Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) Line Card Configuration Guide
Configuring Layer 1 and Layer 2 Features

Table Of Contents

Configuring Layer 1 and Layer 2 Features

Cisco 7600 Synchronous Ethernet Support

Restrictions and Usage Guidelines

Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card

Configuring the Clock Recovery from SyncE

Configuring the Clock Recovery from BITS Port

Configuring the System to External

Configuring the Line to External

Managing Synchronization on ES+ Card

Verification

Flexible QinQ Mapping and Service Awareness

Restrictions and Usage Guidelines

Examples

Double Tag VLAN Connect

Selective QinQ with Xconnect

Selective QinQ with Layer 2 Switching

Double Tag Translation (2-to-2 Tag Translation)

Double Tag Termination (2 to 1 Tag Translation)

Verification

Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards

Restrictions and Usage Guidelines

Examples

Single Tag Termination Example

Single Tag Tunneling Example

Single Tag Translation Example

Double Tag Tunneling Example

Double Tag Termination Configuration Example

Double-Tag Translation Configuration Example

Selective QinQ Configuration Example

Untagged Traffic Configuration Example

MPBE with Split Horizon Configuration Example

Verification

Backup Interface for Flexible UNI

Restriction and Usage Guidelines

Verification

Example

EVC On Port-Channel

Restrictions and Usage Guidelines

Verification

LACP Support for EVC Port Channel

Restrictions and Usage Guidelines

Verification

DHCP Snooping with Option-82 on EVC

Restrictions and Usage Guidelines

Example

Verification

IP Source Guard for Service Instance

Restrictions and Usage Guidelines

Example

Verification

Configuring MST on EVC Bridge Domain

Overview of MST and STP

Overview of MST on EVC Bridge Domain

Restrictions and Usage Guideline

Examples

Verification

MAC Address Security for EVC Bridge Domain

Restrictions and Usage Guideline

Enabling MAC Address Security for EVC Bridge Domain

Disabling MAC Address Security for EVC Bridge Domain on an EFP

Examples

Configuring MAC Address Whitelist on an EFP

Configuring Sticky MAC Addresses on an EFP

Configuring Secure MAC Address Aging on an EFP

Configuring MAC Address Limiting on EFP

Configuring MAC Address Limiting on a Bridge Domain

Configuring Violation Response on an EFP

Examples

Error Recovery

Manual Recovery

Automatic recovery

Verification

CFM and PVST Co-Existence

Restrictions and Usage Guidelines

Configuring PVST and CFM Co-Existence

Configuring GVRP and CFM Co-Existence

Configuring PVST and GVRP Co-Existence

Verification

CFM over EFP Interface with xconnect

Restrictions and Usage Guidelines

Configuring CFM over EFP with xconnect for the Cisco 7600 Router

Configuring CFM over EFP Interface with Cross Connect—Basic Configuration

Configuring CFM over EFP Interface with Cross Connect—Single Tag VLAN Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Double Tag VLAN Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Selective QinQ Cross Connect

Configuring CFM over EFP Interface with Cross Connect—Port-Based Cross Connect Tunnel

Configuring CFM over EFP Interface with Cross Connect—Port Channel-Based Cross Connect Tunnel

Configuring CFM over EFP Interface with xconnect—Port Channel-Based xconnect Tunnel

Verification

Custom Ethertype for EVC Interfaces

Supported Rewrite Rules for a Custom Ethertype Configuration

Supported Rewrites for Non-Range on C-Tag with a NNI

Supported Rewrites for Range on C-Tag with a NNI

Restrictions and Usage Guidelines

Examples

Single Tag Encap with Connect with Custom Ethertype Configured

Single Tag Encap with Bridge Domain

Single Tag Encap with XConnect

Custom Ethertype Support with Sub Interfaces

Verification

Storm Control on Switchports and Ports Having EVCs

Restrictions and Usage Guidelines

Configuring Storm Control on Ports with EVC Configurations

Example

Configuring Storm Control on Switchports

Example

Verification

GE LAG with LACP on UNI with Advanced Load Balancing

Restrictions and Usage Guidelines

Configuring GE Link Aggregation with Advanced Load Balancing

Example

Verification

Multichassis Support for LACP

Requirements and Restrictions

Reverse L2GP for Cisco 7600

Restrictions and Usage Guidelines

Configuring Reverse L2GP for 7600

Configuring MST

Configuring the RL2GP Instance

Attaching the RL2GP Instance to a Port

Configuring the VPLS Pseudo Wire

Example

Verification

Configuring Static MAC Binding to EVCs and Pseudowires

Restrictions and Usage Guidelines

Configuring Static MAC over EFP for the Cisco 7600 Router

Configuring MPLS on Core-Facing Interface

Configuring Static MAC over Pseudowire for the Cisco 7600 Router

Configuring Resilient Ethernet Protocol over Ethernet Virtual Circuit

Restrictions and Usage Guidelines

Configuring REP over EVC for the Cisco 7600 Router

Configuring REP over EVC using xconnect for the Cisco 7600 Router

Configuring REP over EVC using connect for the Cisco 7600 Router

Configuring REP over EVC using bridge-domain for the Cisco 7600 Router

IEEE 802.1ag-2007 Compliant CFM

Supported Line Cards

Supported Interfaces

Restrictions and Usage Guidelines

802.1ah: Configuring Excalibur MAC Tunneling Protocol

MTP Software Architecture

IB Backbone Edge Bridge

Data Plane Processing

MTP Configuration

Scalability Information

Restrictions and Usage Guidelines

Configuring Excalibur MTP for the Cisco 7600 Router

IP and PPPoE Session Support

IP Address Assignment

IP Subnet (IP Range) Sessions

IP Interface Sessions

PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)

PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer Ethertype

Restrictions and Usage Guidelines

Verification


Configuring Layer 1 and Layer 2 Features


This chapter provides information about configuring Layer 2 features on the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series router. It includes the following topics:

Cisco 7600 Synchronous Ethernet Support

Flexible QinQ Mapping and Service Awareness

Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards

Backup Interface for Flexible UNI

EVC On Port-Channel

LACP Support for EVC Port Channel

DHCP Snooping with Option-82 on EVC

IP Source Guard for Service Instance

Configuring MST on EVC Bridge Domain

MAC Address Security for EVC Bridge Domain

CFM and PVST Co-Existence

CFM over EFP Interface with xconnect

Custom Ethertype for EVC Interfaces

Storm Control on Switchports and Ports Having EVCs

GE LAG with LACP on UNI with Advanced Load Balancing

Multichassis Support for LACP

Reverse L2GP for Cisco 7600

Configuring Static MAC Binding to EVCs and Pseudowires

Configuring Resilient Ethernet Protocol over Ethernet Virtual Circuit

IEEE 802.1ag-2007 Compliant CFM

802.1ah: Configuring Excalibur MAC Tunneling Protocol

IP and PPPoE Session Support

For more information about the commands used in this chapter, see the Cisco IOS Release 12.2 SR Command References at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sr/cr/index.htm.


Note The information provided in this chapter is applicable to both the ES+ and ES+T line cards unless specified otherwise.


Cisco 7600 Synchronous Ethernet Support

Synchronous Ethernet (SyncE), defined by ITU-T standards such as G.8261 and G.8262, leverages the Ethernet PHY layer to transmit clock information to remote sites. SyncE over Ethernet provides a cost-effective alternative to SONET networks. For SyncE to work, every network element along the synchronization path must support SyncE. To implement SyncE, the Ethernet bit clock is aligned to a reliable clock traceable to a Primary Reference Clock (PRC).

SyncE is implemented on an ES+ card for Cisco 7600 series routers. An ES+ card has a dedicated external interface, known as the BITS interface, to recover the clock from a Synchronization Supply Unit (SSU). The 7600 router uses this clock for SyncE. The BITS interface supports E1 (European SSU) and T1 (American BITS) framing. Table 4-1 lists the framing modes for the BITS port on an ES+ card:

Table 4-1 Framing Modes for BITS Port on an ES+ card

BITS/SSU port    Framing modes supported    Tx Port    Rx Port
T1               T1 ESF                     Yes        Yes
T1               T1 SF                      Yes        Yes
E1               E1 CRC4                    Yes        Yes
E1               E1 FAS                     Yes        Yes
E1               E1 CAS                     No         Yes
E1               E1 CAS CRC4                No         Yes


You can implement SyncE on an ES+ card with four different configurations:

Clock Recovery from SyncE: The system clock is recovered from the SyncE clocking source (Gigabit and Ten Gigabit interfaces only). The router uses this clock as the Tx clock for other SyncE interfaces or for ATM/CEoP interfaces.

Clock Recovery from External Interface: The system clock is recovered from a BITS clocking source.

Line to External: The clock received from an Ethernet interface is forwarded to an external SSU. The SyncE feature provides this path for clock cleanup. For a router in the middle of a synchronization chain, the received clock may have unacceptable wander and jitter. The router recovers the clock from the SyncE interface, converts it to the format required by the BITS interface, and sends it to an SSU through the BITS port. The SSU performs the cleanup and sends the clock back to the BITS interface. The cleaned-up clock received from the SSU is then used as the Tx clock for the SyncE ports. On the 7600 router, the interface from which the clock is recovered and the BITS port to the SSU must reside on the same ES+ card.

System to External: The system clock is used as the Tx clock for an external interface. By default, the system clock is not transmitted on the external interface.

The SyncE-enabled ES+ line card provides squelching, where an Alarm Indication Signal (AIS) is sent on the Tx interface if the clock source goes down. Squelching is implemented in two cases:

Line to external: If the line source goes down, an AIS is transmitted on the external interface to the SSU.

System to external: If the router loses all the clock sources, an AIS is sent on the external interface to the SSU.

Squelching is performed only towards an external device such as SSU or PRC.

You can have a maximum of six clock sources for a 7600 router and a maximum of 4 clock sources on an ES+ card. The clock source with the highest priority becomes the default clock source. You can manage the clock sources on an ES+ card by changing their priority. You can also manage synchronization on ES+ cards using the following management options:

Hold-off Time: If a clock source goes down, the router waits for the configured hold-off time before removing the source. By default, the hold-off time is 300 ms.

Wait to Restore: When a SyncE interface comes up, the router waits for a specific period before considering the interface as a synchronization source. By default, the value is 300 sec.

Force Switch: Forcefully select a synchronization source irrespective of whether the source is available or within the specified range.

Manual Switch: Forcefully select a synchronization source provided the source is available and within the range.

The ES+ is a family of fixed-port SyncE line cards supporting 20 and 40 Gbps of bandwidth for the 7600 series routers. The following ES+ cards support SyncE:

4x10G XFP ports (Longsword)

40x1G SFP ports (Urumi)

2x10G XFP ports (Gladius)

20x1G SFP ports (Katar)

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines when configuring SyncE on an ES40 line card:

If the network clock algorithm is enabled, all the ES+ cards on the router use the system clock as the Tx clock (synchronous mode) for their Ethernet interfaces. You cannot change the synchronous mode on a per-interface basis; the whole line card operates in the same mode.

On an ES+ card, you can have a maximum of 4 ports configured as clock source at a time.

For a 20x1 gigabit ES+ line card, you can select a maximum of two ports from each NPU.

For a 40x1 gigabit ES+ line card, you can select only one port from each NPU.

SSM and ESMC are not supported on SyncE.

You can configure a maximum of 6 ports as a clock source for a Cisco 7600 router.

Line to external for clock cleanup is supported only if the line interface and the external (BITS) interface are on the same ES+ line card.

The SyncE feature is SSO co-existent but not SSO compliant. The clock selection algorithm restarts on a switchover, and during the switchover the router enters holdover mode.

You cannot run the network-clock based clock selection algorithm and the new algorithm simultaneously; the two algorithms are mutually exclusive.

Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card

This section describes how to configure SyncE for the Cisco 7600 router. SyncE is implemented on the Cisco 7600 router using four different configurations:

Configuring the Clock Recovery from SyncE

Configuring the Clock Recovery from BITS Port

Configuring the System to External

Configuring the Line to External

Configuring the Clock Recovery from SyncE

This section describes how to configure SyncE on an ES+ card on the Cisco 7600 router using the clock recovery from SyncE method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

network-clock synchronization automatic

Example:

Router(config)# network-clock synchronization automatic

Enables the network clock selection algorithm. This command disables the Cisco specific network-clock process and turns on G.781 based automatic clock selection process.

Step 4 

network-clock synchronization ssm option {option_id {GEN1 | GEN2}}



Example:

Router(config)#network-clock synchronization ssm option 2 GEN1


Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe and is the default. The option_id value 2 refers to synchronization networks designed for the US.

Step 5 

network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}



Example:

Router(config)#network-clock input-source 1 interface TenGigabitEthernet7/1


Enables clock recovery from SyncE.

Step 6 

exit


Example:

Router(config)#exit

Exits the global configuration mode.

Examples

This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:

Router>enable
Router#configure terminal
Router(config)#network-clock synchronization automatic
Router(config)#network-clock synchronization ssm option 2 GEN1
Router(config)#network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)#exit

Configuring the Clock Recovery from BITS Port

This section describes how to configure SyncE on an ES+ card on the Cisco 7600 router using clock recovery from the BITS port.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

network-clock synchronization automatic

Example:

Router(config)# network-clock synchronization automatic

Enables the network clock selection algorithm. This command disables the Cisco specific network-clock process and turns on G.781 based automatic clock selection process.

Step 4 

network-clock synchronization ssm option {option_id {GEN1 | GEN2}}



Example:

Router(config)#network-clock synchronization ssm option 2 GEN1


Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe and is the default. The option_id value 2 refers to synchronization networks designed for the US.

Step 5 

network-clock input-source priority {interface interface_name slot/card/port | {external slot/card/port }}



Example:

Router(config)#network-clock input-source 1 External 7/0/0 t1 sf


Enables clock recovery from the BITS port.

Step 6 

exit


Example:

Router(config)#exit

Exits the global configuration mode.

Examples

This example shows how to configure clock recovery from the BITS port for Cisco 7600 Routers:

Router>enable
Router#configure terminal
Router(config)#network-clock synchronization automatic
Router(config)#network-clock synchronization ssm option 2 GEN1
Router(config)#network-clock input-source 1 External 7/0/0 t1 sf 
Router(config)#exit

Configuring the System to External

This section describes how to configure SyncE on an ES+ card on the Cisco 7600 router using the System to External method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m] }

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

network-clock synchronization automatic

Example:

Router(config)# network-clock synchronization automatic

Enables the network clock selection algorithm. This command disables the Cisco specific network-clock process and turns on G.781 based automatic clock selection process.

Step 4 

network-clock synchronization ssm option {option_id {GEN1 | GEN2}}



Example:

Router(config)#network-clock synchronization ssm option 2 GEN1


Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe and is the default. The option_id value 2 refers to synchronization networks designed for the US.

Step 5 

network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m] }



Example:

Router(config)#network-clock output-source system 1 external 4/0/0 t1 sf


Configures the system clock to be used as the Tx clock on the external interface.

Step 6 

exit

Example:

Router(config)#exit

Exits the global configuration mode.

Examples

This example shows how to configure system to external clocking for Cisco 7600 Routers:

Router>enable
Router#configure terminal
Router(config)#network-clock synchronization automatic
Router(config)#network-clock synchronization ssm option 2 GEN1
Router(config)#network-clock output-source system 1 external 4/0/0 t1 sf
Router(config)#exit

This example shows how to configure clock cleanup using an SSU (the line clock is sent to the SSU on the BITS port and the cleaned-up clock is recovered from the same port):

Router(config)#network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0 t1 sf
Router(config)#network-clock input-source 1 External 7/0/0 t1 sf

Configuring the Line to External

This section describes how to configure SyncE on an ES+ card on the Cisco 7600 router using the Line to External method.

SUMMARY STEPS

1. enable

2. configure terminal

3. network-clock synchronization automatic

4. network-clock synchronization ssm option option_Id Generation_Id

5. network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

network-clock synchronization automatic

Example:

Router(config)# network-clock synchronization automatic

Enables the network clock selection algorithm. This command disables the Cisco specific network-clock process and turns on G.781 based automatic clock selection process.

Step 4 

network-clock synchronization ssm option {option_id {GEN1 | GEN2}}



Example:

Router(config)#network-clock synchronization ssm option 2 GEN1


Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe and is the default. The option_id value 2 refers to synchronization networks designed for the US.

Step 5 

network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}



Example:

Router(config)#network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0


Configures the clock recovered from the line interface to be transmitted on the external (BITS) interface.

Step 6 

exit

Example:

Router(config)#exit

Exits the global configuration mode.

Examples

This example shows how to configure line to external clocking for Cisco 7600 Routers:

Router>enable
Router#configure terminal
Router(config)#network-clock synchronization automatic
Router(config)#network-clock synchronization ssm option 2 GEN1
Router(config)#network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)#network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0
Router(config)#exit

Managing Synchronization on ES+ Card

You can manage the synchronization on ES+ cards using the following management CLIs:

Wait to Restore: Use the network-clock wait-to-restore timer global command to set the wait-to-restore time. You can configure the wait-to-restore time between 0 and 86400 sec. The default value is 300 sec. The wait-to-restore timer can be set in global configuration mode and in interface configuration mode. The following example shows how to configure the wait-to-restore timer in global configuration mode:

Router(config)#network-clock wait-to-restore 10 global

The following example shows how to configure the wait-to-restore timer in interface configuration mode:

Router(config)#int ten 7/1
Router(config-if)#network-clock wait-to-restore 10

Hold-off Time: Use the network-clock hold-off timer global command to configure the hold-off time. You can configure the hold-off time to zero or to any value between 50 and 10000 ms. The default value is 300 ms. The following example shows how to configure the hold-off time:

Router(config)#network-clock hold-off 50 global

Force Switch: Use the network-clock switch force {interface interface_name slot/sub-slot/port | external slot/sub-slot/port} command to forcefully select a synchronization source irrespective of whether the source is available and within range. The following example shows how to configure a force switch:

Router(config)#network-clock switch force interface tenGigabitEthernet 7/1 t1

Manual Switch: Use the network-clock switch manual {interface interface_name slot/sub-slot/port | external slot/sub-slot/port} command to manually select a synchronization source, provided the source is available and within range. The following example shows how to configure a manual switch:

Router(config)#network-clock switch manual interface tenGigabitEthernet 7/1 t1

Clear Manual and Force Switch: Use the network-clock clear switch controller-id command to clear a manual or force switch. The following example shows how to clear a switch:

Router(config)#network-clock clear switch t0

Lock-out a Source: Use the network-clock set lockout {interface interface_name slot/card/port | external slot/card/port} command to lock out a clock source. A clock source flagged as locked out is not considered by the SyncE selection process. To clear the lock-out on a source, use the network-clock clear lockout {interface interface_name slot/card/port | external slot/card/port} command. The following example shows how to lock out a clock source:

Router(config)#network-clock set lockout interface tenGigabitEthernet 7/1

The following example shows how to clear the lock-out on a clock source:

Router(config)#network-clock clear lockout interface tenGigabitEthernet 7/1
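The management options listed above (priority, hold-off, wait-to-restore, lock-out, force switch and manual switch) interact in ways that are easy to get wrong when reading the show output after an event. The following Python model is an added example written for this guide; it is not Cisco code and does not reproduce the ES+ card's own selection algorithm. It assumes one global hold-off and wait-to-restore value, treats "Internal" as the holdover fallback with priority 251 as in the show output, ignores quality levels (the guide states SSM/ESMC are not supported here), and uses constructed interface names and timer values.

```python
"""Model of SyncE source selection with hold-off, wait-to-restore, lock-out,
and force/manual switch, as described in the guide. Added example, not Cisco
code; timer values and interface names are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

HOLD_OFF_DEFAULT_MS = 300         # guide default: 300 ms
WAIT_TO_RESTORE_DEFAULT_S = 300   # guide default: 300 sec


@dataclass
class ClockSource:
    name: str
    priority: int                          # lower value = preferred (Internal is 251)
    signal_ok: bool = True
    locked_out: bool = False
    failed_for_ms: int = 0                 # elapsed since the signal was lost
    restored_for_ms: Optional[int] = None  # elapsed since it came back; None = never failed


class ClockSelector:
    def __init__(self, hold_off_ms: int = HOLD_OFF_DEFAULT_MS,
                 wait_to_restore_s: int = WAIT_TO_RESTORE_DEFAULT_S) -> None:
        self.hold_off_ms = hold_off_ms
        self.wait_to_restore_ms = wait_to_restore_s * 1000
        # "Internal" stands in for the free-running/holdover clock of the show output
        self.sources: Dict[str, ClockSource] = {"Internal": ClockSource("Internal", 251)}
        self.forced: Optional[str] = None   # network-clock switch force ...
        self.manual: Optional[str] = None   # network-clock switch manual ...

    # --- nomination and signal events -------------------------------------
    def nominate(self, name: str, priority: int) -> None:
        self.sources[name] = ClockSource(name, priority)

    def signal_fail(self, name: str) -> None:
        src = self.sources[name]
        src.signal_ok, src.failed_for_ms, src.restored_for_ms = False, 0, None

    def signal_restore(self, name: str) -> None:
        src = self.sources[name]
        src.signal_ok, src.restored_for_ms = True, 0

    def advance(self, ms: int) -> None:
        """Advance the model clock by `ms` milliseconds; drives both timers."""
        for src in self.sources.values():
            if not src.signal_ok:
                src.failed_for_ms += ms
            elif src.restored_for_ms is not None:
                src.restored_for_ms += ms

    # --- operator commands --------------------------------------------------
    def set_lockout(self, name: str) -> None:
        self.sources[name].locked_out = True

    def clear_lockout(self, name: str) -> None:
        self.sources[name].locked_out = False

    def switch_force(self, name: str) -> None:
        self.forced, self.manual = name, None

    def switch_manual(self, name: str) -> None:
        self.manual, self.forced = name, None

    def clear_switch(self) -> None:
        self.forced = self.manual = None

    # --- selection ----------------------------------------------------------
    def _eligible(self, src: ClockSource) -> bool:
        if src.locked_out:
            return False
        if not src.signal_ok:
            # hold-off: a failed source is kept until the hold-off timer expires
            return src.failed_for_ms < self.hold_off_ms
        if src.restored_for_ms is not None:
            # wait-to-restore: a recovered source is ignored until the timer expires
            return src.restored_for_ms >= self.wait_to_restore_ms
        return True

    def selected(self) -> str:
        if self.forced is not None:
            return self.forced     # force switch ignores availability and range
        if self.manual is not None and self._eligible(self.sources[self.manual]):
            return self.manual     # manual switch holds only while the source is usable
        candidates = [s for s in self.sources.values() if self._eligible(s)]
        if not candidates:         # everything locked out or failed: holdover
            return "Internal"
        return min(candidates, key=lambda s: s.priority).name  # revertive, by priority


if __name__ == "__main__":
    sel = ClockSelector(hold_off_ms=50, wait_to_restore_s=10)  # values from the guide's examples
    sel.nominate("Te7/1", 1)
    sel.nominate("External 7/0/0", 2)
    print("initial:", sel.selected())
    sel.signal_fail("Te7/1")
    print("Te7/1 failed, inside hold-off:", sel.selected())
    sel.advance(50)
    print("hold-off expired:", sel.selected())
    sel.signal_restore("Te7/1")
    print("Te7/1 back, inside wait-to-restore:", sel.selected())
    sel.advance(10_000)
    print("wait-to-restore expired:", sel.selected())
```

Running the script walks through a failure and recovery on the highest-priority source and shows where the two timers keep the selection from flapping; the same object can then be driven with set_lockout, switch_manual and switch_force to see how each overrides automatic selection.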

Verification

Use the following commands to verify the SyncE configuration:

You can use the show network-clocks synchronization command to view a summary of the SyncE configuration:

Router#show network-clocks synchronization
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             *  - Synchronization source selected
             #  - Synchronization source force selected
             &  - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : TenGigabitEthernet7/1
Hold-off (global) : 50 ms
Wait-to-restore (global) : 10 sec
Revertive : Yes

Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
 Internal             NA          NA/Dis       251   NA     Dis      Dis
*Te7/1                NA          Sync/Dis     1     NA     Dis      Dis
 AT8/1/0              NA          NA/Dis       1     NA     Dis      Dis
 SONET 9/0/0          NA          NA/Dis       1     NA     Dis      Dis

You can use the show network-clocks synchronization detail command to view the detailed SyncE configuration:

Router#show network-clocks synchronization detail
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             *  - Synchronization source selected
             #  - Synchronization source force selected
             &  - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : TenGigabitEthernet7/1
Hold-off (global) : 50 ms
Wait-to-restore (global) : 10 sec
Revertive : Yes
Force Switch: FALSE
Manual Switch: FALSE
Number of synchronization sources: 3
sm(netsync_ql_dis NETCLK_QL_DISABLE), running yes, state 2A
Last transition recorded: (begin)-> 2A (src_rem)-> 2A


Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
 Internal             NA          NA/Dis       251   NA     Dis      Dis
*Te7/1                NA          Sync/Dis     1     NA     Dis      Dis
 AT8/1/0              NA          NA/Dis       1     NA     Dis      Dis
 SONET 9/0/0          NA          NA/Dis       1     NA     Dis      Dis

Interface:
---------------------------------------------
Local Interface: Internal
Signal Type: NA
Mode: NA(Ql-disabled)
ESMC/SSM Tx: Disable
ESMC/SSM Rx: Disable
Priority: 251
QL Receive: NA
QL Receive Configured: NA
QL Transmit: NA
QL Transmit Configured: NA
Hold-off: 50
Wait-to-restore: 10
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Local Interface: Te7/1
Signal Type: NA
Mode: Synchronous(Ql-disabled)
ESMC/SSM Tx: Disable
ESMC/SSM Rx: Disable
Priority: 1
QL Receive: NA
QL Receive Configured: NA
QL Transmit: NA
QL Transmit Configured: NA
Hold-off: 50
Wait-to-restore: 10
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
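The summary output above is what an operator checks after a change, and it is also what an automated audit would parse to catch a source that was force-switched and never cleared, or a T0 that no longer matches the intended interface. The following parser and audit are an added example written for this guide, not a Cisco tool; the sample text is the summary output shown above, embedded as a constructed string, and the audit ranges are the ones the guide gives for hold-off (0 or 50 to 10000 ms) and wait-to-restore (0 to 86400 sec).

```python
"""Parse 'show network-clocks synchronization' and audit it against an intended
state. Added example for this guide, not Cisco code. SAMPLE_OUTPUT is the
summary output reproduced from the guide as a constructed test input."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             *  - Synchronization source selected
             #  - Synchronization source force selected
             &  - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : TenGigabitEthernet7/1
Hold-off (global) : 50 ms
Wait-to-restore (global) : 10 sec
Revertive : Yes

Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
 Internal             NA          NA/Dis       251   NA     Dis      Dis
*Te7/1                NA          Sync/Dis     1     NA     Dis      Dis
 AT8/1/0              NA          NA/Dis       1     NA     Dis      Dis
 SONET 9/0/0          NA          NA/Dis       1     NA     Dis      Dis
"""


@dataclass
class NominatedInterface:
    name: str
    marker: str      # '*' selected, '#' force selected, '&' manually switched, '' none
    sig_type: str
    mode_ql: str
    priority: int
    ql_in: str
    esmc_tx: str
    esmc_rx: str


# "Key : value" lines of the summary block; legend lines start with whitespace
KV_RE = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(.*)$")
# One table row; the interface name may contain a space (e.g. "SONET 9/0/0"),
# so it is taken lazily up to the first run of two or more spaces
ROW_RE = re.compile(r"^([*#&]?)\s*(.+?)\s{2,}(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_network_clocks(text: str) -> dict:
    summary: Dict[str, str] = {}
    rows: List[NominatedInterface] = []
    in_table = False
    for line in text.splitlines():
        if line.strip() == "Nominated Interfaces":
            in_table = True
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:  # the column header has no numeric Prio field and is skipped
                marker, name, sig, mode, prio, ql_in, tx, rx = m.groups()
                rows.append(NominatedInterface(name.strip(), marker, sig, mode, int(prio), ql_in, tx, rx))
            continue
        m = KV_RE.match(line)
        if m and m.group(1) != "Symbols":
            summary[m.group(1)] = m.group(2).strip()
    return {"summary": summary, "interfaces": rows}


def _leading_int(value: str) -> Optional[int]:
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def audit(parsed: dict, expected_t0: str) -> List[str]:
    """Return findings; an empty list means the output matches the intended state."""
    s, rows = parsed["summary"], parsed["interfaces"]
    findings: List[str] = []
    if s.get("Automatic selection process") != "Enable":
        findings.append("automatic selection process is not enabled")
    if s.get("T0") != expected_t0:
        findings.append(f"T0 is {s.get('T0')!r}, expected {expected_t0!r}")
    selected = [r for r in rows if r.marker]
    if len(selected) != 1:
        findings.append(f"{len(selected)} interfaces carry a selection marker, expected 1")
    elif selected[0].marker != "*":
        how = "force" if selected[0].marker == "#" else "manually"
        findings.append(f"{selected[0].name} is {how} switched, not automatically selected")
    hold = _leading_int(s.get("Hold-off (global)", ""))
    if hold is None or not (hold == 0 or 50 <= hold <= 10000):
        findings.append(f"hold-off {hold} outside the documented range (0 or 50-10000 ms)")
    wtr = _leading_int(s.get("Wait-to-restore (global)", ""))
    if wtr is None or not 0 <= wtr <= 86400:
        findings.append(f"wait-to-restore {wtr} outside the documented range (0-86400 sec)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_network_clocks(SAMPLE_OUTPUT)
    print("T0:", parsed["summary"]["T0"])
    for row in parsed["interfaces"]:
        print(f"{row.marker or ' '} {row.name:<14} prio {row.priority}")
    print("findings:", audit(parsed, "TenGigabitEthernet7/1") or "none")
```

Feeding the command's output captured from a device into parse_show_network_clocks and then audit with the intended T0 turns the verification step into a repeatable check; a lingering force or manual switch shows up as a finding because the selected row carries '#' or '&' instead of '*'.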

Flexible QinQ Mapping and Service Awareness

Flexible QinQ Mapping and Service Awareness allows service providers to offer triple-play services, residential Internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.

The access node connects to the DSLAM through the Cisco 7600 Series ES+ line cards. This provides a flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to different services.

Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards is supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

Figure 4-1 shows a typical metro architecture where the access router facing the DSLAM provides VLAN translation (selective QinQ) and grooming functionality, and where the service routers (SR) provide QinQ termination into a Layer 2 or Layer 3 service.

Figure 4-1

Metro Architecture

Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards provides the following functionality:

VLAN connect with local significance (VLAN local switching)

Single tag Ethernet local switching, where received dot1q-tagged traffic from one port is cross-connected to another port by changing the tag. This is a 1-to-1 mapping service and no MAC learning is involved.

Double tag Ethernet local switching, where received double-tagged traffic from one port is cross-connected to another port by changing both tags. The mapping of each double tag combination to the cross-connect is 1-to-1. No MAC learning is involved.

Hairpinning (EFPs in the same port).


Note Connect service does not support identifying BPDU packets.


Selective QinQ (1-to-2 translation)

xconnect—Selective QinQ adds an outer tag to the received dot1q traffic and then tunnels it to the remote end with Layer 2 switching or EoMPLS.

Layer 2 switching—Selective QinQ adds an outer tag to the received dot1q traffic and then performs Layer 2 switching, allowing an SVI based on the outer tag to be used for configuring additional services.

Double tag translation (2-to-2 translation) Layer 2 switching—Both received tags are popped and two new tags are pushed.

Double tag termination (2-to-1 tag translation)

Ethernet MultiPoint Bridging over Ethernet (MPBE)—The incoming double tag is uniquely mapped to a single dot1q tag that is then used to do MPBE.

Double tag MPBE—The ingress line card uses the double tags in the ingress packet to look up the bridging VLAN. The double tags are popped, and the egress line card adds new double tags and sends the packet out.

Double tag routing—Same as regular dot1q tag routing except that double tags are used to identify the hidden VLAN.

Local VLAN significance—VLAN tags are significant only to the port.

For the Cisco 7600 Series ES+ line card, the subinterface gets a hidden VLAN (a VLAN that is not configured and is allocated internally) associated to the subinterface. The hidden VLAN number has no correlation with the encapsulation VLAN (the VLAN visible to the user or in the wire). Because the encapsulation is local to the port, you can have the same encapsulation VLAN in multiple ports.

Scalable EoMPLS VC—Single tag packets are sent across the tunnel.

QinQ policing and QoS

Layer 2 protocol data unit (PDU) packet

With the connect and xconnect commands, Layer 2 PDUs are forwarded transparently regardless of whether they are tagged or untagged.

With the bridge-domain command, tagged Layer 2 PDUs are dropped by default, and untagged Layer 2 PDUs are treated according to the physical port configuration. (With an untagged service instance under the bridge-domain command, the CPU stops the PDU depending on the configuration.) When the feature is configured on the EFP, the EFP passes the BPDU to the feature, which makes the decision accordingly.
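The tag operations listed above (push for selective QinQ, pop, and the 1-to-1, 2-to-1, 1-to-2 and 2-to-2 translations) all act on the VLAN tag stack of a frame, and the symmetric keyword means the reverse operation is applied on egress. The following Python model is an added example written for this guide, not Cisco code and not the ES+ forwarding path; it models an EFP as an encapsulation match plus one symmetric ingress rewrite, and the VLAN IDs (40, 42 from the guide's encapsulation example; 10, 20, 100, 200 constructed) are illustrative.

```python
"""Model of EFP encapsulation matching and symmetric 'rewrite ingress tag'
operations on a VLAN tag stack. Added example for this guide, not Cisco code.
VLAN IDs used in the demo are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tag:
    tpid: str   # "dot1q" or "dot1ad"
    vid: int


@dataclass(frozen=True)
class Frame:
    tags: Tuple[Tag, ...]   # outermost tag first; () means untagged
    payload: bytes = b"constructed payload"


@dataclass(frozen=True)
class Rewrite:
    op: str                        # "push" | "pop" | "translate"
    pops: int = 0                  # tags removed from the top of the stack on ingress
    pushes: Tuple[Tag, ...] = ()   # tags added on ingress, outermost first

    @staticmethod
    def push(*tags: Tag) -> "Rewrite":
        return Rewrite("push", 0, tags)

    @staticmethod
    def pop(n: int) -> "Rewrite":
        return Rewrite("pop", n, ())

    @staticmethod
    def translate(spec: str, *tags: Tag) -> "Rewrite":
        """spec is '1-to-1', '2-to-1', '1-to-2' or '2-to-2'."""
        pops, pushes = (int(x) for x in spec.split("-to-"))
        if len(tags) != pushes:
            raise ValueError(f"translate {spec} needs {pushes} new tag(s), got {len(tags)}")
        return Rewrite("translate", pops, tags)


@dataclass(frozen=True)
class ServiceInstance:
    efp_id: int
    encapsulation: Tuple[Tag, ...]       # outer tags the EFP matches, outermost first
    rewrite: Optional[Rewrite] = None    # always treated as 'symmetric' here

    def matches(self, frame: Frame) -> bool:
        n = len(self.encapsulation)
        return frame.tags[:n] == self.encapsulation

    def ingress(self, frame: Frame) -> Frame:
        if not self.matches(frame):
            raise ValueError(f"frame {frame.tags} does not match EFP {self.efp_id}")
        rw = self.rewrite
        if rw is None:
            return frame
        if rw.pops > len(frame.tags):
            raise ValueError("pop count exceeds the frame's tag stack")
        return Frame(rw.pushes + frame.tags[rw.pops:], frame.payload)

    def egress(self, frame: Frame) -> Frame:
        """Symmetric rewrite: remove what ingress pushed, restore what it popped."""
        rw = self.rewrite
        if rw is None:
            return frame
        n = len(rw.pushes)
        if frame.tags[:n] != rw.pushes:
            raise ValueError("egress frame does not carry the tags this EFP pushed")
        return Frame(self.encapsulation[:rw.pops] + frame.tags[n:], frame.payload)


def local_connect(a: ServiceInstance, b: ServiceInstance, frame: Frame) -> Frame:
    """Point-to-point 'connect' between two EFPs: ingress rewrite on a, egress
    rewrite on b. No MAC learning is involved, as the guide states."""
    return b.egress(a.ingress(frame))


def q(vid: int) -> Tag:
    return Tag("dot1q", vid)


if __name__ == "__main__":
    # double tag termination (2-to-1): 40/42 in, single tag 100 toward the service
    term = ServiceInstance(101, (q(40), q(42)), Rewrite.translate("2-to-1", q(100)))
    inner = term.ingress(Frame((q(40), q(42))))
    print("2-to-1 ingress:", [t.vid for t in inner.tags], "egress:", [t.vid for t in term.egress(inner).tags])
    # selective QinQ: push an outer tag on customer VLAN 10
    sel = ServiceInstance(102, (q(10),), Rewrite.push(q(200)))
    print("push ingress:", [t.vid for t in sel.ingress(Frame((q(10),))).tags])
    # single tag VLAN connect between two EFPs, each popping its own tag
    a, b = ServiceInstance(1, (q(10),), Rewrite.pop(1)), ServiceInstance(2, (q(20),), Rewrite.pop(1))
    print("connect 10 -> 20:", [t.vid for t in local_connect(a, b, Frame((q(10),))).tags])
```

The egress method is where the symmetric keyword earns its name: because the EFP remembers which tags it matched, a popped tag can be re-pushed on the return path, and a frame that reaches egress without the tags the EFP pushed is rejected rather than silently re-tagged.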

Restrictions and Usage Guidelines

When configuring Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards, follow these restrictions and usage guidelines:

Service Scalability:

Service Instances: 16,000

Input matching pairs: 8,000

Bridge domains: 4,000

Local switching: 32,000

Xconnect: 16,000

Subinterface: 2,000

QoS Scalability:

Shaping: parent queue is 2,000 and child queue is 16,000

Marking: parent queue is 2,000 and child queue is 16,000

Maximum number of child queues (leaf) supported for ES+T line card is 16 per port in each direction (ingress and egress).

Modular QoS CLI (MQC) actions supported include:

Shaping

Bandwidth

Two priority queues per policy

The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner cos command

WRED aggregate

Queue-limit

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. service instance id ethernet [service-name]

5. encapsulation dot1q vlan-id

6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

slot/port—Specifies the location of the interface.

Step 4 

service instance id ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Examples

Single Tag VLAN Connect

In this example, an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with a dot1q tag of 11. No MAC learning is involved.


Note Because there is a VLAN translation end to end, Layer 2 protocols need to be carefully considered. Typically, the use case has both sides on the same encapsulation.



! DSLAM facing port
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connect service (global configuration command)
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101

Double Tag VLAN Connect

In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with an outer dot1q tag of 11 and inner tag 21. No MAC learning is involved.


! DSLAM facing port
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! connect service (global configuration command)
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101

Selective QinQ with Xconnect

This configuration uses EoMPLS under single tag subinterface to perform packet forwarding.


! PE with loopback 1.1.1.1: DSLAM facing port
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
!
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255
! MPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp

! Remote PE with loopback 2.2.2.2: MPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.2 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
!
Router(config)# interface Loopback1
Router(config-if)# ip address 2.2.2.2 255.255.255.255

! Remote PE: CE facing EoMPLS configuration
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect

Selective QinQ with Layer 2 Switching

This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism is the same as MPBE; only the rewrites for each service instance are different.


! DSLAM facing port, single tag incoming
Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11
! QinQ VLAN
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

Double Tag Translation (2-to-2 Tag Translation)

In this case, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge domain VLAN.


! QinQ facing port
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200
! QinQ VLAN
! 
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# bridge-domain 200

Double Tag Termination (2 to 1 Tag Translation)

This example falls under the Layer 2 switching case.


! Double tag traffic
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet 1/3
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
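The tag manipulations used in the examples above (pop, push and the translate forms with the symmetric keyword), modelled as an added illustration in Python; this is not code from the Cisco guide, and all function names are mine. It assumes the tag stack is a list with the outer tag first and that symmetric means the egress direction applies the inverse of the ingress operation.

```python
"""Added model of `rewrite ingress tag ... symmetric` on an ES+ service instance.

A frame's VLAN tag stack is a list with the outer tag first. The ingress
operation is applied as written; `symmetric` means the egress direction
applies the inverse operation, restoring the tags the ingress side removed.
dot1ad outer tags are accepted but the TPID difference is not modelled.
"""
import re
from typing import Dict, List, Tuple

Tags = List[int]


def parse_rewrite(cmd: str) -> Tuple[str, Dict[str, object]]:
    """Parse e.g. 'rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetric'
    into ('translate', {'pop': 2, 'tags': [200, 20]})."""
    toks = cmd.split()
    if toks[:3] != ["rewrite", "ingress", "tag"] or toks[-1] != "symmetric":
        raise ValueError("only 'rewrite ingress tag ... symmetric' is modelled")
    body = toks[3:-1]
    op = body[0]
    # VLAN ids follow the dot1q / dot1ad / second-dot1q keywords, outer first
    vlans = [int(t) for t in body[1:] if t.isdigit()]
    if op == "pop":
        return op, {"count": int(body[1])}
    if op == "push":
        return op, {"tags": vlans}
    if op == "translate":
        m = re.fullmatch(r"([12])-to-([12])", body[1])
        if not m or int(m.group(2)) != len(vlans):
            raise ValueError(f"malformed translate operation: {' '.join(body)}")
        return op, {"pop": int(m.group(1)), "tags": vlans}
    raise ValueError(f"unknown rewrite operation: {op}")


def ingress(received: Tags, cmd: str) -> Tags:
    """Tag stack after the ingress rewrite of a frame carrying `received`."""
    op, p = parse_rewrite(cmd)
    if op == "pop":
        if len(received) < p["count"]:
            raise ValueError("pop count exceeds the tags present on the frame")
        return received[p["count"]:]
    if op == "push":
        return p["tags"] + received
    # translate n-to-m: pop n received tags, push the m configured ones
    if len(received) < p["pop"]:
        raise ValueError("translate pops more tags than the frame carries")
    return p["tags"] + received[p["pop"]:]


def egress(tags: Tags, cmd: str, received: Tags) -> Tags:
    """Symmetric egress rewrite: strip what ingress pushed and put back the
    tags it popped, taken from `received` (the values the service instance's
    encapsulation matched on ingress)."""
    op, p = parse_rewrite(cmd)
    if op == "pop":
        return received[:p["count"]] + tags
    pushed = p["tags"]
    if tags[:len(pushed)] != pushed:
        raise ValueError("egress frame does not carry the tags ingress pushed")
    restored = received[:p["pop"]] if op == "translate" else []
    return restored + tags[len(pushed):]


def round_trip(received: Tags, cmd: str) -> Tuple[Tags, Tags]:
    """Apply ingress, then symmetric egress; returns (after_ingress, after_egress)."""
    inner = ingress(received, cmd)
    return inner, egress(inner, cmd, received)
```

Running round_trip on the double tag translation example ([100, 10] with translate 2-to-2 dot1q 200 second-dot1q 20) yields [200, 20] after ingress and the original [100, 10] again after egress.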

Verification

Use the following commands to verify operation.

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detailed option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Router# show mpls l2 vc detail

Displays detailed information related to the virtual connection (VC).

Router# show mpls forwarding

Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB).

Note Output should have the label entry l2ckt.

Router# show connect

Displays statistics and other information about Frame-Relay-to-ATM Network Interworking (FRF.5) and Frame Relay-to-ATM Service Interworking (FRF.8) connections.

Router# show xconnect

Displays information about xconnect attachment circuits and pseudowires.


Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards

MultiPoint Bridging over Ethernet (MPBE) on Cisco 7600 Series ES+ line cards provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain traffic packets from one service instance to another. Filtering occurs before and after the rewrite to ensure that the packet goes only to the intended service instance.

You can use MPBE to:

Simultaneously configure Layer 2 and Layer 3 services such as Layer 2 VPN, Layer 3 VPN, and Layer 2 bridging on the same physical port.

Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can be in the same physical port or in different ports.

Configure multiple service instances with different encapsulations and map them to a single bridge domain.

Perform local switching between service instances under the same bridge domain.

Perform local switching across different physical interfaces using service instances that are part of the same bridge domain.

Replicate flooded packets from the core to all service instances under the bridge domain.

Configure a Layer 2 tunneling service or Layer 3 terminating service under the bridge domain VLAN.

MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:

Single tag termination

Single tag tunneling

Single tag translation

Double tag termination

Double tag tunneling

Double tag translation

Selective QinQ translation

Restrictions and Usage Guidelines

When configuring MPBE on Cisco 7600 Series ES+ line cards, follow these restrictions and usage guidelines:

Each service instance is considered as a separate circuit under the bridge-domain.

Encapsulation can be dot1q or QinQ packets.

440 MPB VCs are supported under one bridge-domain (110 per network processor).

IGMP snooping is supported with MPB VCs as long as the service instance is terminated on the bridge-domain (must pop all tags, symmetric).

Split Horizon is supported with MPB VCs.

Untagged BPDU packets can be peered, dropped, or forwarded as data.

Tagged BPDU packets can be dropped or forwarded as data.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. [no] service instance id {Ethernet [service-name]}

5. encapsulation dot1q vlan-id [second-dot1q vlan-id]

6. [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

7. [no] bridge-domain bridge-id

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

slot/port—Specifies the location of the interface.

Step 4 

[no] service instance id {Ethernet [service-name]}

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id [second-dot1q vlan-id]

Example:

Router(config-if-srv)# encapsulation dot1q 10

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

[no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag push dot1q 200 symmetric

This command specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Note If this command is not configured, then the frame is left intact on ingress (the service instance is equivalent to a trunk port).

Step 7 

[no] bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Examples

Single Tag Termination Example

In this example, the single tag termination identifies customers based on a single VLAN tag and maps the single-VLAN tag to the bridge-domain.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 12

Single Tag Tunneling Example

In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 200

Single Tag Translation Example

In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 3/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Router(config-if-srv)# bridge-domain 200

Double Tag Tunneling Example

In this double tag tunneling example, the incoming VLAN tags are not removed but continue with the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# bridge-domain 200

Double Tag Termination Configuration Example

In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN; the double tags are stripped (terminated) from the packet.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200

Double-Tag Translation Configuration Example

In this example, double tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer-2-switched to the bridge-domain VLAN.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second-dot1q 30 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200

Selective QinQ Configuration Example

In this example, a range of VLANs is configured and plugged into a single MPB VC.

Router# enable
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200

Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200

Untagged Traffic Configuration Example

In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# bridge-domain 11
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

MPBE with Split Horizon Configuration Example

In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from which the traffic originated.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if)# service instance 1001 ethernet
Router(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30
Router(config-if-srv)# bridge-domain 101 split-horizon
Router(config-if)# service instance 1010 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# rewrite ingress tag translate 1-to-2 dot1q 10 second-dot1q 100 symmetric
Router(config-if-srv)# bridge-domain 10 split-horizon
Router(config-if)# mls qos trust dscp

In this example, service instances are configured on Ethernet interfaces and terminated on the bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 1000
Router(config-if-srv)# bridge-domain 10

Router(config)# interface GigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 10
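An added model of an MPBE bridge domain, written in Python for this page and not code from the Cisco guide, covering the Selective QinQ, tunneling and split-horizon examples above: EFPs classify frames by their encapsulation criteria, the domain learns source MACs per EFP and floods unknown unicast to the other EFPs. It assumes the standard EVC rule that EFPs sharing a split-horizon group do not forward to each other, which goes beyond the page's one-sentence description of split horizon; tag rewrites are left out, and all class and function names are mine.

```python
"""Added model of an MPBE bridge domain built from EVC service instances.

Each service instance (EFP) matches frames by its encapsulation criteria (a
dot1q VLAN list or range, an optional second-dot1q list, range or `any`, or
`untagged`) and belongs to one bridge domain. The domain learns source MACs
per EFP, delivers known unicast to the EFP it was learned on and floods the
rest to every other EFP, skipping EFPs in the same split-horizon group as the
ingress EFP. Tag rewrites are not modelled: the EFPs tunnel tags unchanged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EfpKey = Tuple[str, int]  # (port, service instance id)


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """'10-20,30,50-60' -> {10, ..., 20, 30, 50, ..., 60}; 'any' -> None."""
    if spec == "any":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass
class Efp:
    """One `service instance` on a port with its encapsulation criteria."""
    port: str
    instance_id: int
    encapsulation: str  # e.g. 'dot1q 10-20' or 'dot1q 100 second-dot1q any'
    split_horizon: bool = False  # bridge-domain N split-horizon

    @property
    def key(self) -> EfpKey:
        return (self.port, self.instance_id)

    def matches(self, tags: List[int]) -> bool:
        """Does a frame with this tag stack (outer tag first) map to this EFP?"""
        toks = self.encapsulation.split()
        if toks == ["untagged"]:
            return not tags
        if toks[0] != "dot1q" or len(toks) not in (2, 4):
            raise ValueError(f"unsupported encapsulation: {self.encapsulation}")
        outer = parse_vlan_list(toks[1])
        if not tags or (outer is not None and tags[0] not in outer):
            return False
        if len(toks) == 2:
            return True  # single-tag criteria: any inner tag rides as payload
        if toks[2] != "second-dot1q":
            raise ValueError(f"unsupported encapsulation: {self.encapsulation}")
        inner = parse_vlan_list(toks[3])
        return len(tags) >= 2 and (inner is None or tags[1] in inner)


@dataclass
class BridgeDomain:
    bd_id: int
    efps: List[Efp] = field(default_factory=list)
    mac_table: Dict[str, EfpKey] = field(default_factory=dict)

    def classify(self, port: str, tags: List[int]) -> Optional[Efp]:
        """Pick the EFP on `port` whose encapsulation matches the frame."""
        return next((e for e in self.efps if e.port == port and e.matches(tags)), None)

    def forward(self, port: str, tags: List[int], src: str, dst: str) -> List[EfpKey]:
        """Learn `src` behind the ingress EFP and return the EFPs the frame is
        delivered to ([] if no EFP on `port` matches, or if dst was learned
        behind the ingress EFP itself)."""
        ingress = self.classify(port, tags)
        if ingress is None:
            return []
        self.mac_table[src] = ingress.key
        learned = self.mac_table.get(dst)
        if learned is not None:
            return [] if learned == ingress.key else [learned]
        # unknown unicast, multicast or broadcast: flood within the domain,
        # never back to the ingress EFP or to its split-horizon peers
        return [e.key for e in self.efps
                if e.key != ingress.key
                and not (ingress.split_horizon and e.split_horizon)]
```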

Verification

Use the following commands to verify operation.

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Router# show ethernet service instance summary

Displays overall EVC count as well as individual interface EVC count.


Backup Interface for Flexible UNI

The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.

You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs are designated as primary and backup and have identical configurations. If the primary interface fails, the service is automatically transferred to the backup interface.

Figure 4-2 shows an example of how Flexible UNIs can be used when the Cisco 7600 series router is configured as a dual-homed N-PE (NPE1) and as a dual-homed U-PE (UPE2).

Figure 4-2 Backup Interface for Dual-Homed Devices


Note The configurations on the primary and backup interfaces must be identical.


The primary interface is the interface for which you configure a backup. During operation, the primary interface is active and the backup (secondary) interface operates in standby mode. If the primary interface goes down (due to loss of signal), the router begins using the backup interface.

While the primary interface is active (up) the backup interface is in standby mode. If the primary interface goes down, the backup interface transitions to the up state and the router begins using it in place of the primary. When the primary interface comes back up, the backup interface transitions back to standby mode. While in standby mode, the backup interface is effectively down and the router does not monitor its state or gather statistics for it.

This feature provides the following benefits:

Supports the following Ethernet virtual circuit (EVC) features:

Frame matching: EVC with any supported encapsulation (Dot1q, default, untagged).

Frame rewrite: Any supported (ingress and egress with push, pop, and translate).

Frame forwarding: MultiPoint Bridging over Ethernet (MPBE), xconnect, connect.

Quality of Service (QoS) on EVC.

Supports Layer 3 (L3) termination.

Supports several types of uplinks: MultiProtocol Label Switching (MPLS), Virtual Private LAN Service (VPLS), and switchports.

The Backup Interface for Flexible UNI feature makes use of these Ethernet components:

Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network. For more information about EVCs, see the "Flexible QinQ Mapping and Service Awareness" section.

Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface. An EVC that uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of every device that the EVC passes through.

Restriction and Usage Guidelines

Observe these restrictions and usage guidelines as you configure a backup interface for Flexible UNI on the router:

Hardware and software support:

Supported on the Cisco 7600 Series ES+ line cards.

Supported with the Route Switch Processor 720, Supervisor Engine 720, and Supervisor Engine 32.

Requires Cisco IOS Release 12.2(33)SRD or later.

You can use the same IP address on both the primary and secondary interfaces. This enables the interface to support L3 termination (single or double tagged).

The configurations on the primary and backup interfaces must match. The router does not check that the configurations match; however, the feature does not work if the configurations are not the same.


Note If the configuration includes the xconnect command, you must specify a different VCID on the primary and backup interfaces.


The duplicate resources needed for the primary and secondary interfaces are taken from the total resources available on the router and thus affect available resources. For example, each xconnect command consumes resources on both the primary and backup interfaces.

Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect, and connect commands) transition up or down as the interface itself transitions between states.

Switchover time between primary and backup interfaces is best effort. The time it takes the backup interface to transition from standby to active mode depends on the link-state detection time and the amount of time needed for EVCs and their features to transition to the up state.

Configuration changes and administrative actions made on the primary interface are automatically reflected on the backup interface.

The router monitors and gathers statistics for the active interface only, not the backup. During normal operation, the primary interface is active; however, if the primary goes down, the backup becomes active and the router begins monitoring and gathering statistics for it.

When the primary interface comes back up, the backup interface always transitions back to standby mode. Once the signal is restored on the primary interface, there is no way to prevent the interface from being restored as the primary.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type slot/port

4. backup interface type interface


Note You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the "Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards" section and the "Configuring Any Transport over MPLS" section on page 6-1.


5. (Optional) backup delay enable-delay disable-delay

6. (Optional) backup load enable-percent disable-percent

7. exit

8. (Optional) connect primary interface srv-inst interface srv-inst

9. (Optional) connect backup interface srv-inst interface srv-inst

10. (Optional) connect primary interface srv-inst1 interface srv-inst2

11. (Optional) connect backup interface srv-inst1 interface srv-inst2

12. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# interface type slot/port
Example:

Router(config)# interface gigabitethernet 3/1

Selects the primary interface. This is the interface you are creating a backup interface for. For example, interface gigabitEthernet 3/1 selects the interface for port1 of the Gigabit Ethernet card installed in slot 3.

type specifies the interface type. Valid values are gigabitethernet or tengigabitethernet.

slot/port specifies the location of the interface.

Step 4 

Router(config-if)# backup interface type interface

Example:

Router(config-if)# backup interface gigabitethernet 4/1

Selects the interface to serve as a backup interface.

Note You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the "Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards" section and the "Configuring Any Transport over MPLS" section on page 6-1.

Step 5 

Router(config-if)# backup delay enable-delay disable-delay
Example:

Router(config-if)# backup delay 0 0

(Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.

enable-delay is the amount of time to wait after the primary interface goes down before bringing up the backup interface.

disable-delay is the amount of time to wait after the primary interface comes back up before restoring the backup interface to the standby (down) state.

Note For the backup interface for Flexible UNI feature, do not change the default delay period (0 0) or the feature may not work correctly.

Step 6 

Router(config-if)# backup load enable-percent disable-percent

Example:

Router(config-if)# backup load 50 10

(Optional) Specifies the thresholds of traffic load on the primary interface (as a percentage of the total capacity) at which to enable and disable the backup interface.

enable-percent—Activate the backup interface when the traffic load on the primary exceeds this percentage of its total capacity.

disable-percent—Deactivate the backup interface when the combined load of both primary and backup returns to this percentage of the primary's capacity.

Applying the settings from the example to a primary interface with 10-Mbyte capacity, the router enables the backup interface when traffic load on the primary exceeds 5 Mbytes (50%), and disables the backup when combined traffic on both interfaces falls below 1 Mbyte (10%).

Step 7 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 8 

Router(config)# connect primary interface srv-inst interface srv-inst

Example:

Router(config)# connect primary gi3/2 gi3/3

(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.

The connect primary command creates a connection between primary interfaces.

Step 9 

Router(config)# connect backup interface srv-inst interface srv-inst

Example:

Router(config)# connect backup gi4/2 gi4/2

(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.

The connect backup command creates a connection between backup interfaces.

Step 10 

Router(config)# connect primary interface srv-inst1 interface srv-inst2

Example:

Router(config)# connect primary gi3/2 gi3/3

(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.

Use the connect primary command to create a connection on a primary interface.

Step 11 

Router(config)# connect backup interface srv-inst1 interface srv-inst2

Example:

Router(config)# connect backup gi4/2 gi4/3

(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.

Use the connect backup command to create a connection on a backup interface.

Step 12 

exit

Example:

Router(config)# exit

Exits global configuration mode.

The following example shows a sample configuration in which:

gi3/1 is the primary interface and gi4/1 is the backup interface.

Each interface supports two service instances (2 and 4), and each service instance uses a different type of forwarding (bridge-domain and xconnect).

The xconnect command for service instance 2 uses a different VCID on each interface.


Router# enable
Router# configure terminal
Router(config)# interface gi3/1
Router(config-if)# backup interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 2 encap mpls

Router(config)# interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 5 encap mpls

Verification

This section lists the commands to display information about the primary and backup interfaces configured on the router. In the examples that follow, the primary interface is gi3/1 and the secondary (backup) interface is gi3/11.

To display a list of backup interfaces, use the show backup command in privileged EXEC mode. Our sample output shows a single backup (secondary) interface:


Router# show backup 
Primary Interface     Secondary Interface    Status
-----------------     -------------------    ------
GigabitEthernet 3/1  GigabitEthernet 3/11  normal operation


To display information about a primary or backup interface, use the show interfaces command in privileged EXEC mode. Issue the command on the interface for which you want to display information. The following examples show the output displayed when the command is issued on the primary (gi3/1) and backup (gi3/11) interfaces:


Router# show interface gi3/1 
GigabitEthernet3/1 is up, line protocol is up (connected)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet 3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
[...]

Router# show interface gi3/11 
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)

If the primary interface goes down, the backup (secondary) interface is transitioned to the up state, as shown in the command output that follows. Notice how the command output changes if you reissue the show backup and show interfaces commands at this time: the show backup status changes, the line protocol for gi3/1 is now down (notconnect), and the line protocol for gi3/11 is now up (connected).


Router# !!! Link gi3/1 (active) goes down...
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up

Router# show backup      
Primary Interface     Secondary Interface    Status
-----------------     -------------------    ------
GigabitEthernet3/1  GigabitEthernet3/11  backup mode

Router# show interface gi3/1 
GigabitEthernet3/1 is down, line protocol is down (notconnect)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,

Router# show interface gi3/11 
GigabitEthernet3/11 is up, line protocol is up (connected)
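The outputs above are what an operator reads by hand. The following Python script is an added example (it is not part of this guide and not Cisco software) that parses show backup and the %LINK UPDOWN syslog lines in the formats shown in this section, so that a monitoring job can report which primary/backup pairs have failed over and whether the log corroborates the state. The show backup table and log lines are constructed from the outputs shown here; the second primary/backup pair (gi4/1 and gi4/11) is invented for contrast.

```python
import re

# Constructed sample: the show backup table from this section plus an invented
# second pair that is still in normal operation. Note that the router prints the
# interface name both with and without a space before the slot.
SHOW_BACKUP = """\
Primary Interface     Secondary Interface    Status
-----------------     -------------------    ------
GigabitEthernet3/1  GigabitEthernet3/11  backup mode
GigabitEthernet 4/1  GigabitEthernet 4/11  normal operation
"""

# Constructed sample: the syslog lines shown when gi3/1 goes down.
SYSLOG = """\
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(normal operation|backup mode)$")
LINK_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %LINK-\S+-UPDOWN: Interface (?P<intf>\S+), "
    r"changed state to (?P<state>up|down)$"
)


def normalize_name(text):
    """Collapse 'GigabitEthernet 3/1' to 'GigabitEthernet3/1' so both output
    forms key the same interface."""
    return re.sub(r"(Ethernet)\s+(\d)", r"\1\2", text.strip())


def parse_show_backup(text):
    """Return {primary: {'backup': name, 'status': 'normal operation'|'backup mode'}}."""
    pairs = {}
    for line in text.splitlines():
        m = ROW_RE.match(normalize_name(line))
        if m:
            pairs[m.group(1)] = {"backup": m.group(2), "status": m.group(3)}
    return pairs


def link_transitions(text):
    """Return [(timestamp, interface, state)] for %LINK UPDOWN messages in log order.
    %LINEPROTO lines are ignored: the link state is what drives the backup switch."""
    out = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["intf"], m["state"]))
    return out


def failover_report(show_backup_text, syslog_text):
    """Cross-check show backup against the log. A pair in backup mode should be
    backed by a primary-down and a backup-up event; a pair in normal operation
    whose backup is logged as up is flagged, because the backup should be in standby."""
    last = {}
    for _, intf, state in link_transitions(syslog_text):
        last[intf] = state
    report = {}
    for primary, info in parse_show_backup(show_backup_text).items():
        backup = info["backup"]
        if info["status"] == "backup mode":
            corroborated = last.get(primary) == "down" and last.get(backup) == "up"
            report[primary] = "FAILOVER: traffic on %s%s" % (
                backup, "" if corroborated else " (no matching link events in log)")
        elif last.get(backup) == "up":
            report[primary] = "WARNING: %s reported up while pair is in normal operation" % backup
        else:
            report[primary] = "ok"
    return report


if __name__ == "__main__":
    for primary, verdict in failover_report(SHOW_BACKUP, SYSLOG).items():
        print(primary, verdict)
```

Feed it the output of show backup and the relevant syslog window; a FAILOVER line that persists across runs means the service is riding the backup link and the primary has not recovered.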

Example

Figure 4-3 shows a sample configuration of a backup interface for Flexible UNI. The configuration includes several EVCs (service instances), configured as follows:

Service instance 4 is configured on primary and backup interfaces (links) that terminate in a bridge domain, with a VPLS uplink onto network provider edge NPE12.

Service instance 2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS on NPE12.

Figure 4-3 Backup Interface for Flexible UNI Configuration

This is the configuration at NPE10:

interface ge2/4.4
  description npe10 to npe11 gi3/11 - backup - bridged
  encapsulation dot1q 4
  ip address 100.4.1.33 255.255.255.0

interface ge2/4.2
  description npe10 to npe11 gi3/11 - backup - xconnect
  encapsulation dot1q 2
  ip address 100.2.1.33 255.255.255.0

This is the configuration at NPE14:

interface ge1/3.4
  description npe14 to npe11 gi3/1 - primary - bridged
  encapsulation dot1q 4
  ip address 100.4.1.22 255.255.255.0

interface ge1/3.2
  description npe14 to npe11 gi3/1 - primary - xconnect
  encapsulation dot1q 2
  ip address 100.2.1.22 255.255.255.0 

This is the configuration at 72a, at the user-facing provider edge (U-PE):

interface fa1/0.4
  description 72a to npe12 - bridged
  encapsulation dot1q 4
  ip address 100.4.1.12 255.255.255.0

interface fa1/0.2
  description 72a to npe12 - xconnect
  encapsulation dot1q 2
  ip address 100.2.1.12 255.255.255.0 

This is the configuration at NPE11:

interface gigabitEthernet 3/1
  backup interface gigabitEthernet 3/11
  service instance 2 ethernet
    encapsulation dot1q 2
    rewrite ingress tag pop 1 symmetric
    xconnect 12.0.0.1 2 encapsulation mpls
  service instance 4 ethernet
    encapsulation dot1q 4
    rewrite ingress tag pop 1 symmetric
    bridge-domain 4

interface gigabitEthernet 3/11
  service instance 2 ethernet
    encapsulation dot1q 2
    rewrite ingress tag pop 1 symmetric
    xconnect 12.0.0.1 21 encapsulation mpls
  service instance 4 ethernet
    encapsulation dot1q 4
    rewrite ingress tag pop 1 symmetric
    bridge-domain 4

This is the VPLS uplink configuration at NPE11 for bridge domain 4 (the description strings throughout this example name the local device first, and NPE11 peers with NPE12 at 12.0.0.1):

interface GE-WAN 4/3
  description npe11 to npe12
  ip address 10.3.3.1 255.255.255.0
  mpls ip
l2 vfi vlan4 manual
  vpn id 4
  neighbor 12.0.0.1 4 encapsulation mpls
interface Vlan4
  xconnect vfi vlan4

This is the configuration at NPE12:

l2 vfi vlan4 manual
  vpn id 4
  neighbor 11.0.0.1 4 encap mpls
interface Vlan4
  description npe12 to npe11 xconnect
  xconnect vfi vlan4
l2 vfi vlan2 manual
  vpn id 2
  neighbor 11.0.0.1 2 encap mpls
  neighbor 11.0.0.1 21 encap mpls
interface Vlan2
  xconnect vfi vlan2
interface GE-WAN 9/4
  description npe12 to npe11
  ip address 10.3.3.2 255.255.255.0
  mpls ip

interface fastEthernet 8/2
  description npe12 to 72a
  switchport
  switchport trunk encap dot1q
  switchport mode trunk
  switchport trunk allowed vlan 2-4

The primary interface is enabled:

NPE-11# show backup
Primary Interface     Secondary Interface    Status
-----------------     -------------------    ------
GigabitEthernet3/1    GigabitEthernet3/11    normal operation
NPE-11# show interface gi3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
[...]
NPE-11# show interface gi3/11
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)

The primary link goes down and the backup takes over:

NPE-11# !!! Link gi3/1 (active) goes down
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up
NPE-11# show backup
Primary Interface     Secondary Interface    Status
-----------------     -------------------    ------
GigabitEthernet3/1    GigabitEthernet3/11    backup mode
NPE-11# show interface gi3/1
GigabitEthernet3/1 is down, line protocol is down (notconnect)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec
NPE-11# show interface gi3/11
GigabitEthernet3/11 is up, line protocol is up (connected)

EVC On Port-Channel

An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.

For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see Configuring EtherChannels at http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/software/122sr/swcg/channel.htm.

The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types.

Load balancing is performed on an Ethernet flow point (EFP) basis: EFPs are grouped and each group is pinned to one member link for egress, so the traffic of a given EFP leaves the bundle over a single member link.

Restrictions and Usage Guidelines

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:

All member links of the port-channel must be on Cisco 7600-ES+ line cards.

Bridge-domain, xconnect, connect EVCs, switchports, and IP subinterfaces are allowed over the port-channel interface and the main interface.


Note For a port with a switchport, you can use the service instance ethernet command to create a service instance to support OAM requirements but not for data traffic.


If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.

A physical port that is part of an EVC port-channel cannot have switchport configuration.

Port-channel membership is configured statically (channel-group mode on); LACP negotiation is not supported by this feature. See LACP Support for EVC Port Channel for the LACP-capable variant.

You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS, page 7-1.

You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policymaps or in parent of HQoS policymaps.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel number

4. [no] ip address

5. [no] service instance id Ethernet [service-name]

6. encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

8. [no] bridge-domain bridge-id or xconnect vfi vfi name

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface port-channel number

Example:

Router(config)# interface port-channel 11

Creates the port-channel interface.

Step 4 

[no] ip address

Example:

Router(config-if)# no ip address

The no form, as in the example, removes any IP address from the port-channel interface so that it carries EVC service instances; without no, the command assigns an IP address and subnet mask to the EtherChannel.

Step 5 

[no] service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6 

encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7 

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Step 8 

[no] bridge-domain bridge-id

or

xconnect vfi vfi name

Example:

Router(config-if-srv)# bridge-domain 12

or

Router(config-if-srv)# xconnect vfi vfi16

The bridge-domain command binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

The xconnect command specifies the Layer 2 VFI that you are binding to the VLAN port.

Examples

In this example, a single port-channel interface is created with three possible member links from slots 1 and 2:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel5
Router(config-if)# no shutdown
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 350
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if-srv)# exit

Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 400
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if-srv)# exit

Router(config-if)# service instance 3 ethernet
Router(config-if-srv)# encapsulation dot1q 500
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 370
Router(config-if-srv)# exit
Router(config-if)# exit

Router(config)# interface Port-channel5.1
Router(config-subif)# encapsulation dot1Q 500 second-dot1q 300
Router(config-subif)# ip address 60.0.0.1 255.0.0.0
Router(config-subif)# exit

Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-group 5 mode on
Router(config-if)# exit

Router(config)# interface GigabitEthernet 1/3
Router(config-if)# channel-group 5 mode on
Router(config-if)# exit

Router(config)# interface GigabitEthernet 2/1
Router(config-if)# channel-group 5 mode on

Here is a typical QoS configuration; the service policies are applied under the service instance:

Router# enable
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500

Verification

Use the following commands to verify operation.

Command
Purpose

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detailed option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: if a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Router# show mpls l2 vc detail

Displays detailed information related to the virtual connection (VC).

Router# show mpls forwarding

Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB).

Note Output should have the label entry l2ckt.

Router# show etherchannel summary

Displays the state of all EtherChannel groups and their member ports.

Router# show policy-map interface service instance

Displays the policy-map information for a given service instance.


LACP Support for EVC Port Channel

An Ethernet link bundle or port-channel is an aggregation of up to eight physical Ethernet links to form a single logical link for L2/L3 forwarding. Bundled Ethernet ports are used to increase the capacity of the logical link and provide high availability and redundancy. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.

For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see "Configuring EtherChannels" at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/channel.html.

The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types. IEEE 802.3ad Link Aggregation Control Protocol (LACP) negotiates bundle membership with the partner device and detects member links that can no longer carry traffic. The LACP Support for EVC Port Channel feature supports service instances over bundled Ethernet links whose membership is negotiated by LACP.

Ethernet flow points (EFPs) are configured under a port-channel. The traffic, carried by the EFPs, is load-balanced across member links. EFPs under a port-channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for an EFP uses only one of the member links. Load balancing is achieved by grouping EFPs and assigning them to a member link.

The scalability for a link-bundling EVC is 8k per chassis. Port Channel EVC scalability for ES+ line cards is dependent on the same factors as EVCs configured under physical interfaces, with the number of member links and their distribution across the Tridents as an additional parameter. EVC port-channel QoS leverages EVC QoS infrastructure.

Restrictions and Usage Guidelines

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:

All member links of the port-channel are on Cisco 7600-ES+ line cards.

Only bridge-domain, xconnect, connect EVCs, and IP subinterfaces are allowed over the port-channel interface. You cannot apply a switchport and EVC configuration under the same port-channel interface.

If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.

A physical port that is part of an EVC port-channel cannot have switchport configuration.

Port-channel membership can be configured statically (channel-group mode on) or negotiated with LACP (channel-group mode active or passive).

You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS, page 7-1.

You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policymaps or in parent of HQoS policymaps.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface port-channel

4. [no] ip address

5. service instance id Ethernet [service-name]

6. encapsulation dot1q vlan-id

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

8. [no] bridge-domain bridge-id

9. channel-protocol {lacp | pagp}

10. channel-group channel-group-number mode {active | on | passive}


Note The channel-group mode on option applies when configuring a static port-channel over EVC; the active and passive options apply when configuring a port-channel over EVC with LACP.


DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface port-channel number

Example:

Router(config)# interface port-channel 12

Creates the port-channel interface.

Step 4 

[no] ip address

Example:

Router(config-if)# no ip address

The no form, as in the example, removes any IP address from the port-channel interface so that it carries EVC service instances; without no, the command assigns an IP address and subnet mask to the EtherChannel.

Step 5 

[no] service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7 

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Step 8 

[no] bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 9 

channel-protocol {lacp | pagp}

Example:

Router(config-if)# channel-protocol lacp

Sets the protocol that is used on an interface to manage channeling.

Step 10 

channel-group channel-group-number mode {active | on | passive}

Example:

Router(config-if)# channel-group 5 mode active

Assigns and configures an EtherChannel interface to an EtherChannel group.

Examples

In this example, a single port-channel interface is created with three possible member links from slots 1 and 2, with LACP negotiating the membership:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel5
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 350
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if-srv)# exit

Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 400
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if-srv)# exit

Router(config-if)# service instance 3 ethernet
Router(config-if-srv)# encapsulation dot1q 500
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 370
Router(config-if-srv)# exit
Router(config-if)# exit

Router(config)# interface Port-channel5.1
Router(config-subif)# encapsulation dot1Q 500 second-dot1q 300
Router(config-subif)# ip address 60.0.0.1 255.0.0.0
Router(config-subif)# exit

Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config-if)# exit
Router(config)# interface GigabitEthernet 1/3
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config-if)# exit
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active

Here is a typical QoS configuration; the service policies are applied under the service instance:

Router# enable
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500

Here is the configuration for LACP on a member link of a configured EVC port-channel. Entering channel-group 5 mode ? lists the available modes; choose active (the port initiates LACP negotiation) or passive (the port answers LACP negotiation but does not initiate it). At least one side of the bundle must be active for the bundle to form:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active

Here is a port-channel configuration. With lacp max-bundle 1 only one member link is active in the bundle and the other members are held in hot standby; lacp fast-switchover lets a standby link take over as soon as the active link fails:

Router# enable
Router# configure terminal
Router(config)# interface Port-channel102
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp fast-switchover
Router(config-if)# lacp max-bundle 1
Router(config-if)# service instance 50 ethernet
Router(config-if-srv)# encapsulation dot1q 50
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy output lacp-parent
Router(config-if-srv)# bridge-domain 50

Here is the configuration of a member link. lacp rate fast requests LACPDUs from the partner every second instead of every 30 seconds, so a failed link is detected within a few seconds:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 3/12
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp rate fast
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 102 mode active

Verification

Use the following commands to verify operation.

Command
Purpose

Use the following commands to verify EVC configuration

Router# show ethernet service evc [id evc-id | interface interface-id] [detail]

Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.

Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]

Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.

Router# show ethernet service interface [interface-id] [detail]

Displays information in the Port Data Block (PDB).

Use the following commands to verify LACP over EVC

Router# show etherchannel 15 port-channel

Displays details for port-channel 15. This command is common to EVC port-channel, switchport port-channel, and Layer 3 port-channel. The CLI is run at the RP.


DHCP Snooping with Option-82 on EVC

DHCP snooping determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters DHCP messages from untrusted sources.

To do this, DHCP snooping dynamically builds and maintains the DHCP snooping database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

Each entry in the DHCP snooping database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Additionally, the DHCP Snooping with Option-82 feature can centrally manage the IP address assignments for a large number of subscribers. When the DHCP Snooping with Option-82 feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.

However, EVCs require additional information. If each EVC on an interface mapped to a single VPN, it would be possible to use the internal VLAN to identify the path for reply packets. However, because multiple EVCs with different encapsulations can map to the same VPN, it is necessary to use the actual EVC encapsulation to tell them apart.

The DHCP Snooping with Option-82 on EVC feature allows the user to provide this additional information required for EVC-enabled interfaces. This information is inserted into the option 82 and is also stored in the binding table for retrieval by other services.

You can use the ip dhcp relay information option subscriber-id command to configure a subscriber string for an EVC that can be inserted into the option 82 field along with other information when relaying the DHCP packets to the server. The server can parse the option 82 information to match the subscriber string and act accordingly. The subscriber string configured for an EVC will not be stored in the binding table and is only used when sending DHCP packets to the server by inserting into the option 82 field.

For additional information on DHCP Snooping and Option-82 on the Cisco 7600 router, see Configuring DHCP Snooping at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/snoodhcp.html.
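To see what the server actually receives, and what the snooping trust rule does with a packet that already carries option 82, the following Python code is an added example (not Cisco code, and not from this guide). It encodes and parses DHCP option 82 with the circuit-id and remote-id sub-options of RFC 3046 and the subscriber-id sub-option (code 6) of RFC 3993, the sub-option defined for the kind of string that ip dhcp relay information option subscriber-id configures, and it applies the default snooping verdicts: server messages arriving on an untrusted port are dropped, and a client packet that arrives on an untrusted port already carrying option 82 is dropped unless untrusted option 82 has been explicitly allowed. The sample DHCPDISCOVER options area, the circuit-id string, and the subscriber value 11 are constructed for the example; that the router places the configured string in sub-option 6 as plain ASCII is an assumption.

```python
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID, SUBOPT_SUBSCRIBER_ID = 1, 2, 6
SUBOPT_NAMES = {SUBOPT_CIRCUIT_ID: "circuit-id", SUBOPT_REMOTE_ID: "remote-id",
                SUBOPT_SUBSCRIBER_ID: "subscriber-id"}
# Message types only a DHCP server sends; snooping never accepts them on an untrusted port.
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def _tlvs(buf, top_level):
    """Yield (code, value) from a run of code/length/value triples.
    At the top level, code 0 is a pad byte and 255 ends the list (RFC 2132);
    inside option 82 neither applies (RFC 3046). Truncated data raises."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == OPT_END:
            return
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (code, length, len(value)))
        yield code, value
        i += 2 + length


def parse_dhcp_options(options):
    """Parse the options field that follows the magic cookie into {code: value}."""
    return dict(_tlvs(options, top_level=True))


def parse_option82(value):
    """Split an option 82 value into its sub-options, keyed by name where known."""
    return {SUBOPT_NAMES.get(code, code): data for code, data in _tlvs(value, top_level=False)}


def build_option82(circuit_id=b"", remote_id=b"", subscriber_id=b""):
    """Encode option 82 as a relay agent does before forwarding a client packet."""
    body = b""
    for code, data in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id),
                       (SUBOPT_SUBSCRIBER_ID, subscriber_id)):
        if data:
            if len(data) > 255:
                raise ValueError("sub-option %d longer than 255 bytes" % code)
            body += bytes([code, len(data)]) + data
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def snooping_verdict(port_trusted, options, allow_untrusted=False):
    """Default DHCP snooping decision for a packet received on a port."""
    if port_trusted:
        return "forward"
    mt = options.get(OPT_MSG_TYPE, b"")
    msg_type = mt[0] if mt else 0
    if msg_type in SERVER_MSG_TYPES:
        return "drop: %s from untrusted port" % SERVER_MSG_TYPES[msg_type]
    if OPT_RELAY_AGENT in options and not allow_untrusted:
        return "drop: option 82 present on untrusted port"
    return "forward"


def subscriber_from_options(options_bytes):
    """What the server parses out of a relayed packet: the subscriber string, or None."""
    opts = parse_dhcp_options(options_bytes)
    if OPT_RELAY_AGENT not in opts:
        return None
    sub = parse_option82(opts[OPT_RELAY_AGENT]).get("subscriber-id")
    return None if sub is None else sub.decode("ascii")


# Constructed sample: DHCPDISCOVER options (magic cookie already stripped) as the
# server sees them after the relay agent inserted a circuit-id naming the EVC and
# the subscriber string 11 from the configuration example. The circuit-id text is
# illustrative, not the router's actual circuit-id encoding.
SAMPLE_DISCOVER = (bytes([OPT_MSG_TYPE, 1, 1])
                   + build_option82(circuit_id=b"Gi8/1:2", subscriber_id=b"11")
                   + bytes([OPT_END]))

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_DISCOVER)
    print(parse_option82(opts[OPT_RELAY_AGENT]))   # sub-options the server can match on
    print(snooping_verdict(False, opts))           # untrusted port: dropped
    print(snooping_verdict(True, opts))            # trusted port: forwarded
```

The verdict function is the reason the trust boundary matters: a host on an untrusted EVC that forges option 82 to impersonate another subscriber is dropped before the relay ever sees the packet, while the same packet on a trusted port is accepted as-is.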

Restrictions and Usage Guidelines

When configuring DHCP Snooping with Option-82, follow these restrictions and usage guidelines:

DHCP snooping must be configured and running.

An EVC with multiple encapsulations is not supported.

The following EVCs are supported on the same interface and bridge-domain:

dot1q encapsulation

q-in-q encapsulation

untagged encapsulation

The number of EVCs supported per port is 4k.

The number of EVCs supported per router is 32k.

Multiple EVCs are supported on the same port, all having the same or different bridge domains.

Multiple EVCs are supported on different ports, all having the same or different bridge domains.

With Cisco IOS Release 12.2(33)SRE, DHCP snooping with Option 82 is supported on EVC port-channels.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface port-channel number

4. [no] ip address

5. negotiation {forced | auto}

6. service instance id Ethernet [service-name]

7. encapsulation dot1q vlan-id

8. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

9. ip dhcp relay information option subscriber-id value

10. [no] bridge-domain bridge-id

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4 

no ip address

Example:

Router(config-if)# no ip address

Removes an IP address or disables IP processing.

Step 5 

negotiation {forced | auto}

Example:

Router(config-if)# negotiation auto

Enables advertisement of speed, duplex mode, and flow control on a Gigabit Ethernet interface.

Step 6 

[no] service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 7 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 8 

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Step 9 

ip dhcp relay information option subscriber-id value

Example:
Router(config-if-srv)# ip dhcp relay information option subscriber-id 123

Configures a subscriber string that uniquely identifies the interface from which the DHCP packets are coming.

Step 10 

[no] bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Example

This example shows a typical configuration on the relay agent and the server. The following is a configuration on the relay agent:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet8/1
Router(config-if)# no ip address
Router(config-if)# negotiation auto
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip dhcp relay information option subscriber-id 11
Router(config-if-srv)# bridge-domain 100

Router(config)# interface Vlan100
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip helper-address global 20.0.0.2
Router(config-if)# ip helper-address 20.0.0.2

Router(config)# interface GigabitEthernet 2/1
Router(config-if)# ip dhcp snooping packets
Router(config-if)# ip address 20.0.0.1 255.255.255.0
Router(config-if)# negotiation auto
!

This is the configuration on the server:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# ip address 20.0.0.2 255.255.255.0
Router(config-if)# negotiation auto
Router(config-if)# end
Router(config)# ip dhcp pool pool1
Router(dhcp-config)# network 10.0.0.0 255.255.0.0
Router(dhcp-config)# lease 2
Router(dhcp-config)# update arp
Router(dhcp-config)# class C1
Router(config-dhcp-pool-class)# address range 10.0.0.2 10.0.0.10
Router(config-dhcp-pool-class)# exit
Router(dhcp-config)# class C2
Router(config-dhcp-pool-class)# address range 10.0.0.11 10.0.0.20
!
Router(config)# ip dhcp pool pool2
Router(dhcp-config)# network 11.0.0.0 255.255.0.0
Router(dhcp-config)# lease 2
!
Router(config)# ip dhcp pool pool3
Router(dhcp-config)# vrf vrf1
Router(dhcp-config)# network 10.0.0.0 255.255.255.0
Router(dhcp-config)# lease 0 0 2
!
! Class C1 maps to the subscriber-id string aabb11.
Router(config)# ip dhcp class C1
Router(config-dhcp-class)# relay agent information
Router(config-dhcp-class-relayinfo)# relay-information hex 00000000000000000000000000000006616162623131 mask fffffffffffffffffffffffffffffff0000000000000
!
Router(config)# ip dhcp class C2
Router(config-dhcp-class)# relay agent information
Router(config-dhcp-class-relayinfo)# relay-information hex 00000000000000000000000000000006313162626161 mask fffffffffffffffffffffffffffffff0000000000000
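The server picks a class from the relay agent information that the relay inserts. The following added example (not from this guide or Cisco IOS) encodes and parses DHCP option 82 (RFC 3046) with the Subscriber-ID sub-option (code 6, RFC 3993), shows how a subscriber-id string becomes the hex typed into the class configuration (616162623131 is ASCII "aabb11", 313162626161 is "11bbaa"), and rejects sub-option length fields that disagree with the bytes present; the function and constant names and the sample circuit-id value are constructed for the example.

```python
import struct
from typing import Dict, Optional

OPTION_RELAY_AGENT_INFO = 82   # DHCP Relay Agent Information option, RFC 3046
SUBOPT_CIRCUIT_ID = 1          # Agent Circuit ID, RFC 3046
SUBOPT_REMOTE_ID = 2           # Agent Remote ID, RFC 3046
SUBOPT_SUBSCRIBER_ID = 6       # Subscriber-ID, RFC 3993

# Subscriber-ID strings that the two "ip dhcp class" hex patterns above end in.
CLASS_SUBSCRIBER_IDS = {"C1": "aabb11", "C2": "11bbaa"}


def build_option82(circuit_id: bytes, remote_id: bytes, subscriber_id: str) -> bytes:
    """Encode option 82 (code, length, then sub-option TLVs) as a relay agent inserts it."""
    body = b""
    for code, value in (
        (SUBOPT_CIRCUIT_ID, circuit_id),
        (SUBOPT_REMOTE_ID, remote_id),
        (SUBOPT_SUBSCRIBER_ID, subscriber_id.encode("ascii")),
    ):
        if not value:
            continue                    # empty sub-options are simply omitted
        if len(value) > 255:
            raise ValueError("sub-option %d longer than 255 bytes" % code)
        body += struct.pack("!BB", code, len(value)) + value
    if len(body) > 255:
        raise ValueError("option 82 body longer than 255 bytes")
    return struct.pack("!BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def parse_option82(data: bytes) -> Dict[int, bytes]:
    """Decode option 82 into {sub-option code: value}. Length fields that do not agree
    with the bytes actually present are rejected instead of being trusted."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    if data[1] != len(data) - 2:
        raise ValueError("option length does not match payload")
    body, pos, subs = data[2:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = value
        pos += 2 + length
    return subs


def is_well_formed(data: bytes) -> bool:
    """True when parse_option82 accepts the bytes."""
    try:
        parse_option82(data)
        return True
    except ValueError:
        return False


def subscriber_id_hex(subscriber_id: str) -> str:
    """The hex an operator types into 'relay-information hex' for a subscriber-id string."""
    return subscriber_id.encode("ascii").hex()


def select_class(option82: bytes,
                 classes: Dict[str, str] = CLASS_SUBSCRIBER_IDS) -> Optional[str]:
    """Return the DHCP class whose subscriber-id the relayed packet carries, or None."""
    sub = parse_option82(option82).get(SUBOPT_SUBSCRIBER_ID)
    if sub is None:
        return None
    for name, expected in classes.items():
        if sub == expected.encode("ascii"):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a made-up 4-byte circuit-id and the subscriber-id class C1 expects.
    opt = build_option82(b"\x00\x04\x00\x02", b"", "aabb11")
    print(opt.hex(), parse_option82(opt), select_class(opt))
```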


Verification

Use the following commands to verify operation.

Command
Purpose

Router# show ip dhcp snooping

Displays all VLANs (both primary and secondary) that have DHCP snooping enabled.

Router# show ip dhcp snooping binding

Checks the DHCP snooping database.


IP Source Guard for Service Instance

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the service instance is blocked except for DHCP packets that are captured by DHCP snooping. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, the IP Source Guard for Service Instance feature automatically creates an access control list (ACL) to permit that traffic. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.

Restrictions and Usage Guidelines

When configuring IP Source Guard for Service Instance, follow these restrictions and usage guidelines:

Like other TCAM features, the number of ACLs and ACEs that can be configured as part of IP Source Guard are bounded by the hardware resources on the line card. The available TCAM resources are shared by various features that are configured on the line card.

IP Source Guard feature is meant to verify host source IP and MAC information. Only ingress traffic is filtered. It is not applicable to egress direction.

IP Source Guard is not effective for software forwarded packets. When a non-recoverable TCAM exception occurs for the IP Source Guard, the IP filtering will not be effective and packets will be permitted.

IP Source Guard feature is not supported on subinterfaces.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. [no] ip address

5. service instance id Ethernet [service-name]

6. encapsulation dot1q vlan-id

7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric


Note In order for the router to distinguish whether the packet is DHCP, all tags must be popped; push and translate are not supported with the IP Source Guard for Service Instance feature.


8. ip verify source vlan dhcp-snooping [port-security]

9. [no] bridge-domain bridge-id

10. exit

11. end

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

slot/port—Specifies the location of the interface.

Step 4 

[no] ip address

Example:

Router(config-if)# no ip address

Removes an IP address or disables IP processing.

Step 5 

[no] service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 6 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 7 

rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric

Example:

Router(config-if-srv)# rewrite ingress tag pop 1 symmetric

Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.

Note In order for the router to distinguish whether the packet is DHCP, all tags must be popped; push and translate are not supported with the IP Source Guard for Service Instance feature.

Step 8 

ip verify source vlan dhcp-snooping [port-security]

Example:
Router(config-if-srv)# ip verify source vlan dhcp-snooping

Enables IP Source Guard states. The following are the command options:

vlan dhcp-snooping enables IP mode and applies the feature to only specific VLANs on the interface. The dhcp-snooping option applies the feature to all VLANs on the interface that have DHCP snooping enabled.

port-security enables IP/MAC mode and applies both IP and MAC filtering.

Step 9 

[no] bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 10 

exit

Example:
Router(config-if)# exit

Returns to global configuration mode.

Step 11 

end

Example:
Router(config)# end

Exits configuration mode.

Example

This is an example of an EVC single tag (Dot1q) configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10

This is an example of an EVC double tagged (QinQ) configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71 second-dot1q 100
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10

This is an example of an EVC untagged configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10

This is an example of an EVC default configuration:

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation default
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10

Verification

Use the show ip verify source interface to verify the configuration:

router# show ip verify source interface gi5/1 efp_id 10
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  EFP ID
---------  -----------  -----------  ---------------  -----------------  ----  ------
Gi5/1      ip-mac       active       123.1.1.1        00:0A:00:0A:00:0A  100   10

router# show ip verify source interface gi5/1
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  EFP ID
---------  -----------  -----------  ---------------  -----------------  ----  ------
Gi5/1      ip-mac       active       123.1.1.1        00:0A:00:0A:00:0A  100   10
Gi5/1      ip-mac       active       123.1.1.2        00:0A:00:0A:00:0B  100   20
Gi5/1      ip-mac       active       123.1.1.3        00:0A:00:0A:00:0C  100   30
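The following added example (not from this guide or Cisco IOS) models the IP Source Guard decision described in this section: a binding table filled from DHCP snooping or static entries per VLAN and EFP, an "ip" mode that checks only the source IP and an "ip-mac" mode (the port-security keyword) that also checks the source MAC, DHCP client traffic always permitted so snooping can learn, and a table in the column order of show ip verify source. The class and function names and the sample frames are constructed for the example; the bindings are those from the output above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCP_SERVER_PORT = 67   # client-to-server DHCP, which snooping must always see


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    efp: int


class SourceGuard:
    """Per-EFP source filter. Mode 'ip' verifies the source IP only ('ip verify source vlan
    dhcp-snooping'); mode 'ip-mac' also verifies the source MAC (with 'port-security')."""

    def __init__(self, interface: str, mode: str = "ip"):
        if mode not in ("ip", "ip-mac"):
            raise ValueError("mode must be 'ip' or 'ip-mac'")
        self.interface = interface
        self.mode = mode
        # (vlan, efp) -> {source ip -> binding}: the permit list the feature builds
        self._bindings: Dict[Tuple[int, int], Dict[str, Binding]] = {}

    def learn(self, b: Binding) -> None:
        """Called when DHCP snooping sees the server's ACK, or for a static binding."""
        self._bindings.setdefault((b.vlan, b.efp), {})[b.ip] = b

    def release(self, vlan: int, efp: int, ip: str) -> None:
        """Lease released or expired: the matching permit entry disappears."""
        self._bindings.get((vlan, efp), {}).pop(ip, None)

    def permits(self, vlan: int, efp: int, src_ip: str, src_mac: str,
                udp_dport: Optional[int] = None) -> bool:
        """Decide whether an ingress frame on this VLAN/EFP is forwarded."""
        if udp_dport == DHCP_SERVER_PORT:
            return True                  # DHCP client traffic is never blocked
        b = self._bindings.get((vlan, efp), {}).get(src_ip)
        if b is None:
            return False                 # no binding for this IP on this EFP
        if self.mode == "ip-mac" and b.mac.lower() != src_mac.lower():
            return False                 # right IP, wrong MAC: denied in IP/MAC mode
        return True

    def table(self) -> List[Tuple[str, str, str, str, str, int, int]]:
        """Rows in the order Interface, Filter-type, Filter-mode, IP, MAC, Vlan, EFP ID."""
        rows = []
        for (vlan, efp), entries in sorted(self._bindings.items()):
            for b in entries.values():
                rows.append((self.interface, self.mode, "active", b.ip, b.mac, vlan, efp))
        return rows


if __name__ == "__main__":
    guard = SourceGuard("Gi5/1", "ip-mac")
    for ip, mac, efp in (("123.1.1.1", "00:0A:00:0A:00:0A", 10),
                         ("123.1.1.2", "00:0A:00:0A:00:0B", 20),
                         ("123.1.1.3", "00:0A:00:0A:00:0C", 30)):
        guard.learn(Binding(ip, mac, 100, efp))
    for row in guard.table():
        print(*row)
    # Constructed frame: a host on EFP 10 claiming its neighbour's address.
    print(guard.permits(100, 10, "123.1.1.2", "00:0A:00:0A:00:0A"))
```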

Configuring MST on EVC Bridge Domain

The MST on EVC Bridge Domain feature enables Multiple Spanning Tree (MST) on EVC interfaces. It complements the H-VPLS N-PE Redundancy for QinQ and MPLS Access feature released in Cisco IOS Release 12.2(33)SRC. For more information on this feature, see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html.

This section describes how to configure MST on EVC Bridge Domain. It contains the following topics:

Overview of MST and STP

Overview of MST on EVC Bridge Domain

Restrictions and Usage Guideline

Examples

Overview of MST and STP

Spanning Tree Protocol (STP) is a Layer 2 link-management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis.

Multiple Spanning Tree (MST) maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

For routers to participate in MST instances, you must consistently configure the routers with the same MST configuration information. A collection of interconnected routers that have the same MST configuration comprises an MST region. For two or more routers to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same MST name.

The MST configuration controls the MST region to which each router belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.

A region can have one or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree instance at a time.

For additional information on STP and MST on the Cisco 7600 series routers, see Configuring STP and MST at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/spantree.html#wp1101938.

Overview of MST on EVC Bridge Domain

The MST on EVC Bridge Domain feature uses VLAN IDs for service-instance-to-MST-instance mapping. EVC service instances with the same VLAN ID (the outer VLAN ID in the QinQ case) as the one in another MST instance will be mapped to that MST instance.

EVC service instances can have encapsulations with a single tag as well as double tags. In case of double tag encapsulations, the outer VLAN ID shall be used for the MST instance mapping, and the inner VLAN ID is ignored.

A single VLAN per EVC is needed for the mapping with the MST instance. The following service instances without any VLAN ID or with multiple outer VLAN IDs are not supported:

Untagged (encapsulation untagged)

Priority-tagged (encapsulation priority-tagged)

Default (encapsulation default)

Multiple outer tags (encapsulation dot1q 200-400 second-dot1q 300)

Restrictions and Usage Guideline

When configuring MST on EVC Bridge Domain, follow these restrictions and usage guidelines:

The main interface on which the EFP is configured must be up and running MSTP as the selected spanning tree mode (PVST and Rapid-PVST are not supported).

The STP PortFast feature is not supported with EFPs.

Any action performed on VPORT (which represents a particular VLAN in a physical port) affects the bridge domain and other services.

This feature cannot coexist with Ethernet Bridging on FR/ATM, which supports only PVST.

Supports 64 MSTs and 1 CIST (common and internal spanning tree).

Supports 1 MST region.

Scales to 32k EFP.

Does not support EVC port-channels.

EVC service instances without any VLAN ID in the encapsulation are not supported.

Supports EFPs with an unambiguous outer VLAN tag (that is, no range or list on the outer VLAN, and neither default nor untagged encapsulation).

Supports Cisco 7600 Series ES+ line cards only.

Removal of dot1q encapsulation will remove the EVC port from MST.

When you configure multiple service instances under the same port with the same outer VLAN, the action will affect all service instances with same outer VLAN.

The same outer VLAN cannot be configured under different EVC service instances under the same interface.

Changing VLAN (outer encapsulation VLAN of EVC) mapping to a different MST instance will move the EVC port to the new MST instance.

Changing the outer encapsulation on the EFP changes the corresponding MST instance (The change in the outer VLAN changes the MST instance that the EFP was mapped to).

Changing an EVC service instance to a VLAN that has not been defined in MST 1 will result in mapping of EVC port to MST 0.

The peer router of the EVC port must also be running MST.
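The following added example (not from this guide or Cisco IOS) applies the mapping rules of this section to a set of EFPs: only the outer VLAN of the encapsulation counts and an inner second-dot1q tag is ignored, a VLAN not mapped to any instance lands in MST 0, encapsulations without a single unambiguous outer VLAN (untagged, priority-tagged, default, ranges) are rejected, a re-encapsulation moves the port to the new instance, and removing the encapsulation removes the port from MST. The class and function names are constructed for the example; the VLAN-to-instance maps and interfaces mirror the examples later in this section.

```python
import re
from typing import Dict, List, Tuple

MST_INSTANCES_MAX = 64   # the guide: 64 MSTs plus the CIST, which is MST instance 0

NO_VLAN_ENCAPS = ("untagged", "priority-tagged", "default")


def outer_vlan(encap: str) -> int:
    """Return the outer VLAN of an EFP encapsulation line, or raise ValueError when the
    encapsulation cannot be mapped to an MST instance (no VLAN, or an ambiguous outer tag)."""
    tokens = encap.strip().split()
    if tokens and tokens[0] in ("encapsulation", "encap"):
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("empty encapsulation")
    if tokens[0] in NO_VLAN_ENCAPS:
        raise ValueError("encapsulation %s carries no VLAN ID" % tokens[0])
    if tokens[0] != "dot1q" or len(tokens) < 2:
        raise ValueError("unsupported encapsulation: " + encap)
    if not re.fullmatch(r"\d+", tokens[1]):
        # a range such as 200-400 or a list such as 10,20 is not an unambiguous outer tag
        raise ValueError("outer VLAN must be a single ID, got " + tokens[1])
    vlan = int(tokens[1])
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN %d out of range" % vlan)
    return vlan              # a second-dot1q inner tag, if present, is ignored for MST


def mst_capable(encap: str) -> bool:
    """True when the encapsulation can take part in MST on EVC Bridge Domain."""
    try:
        outer_vlan(encap)
        return True
    except ValueError:
        return False


class MstRegion:
    """One MST region: a VLAN-to-instance map plus the EFPs attached to it."""

    def __init__(self, vlan_to_instance: Dict[int, int]):
        for inst in vlan_to_instance.values():
            if not 0 <= inst <= MST_INSTANCES_MAX:
                raise ValueError("MST instance %d out of range" % inst)
        self.vlan_to_instance = dict(vlan_to_instance)
        self._efps: Dict[Tuple[str, int], int] = {}   # (interface, service instance id) -> outer VLAN

    def instance_for_vlan(self, vlan: int) -> int:
        return self.vlan_to_instance.get(vlan, 0)       # unmapped VLANs fall into MST 0

    def set_encapsulation(self, interface: str, efp_id: int, encap: str) -> int:
        """Create or re-encapsulate an EFP; return the instance its port now belongs to."""
        vlan = outer_vlan(encap)
        self._efps[(interface, efp_id)] = vlan
        return self.instance_for_vlan(vlan)

    def remove_encapsulation(self, interface: str, efp_id: int) -> None:
        """Removing the dot1q encapsulation removes the EVC port from MST."""
        self._efps.pop((interface, efp_id), None)

    def ports_in_instance(self, instance: int) -> List[str]:
        """Interfaces with at least one EFP whose outer VLAN maps to this instance."""
        return sorted({iface for (iface, _), vlan in self._efps.items()
                       if self.instance_for_vlan(vlan) == instance})


if __name__ == "__main__":
    region = MstRegion({2: 1, 8: 2})
    region.set_encapsulation("Gi4/1", 1, "encapsulation dot1q 2")
    region.set_encapsulation("Gi4/3", 1, "encapsulation dot1q 2")
    print("MST1:", region.ports_in_instance(1))
    print("after re-encapsulation:", region.set_encapsulation("Gi4/1", 1, "encap dot1q 8"))
    print("MST1:", region.ports_in_instance(1), "MST2:", region.ports_in_instance(2))
```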

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. [no] bridge-domain bridge-id

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/port

or

interface tengigabitethernet slot/port

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:

slot/port—Specifies the location of the interface.

Step 4 

[no] service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

[no] bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Examples

In the following example, the two interfaces will now participate in MST instance 0, the default instance to which all VLANs are mapped:

Router# enable
Router# configure terminal
Router(config)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# interface g4/3
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# end

Verification

Run the following command to verify:

Router# show spanning-tree vlan 2 

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     0009.e91a.bc40
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     0009.e91a.bc40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1               Desg FWD 20000     128.1537 P2p
Gi4/3               Back BLK 20000     128.1540 P2p

In the following example, interface gi4/1 and interface gi4/3 are connected back-to-back. Each has a service instance (EFP) attached to it. The EFP on both interfaces has an encapsulation VLAN ID of 2. Changing the VLAN ID from 2 to 8 in the encapsulation directive for the EFP on interface gi4/1 stops the MSTP from running in the MST instance to which the old VLAN is mapped and starts the MSTP in the MST instance to which the new VLAN is mapped:

Router(config-if)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encap dot1q 8
Router(config-if-srv)# end

Run the following command to verify:

Router# show spanning-tree vlan 2

MST1
  Spanning tree enabled protocol mstp
  Root ID    Priority    32769
             Address     0009.e91a.bc40
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.e91a.bc40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/3             Desg FWD 20000     128.1540 P2p 

Router# show spanning-tree vlan 8

MST2
  Spanning tree enabled protocol mstp
  Root ID    Priority    32770
             Address     0009.e91a.bc40
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0009.e91a.bc40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1               Desg FWD 20000     128.1537 P2p

In the following example, interface gi4/3 with an EFP that has an outer encapsulation VLAN ID of 2 and a bridge domain of 100 receives a new service:

Router# enable
Router# configure terminal
Router(config)# interface g4/3
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encap dot1q 2 second-dot1q 100
Router(config-if-srv)# bridge-domain 200

Now there are two EFPs configured on interface gi4/3 and both of them have the same outer VLAN 2.

interface GigabitEthernet4/3
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 2
  bridge-domain 100
 !
 service instance 2 ethernet
  encapsulation dot1q 2 second-dot1q 100
  bridge-domain 200

The preceding configuration does not affect the MSTP operation on the interface; there is no state change for interface gi4/3 in the MST instance it belongs to.

Router# show spanning-tree mst 1  

##### MST1    vlans mapped:   2
Bridge        address 0009.e91a.bc40  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi4/3          Desg FWD 20000     128.1540 P2p

MAC Address Security for EVC Bridge Domain

Cisco 7600 series routers currently support port security on a per-port basis. For more information, see Configuring Port Security at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/port_sec.html.

The Media Access Control (MAC) Address Security for EVC Bridge Domain feature addresses port security with EVCs by providing the capability to control and filter MAC address learning behavior at the granularity of a per-EFP basis. For instance, when a violation requires a shutdown, only the customer assigned to a given EFP is affected rather than all customers using the port.

Port Security and the MAC Address Security for EVC Bridge Domain feature operate independently of each other. From the point of view of MAC Security, a secured port is not secure. From the point of view of Port Security, a secured EFP is not secure.

Cisco IOS Release 12.2(33)SRE adds support for MAC address security on EVC port-channels. This feature operates on a port-channel interface in a similar manner to how it works on a physical port. In each case, MAC security is configured on a service instance associated with a bridge domain. In the port-channel case, the service instance is configured on the port-channel rather than on a single physical port.

This section contains the following topics:

Restrictions and Usage Guideline

Enabling MAC Address Security for EVC Bridge Domain

Disabling MAC Address Security for EVC Bridge Domain on an EFP

Configuring MAC Address Whitelist on an EFP

Configuring Sticky MAC Addresses on an EFP

Configuring Secure MAC Address Aging on an EFP

Configuring MAC Address Limiting on EFP

Configuring MAC Address Limiting on a Bridge Domain

Configuring Violation Response on an EFP

Restrictions and Usage Guideline

When configuring MAC Address Security for EVC Bridge Domain, follow these restrictions and usage guidelines:

System wide, the following limits apply to the total configured whitelist and learned MAC addresses:

Total number of MAC addresses supported under MAC Security is limited to 32K.

Total number of MAC addresses supported under MAC Security, per bridge domain, is limited to 10K.

Total number of MAC addresses supported under MAC Security, per EFP, is limited to 1K.

You can configure or remove the various MAC security elements irrespective of whether MAC security is enabled on the EFP. However, these configurations will become operational only after MAC security is enabled.

Upon enabling the MAC Address Security for EVC Bridge Domain feature, existing MAC address table entries on the EFP are removed.

The MAC Address Security for EVC Bridge Domain feature can be configured on an EFP only if the EFP is a member of a bridge domain.

Currently, when MAC security is configured under a service instance, all packets received on the secured EFP get the DIL/DNL bits set in the DBUS header. For port-channel, this configuration is propagated to all member links in the port-channel. Consistent with the already implemented bridge domain EVC port-channel functionality, packets on a secured EFP may be received on any member link, but all egress packets are sent out one selected member link.

Enabling MAC Address Security for EVC Bridge Domain

This section describes how to enable MAC address security for EVC bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port [.subinterface-number] or interface tengigabitethernet slot/subslot/port [.subinterface-number] or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4 

service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7 

mac security

Example:

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example shows how to enable MAC address security for EVC bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security

Disabling MAC Address Security for EVC Bridge Domain on an EFP

This section describes how to disable MAC address security for EVC bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port [.subinterface-number] or interface tengigabitethernet slot/subslot/port [.subinterface-number] or interface port-channel number

4. service instance id Ethernet [service-name]

5. no mac security

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4 

service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

no mac security

Example:

Router(config-if-srv)# no mac security

Disables MAC Security on the EFP.

Examples

This example shows how to disable MAC address security for EVC bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# no mac security

Configuring MAC Address Whitelist on an EFP

This section describes how to configure whitelisted MAC addresses on an EFP that is a member of a bridge domain.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port [.subinterface-number] or interface tengigabitethernet slot/subslot/port [.subinterface-number] or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security address permit mac address

8. mac security

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.

Step 4 

service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7 

mac security address permit mac address

Example:

Router(config-if-srv)# mac security address permit 0000.1111.2222

Adds the specified MAC Address as a whitelist ("permit") MAC Address for the EFP.

Step 8 

mac security

Example:

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example shows how to configure whitelisted MAC addresses on an EFP that is a member of a bridge domain.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security address permit 0000.1111.2222
Router(config-if-srv)# mac security

Configuring Sticky MAC Addresses on an EFP

MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition. This section describes how to configure sticky MAC addresses on an EFP.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port [.subinterface-number] or interface tengigabitethernet slot/subslot/port [.subinterface-number] or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security sticky

8. mac security

DETAILED STEPS

 
Command / Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet, Ten Gigabit Ethernet, or port-channel interface to configure.

Step 4 

service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7 

mac security sticky

Example:

Router(config-if-srv)# mac security sticky

Enables sticky behavior on the EFP.

Step 8 

mac security

Example:

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example configures sticky MAC addresses on an EFP.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security

Configuring Secure MAC Address Aging on an EFP

This section shows how to configure aging of secured MAC addresses under MAC Security. Secured MAC addresses are not subject to the normal aging of MAC table entries in the system. If aging is not configured, secured MAC addresses are never aged out.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port [.subinterface-number] or interface tengigabitethernet slot/subslot/port [.subinterface-number] or interface port-channel number

4. service instance id Ethernet [service-name]

5. encapsulation dot1q vlan-id

6. bridge-domain bridge-id

7. mac security aging time m [inactivity]

8. mac security

DETAILED STEPS

 
Command / Purpose

Step 1 

enable

Example:
Router# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface gigabitethernet slot/subslot/port[.subinterface-number]

or

interface tengigabitethernet slot/subslot/port[.subinterface-number]

or

interface port-channel number

Example:

Router(config)# interface gigabitethernet 4/1

Specifies the Gigabit Ethernet, Ten Gigabit Ethernet, or port-channel interface to configure.

Step 4 

service instance id Ethernet [service-name]

Example:

Router(config-if)# service instance 101 ethernet

Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5 

encapsulation dot1q vlan-id

Example:

Router(config-if-srv)# encapsulation dot1q 13

Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6 

bridge-domain bridge-id

Example:

Router(config-if-srv)# bridge-domain 12

Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.

Step 7 

mac security aging time m [inactivity]

Example:

Router(config-if-srv)# mac security aging time 200

Sets the aging time for secure addresses to m minutes. The optional inactivity keyword specifies that the aging out of addresses is based on inactivity of the sending hosts (as opposed to absolute aging).

Step 8 

mac security

Example:

Router(config-if-srv)# mac security

Enables MAC Security on the EFP.

Examples

This example shows how to configure the aging time for secure addresses to 10 minutes.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10
Router(config-if-srv)# mac security

This example shows a configuration where the aging out of addresses is based on inactivity of the sending hosts. An address will age out if it is not seen for 10 minutes.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10 inactivity
Router(config-if-srv)# mac security

The mac security aging time command only ages out secure addresses that are learned. To enable aging out of whitelist or sticky addresses when the mac security aging time command is configured, use the mac security aging static command (applies aging controls to statically configured addresses) or the mac security aging sticky command (applies aging controls to persistent, that is, sticky, addresses). The configuration below shows an example of applying aging to a sticky address.

Router# enable
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security aging time 100
Router(config-if-srv)# mac security aging sticky
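The aging rules above are easy to get wrong across many EFPs: without mac security aging time, secured addresses never age out, and even with it, sticky and whitelist entries are left alone unless mac security aging sticky or mac security aging static is also present. The following Python script is an added example, not part of this guide or of any Cisco tooling: it parses a constructed IOS-style running-config excerpt and reports EFPs where mac security is enabled without aging, where sticky or whitelist entries are excluded from aging, and where mac security sub-commands exist but the feature itself is never enabled (Step 8 of each procedure). The sample configuration, the finding codes, and the indentation-based parsing rules are assumptions built only from the command forms shown in these procedures.

```python
"""Audit EFPs in an IOS-style running-config for MAC Security aging gaps."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed running-config excerpt (not taken from the guide); it mirrors the
# command forms shown in the procedures above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 100
  mac security
  mac security sticky
  mac security aging time 100
  mac security aging sticky
 !
 service instance 20 ethernet
  encapsulation dot1q 20
  bridge-domain 100
  mac security address permit 0000.1111.2222
  mac security
 !
interface GigabitEthernet2/1
 service instance 30 ethernet
  encapsulation dot1q 30
  bridge-domain 200
  mac security sticky
  mac security aging time 10 inactivity
 !
 service instance 40 ethernet
  encapsulation dot1q 40
  bridge-domain 200
  mac security address permit 0000.aaaa.bbbb
  mac security
  mac security aging time 10
 !
"""


@dataclass
class Efp:
    interface: str
    efp_id: int
    commands: List[str] = field(default_factory=list)


_IFACE_RE = re.compile(r"^interface (\S+)")
_EFP_RE = re.compile(r"^ service instance (\d+) ethernet")


def parse_efps(config: str) -> List[Efp]:
    """Group the EFP-submode commands of each service instance by interface."""
    efps, iface, efp = [], None, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        m = _IFACE_RE.match(raw)
        if m:
            iface, efp = m.group(1), None
            continue
        m = _EFP_RE.match(raw)
        if m and iface:
            efp = Efp(iface, int(m.group(1)))
            efps.append(efp)
            continue
        if efp is not None and raw.startswith("  "):  # EFP submode line
            efp.commands.append(raw.strip())
    return efps


def audit_efp(efp: Efp) -> List[str]:
    """Return finding codes for one EFP, based on the command semantics in this guide."""
    cmds = set(efp.commands)
    enabled = "mac security" in cmds
    uses_feature = any(c.startswith("mac security") for c in cmds)
    has_aging = any(c.startswith("mac security aging time") for c in cmds)
    has_whitelist = any(c.startswith("mac security address permit") for c in cmds)
    findings = []
    if uses_feature and not enabled:
        findings.append("NOT_ENABLED")        # sub-commands present, no 'mac security'
    if enabled and not has_aging:
        findings.append("NO_AGING")           # secured addresses will never age out
    if has_aging and "mac security sticky" in cmds and "mac security aging sticky" not in cmds:
        findings.append("STICKY_NOT_AGED")    # aging time does not reach sticky entries
    if has_aging and has_whitelist and "mac security aging static" not in cmds:
        findings.append("WHITELIST_NOT_AGED")  # aging time does not reach permit entries
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map 'interface/efp-id' to its findings, omitting clean EFPs."""
    result = {}
    for efp in parse_efps(config):
        codes = audit_efp(efp)
        if codes:
            result[f"{efp.interface}/{efp.efp_id}"] = codes
    return result


if __name__ == "__main__":
    for key, codes in audit_config(SAMPLE_CONFIG).items():
        print(key, ", ".join(codes))
```

Run against the sample, the script reports nothing for service instance 10 on GigabitEthernet1/1 (enabled, aged, sticky aging applied) and flags the other three EFPs; feed it the output of show running-config to apply the same checks to a real device.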

Configuring MAC Address Limiting on EFP

This section describes how to configure an upper limit for the number of secured MAC addresses allowed on an EFP. This includes addresses added as part of a whitelist, as well as dynamically learned MAC addresses. If the upper limit is decreased, one or more learned MAC entries may be removed. The default limit is 1.
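To make the interaction between the whitelist, sticky learning, the two aging modes and the address limit concrete, here is an added Python model of a single EFP's secure MAC table. It is not code from this guide or from Cisco: the class and method names, the constructed MAC addresses, the drop of a frame whose source MAC cannot be secured because the limit is reached, and the newest-first eviction order when the limit is lowered are all assumptions. The rest follows the statements in the sections above: the default limit is 1, whitelist entries count toward it, absolute aging is measured from when an address was learned while inactivity aging is measured from the last frame seen, and sticky or whitelist entries age only when mac security aging sticky or mac security aging static is configured.

```python
"""Model of one EFP's secure MAC table under 'mac security' (time in minutes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecureEntry:
    kind: str          # "static" (whitelist), "sticky" or "dynamic"
    learned_at: float  # reference point for absolute aging
    last_seen: float   # reference point for 'inactivity' aging


@dataclass
class EfpMacSecurity:
    # Hypothetical model; field names mirror the CLI keywords they stand for.
    limit: int = 1                      # default limit stated in the guide
    sticky: bool = False                # mac security sticky
    aging_time: Optional[float] = None  # mac security aging time m
    inactivity: bool = False            # ... inactivity keyword
    age_static: bool = False            # mac security aging static
    age_sticky: bool = False            # mac security aging sticky
    table: Dict[str, SecureEntry] = field(default_factory=dict)

    def permit(self, mac: str, now: float = 0.0) -> None:
        """mac security address permit <mac>: whitelist entry, counted against the limit."""
        self.table[mac] = SecureEntry("static", now, now)

    def ingress(self, mac: str, now: float) -> bool:
        """True if a frame from 'mac' is accepted. Assumption (not stated in this
        section): a new MAC that cannot be secured because the limit is reached is dropped."""
        self.age_out(now)
        entry = self.table.get(mac)
        if entry is not None:
            entry.last_seen = now
            return True
        if len(self.table) >= self.limit:
            return False
        self.table[mac] = SecureEntry("sticky" if self.sticky else "dynamic", now, now)
        return True

    def age_out(self, now: float) -> List[str]:
        """Remove entries older than aging_time (whitelist/sticky only when 'aging
        static'/'aging sticky' is set). Returns the removed MACs."""
        if self.aging_time is None:
            return []  # no aging configured: secured addresses never age out
        removed = []
        for mac, e in list(self.table.items()):
            if (e.kind == "static" and not self.age_static) or \
               (e.kind == "sticky" and not self.age_sticky):
                continue
            ref = e.last_seen if self.inactivity else e.learned_at
            if now - ref >= self.aging_time:
                removed.append(mac)
                del self.table[mac]
        return removed

    def set_limit(self, new_limit: int) -> List[str]:
        """Change the limit; when lowered, learned entries go until the table fits.
        Newest-first eviction is an assumption, not behaviour the guide specifies."""
        self.limit = new_limit
        evicted = []
        for mac, e in sorted(self.table.items(), key=lambda kv: -kv[1].learned_at):
            if len(self.table) <= new_limit:
                break
            if e.kind != "static":
                evicted.append(mac)
                del self.table[mac]
        return evicted


def demo() -> dict:
    """Exercise each behaviour from the guide with constructed MACs; returns observations."""
    out = {}
    # Whitelist with the default limit of 1: only the permitted host gets through.
    efp = EfpMacSecurity()
    efp.permit("0000.1111.2222")
    out["whitelist_host_ok"] = efp.ingress("0000.1111.2222", now=0)
    out["second_host_dropped"] = not efp.ingress("0000.3333.4444", now=0)
    # 'aging time 10' vs 'aging time 10 inactivity' for a host seen at 0, 4 and 8 min.
    absolute = EfpMacSecurity(limit=2, aging_time=10)
    inactive = EfpMacSecurity(limit=2, aging_time=10, inactivity=True)
    for t in (0, 4, 8):
        absolute.ingress("0000.aaaa.0001", now=t)
        inactive.ingress("0000.aaaa.0001", now=t)
    out["absolute_aged_at_12"] = absolute.age_out(12)    # 12 min since learned: aged
    out["inactivity_aged_at_12"] = inactive.age_out(12)  # last seen 4 min ago: kept
    # Sticky entries ignore 'aging time' until 'mac security aging sticky' is added.
    s_plain = EfpMacSecurity(sticky=True, aging_time=100)
    s_aged = EfpMacSecurity(sticky=True, aging_time=100, age_sticky=True)
    s_plain.ingress("0000.bbbb.0001", now=0)
    s_aged.ingress("0000.bbbb.0001", now=0)
    out["sticky_kept"] = s_plain.age_out(500)
    out["sticky_aged"] = s_aged.age_out(500)
    # Lowering the limit evicts learned entries; the whitelist entry stays.
    lim = EfpMacSecurity(limit=3)
    lim.permit("0000.1111.2222")
    lim.ingress("0000.cccc.0001", now=1)
    lim.ingress("0000.cccc.0002", now=2)
    out["evicted_by_limit"] = lim.set_limit(1)
    out["whitelist_survives"] = "0000.1111.2222" in lim.table
    return out
```

Calling demo() walks through the four behaviours in order; the aging comparison is the one worth studying, since a host that keeps talking survives under inactivity aging but is still flushed under absolute aging once the configured minutes have elapsed since it was learned.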

SUMMARY STEPS

1. enable

2. configure terminal

3. interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet slot/subslot/port