delay 15, max age 20, max hops 20
 
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Te4/1 Desg FWD 2000 128.769 P2p R-L2GP
PW 22.22.22.22:100 Desg FWD 200 128.1020 P2p R-L2GP
 
##### MST1 vlans mapped: 100-200,400-500
Bridge address 0013.5f21.e240 priority 32769 (32768 sysid 1)
Root this switch for MST1
 
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Te4/1 Desg FWD 2000 128.769 P2p R-L2GP
PW 22.22.22.22:100 Desg FWD 200 128.1020 P2p R-L2GP
 
PE1#show spanning-tree pseudo-information
Pseudo id 2, type