-
Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) Line Card Configuration Guide
-
Preface
-
Overview of the Cisco 7600 Series Ethernet Services 40G Line Card
-
Configuring the Cisco 7600 Series Ethernet Services 40G Line Card
-
Configuring High Availability Features
-
Configuring Layer 1 and Layer 2 Features
-
Configuring Multicast Features
-
Configuring MPLS Features
-
Configuring QoS Features
-
Troubleshooting the Cisco 7600 Series Ethernet Service + Line Card
-
Upgrading Field-Programmable Devices
-
Configuring IPoDWDM
-
Configuring Automatic Laser Shutdown
-
Network Clocking on Cisco 7600 Series Ethernet Services Plus Line Cards
-
Configuring Layer 3 and Layer 4 Features
-
Table Of Contents
Configuring Layer 1 and Layer 2 Features
Cisco 7600 Synchronous Ethernet Support
Synchronization Status Message
Ethernet Synchronization Messaging Channel
Restrictions and Usage Guidelines
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
Configuring the Clock Recovery from SyncE
Configuring the Clock Recovery from BITS Port
Configuring the System to External
Configuring the Line to External
Managing Synchronization on ES+ Card
Troubleshooting the Synchronous Ethernet configuration
Flexible QinQ Mapping and Service Awareness
Restrictions and Usage Guidelines
Selective QinQ with Layer 2 Switching
Double Tag Translation (2-to-2 Tag Translation)
Double Tag Termination (2 to 1 Tag Translation)
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
Restrictions and Usage Guidelines
Single Tag Termination Example
Single Tag Translation Example
Double Tag Termination Configuration Example
Double-Tag Translation Configuration Example
Selective QinQ Configuration Example
Untagged Traffic Configuration Example
MPBE with Split Horizon Configuration Example
Backup Interface for Flexible UNI
Restriction and Usage Guidelines
Restrictions and Usage Guidelines
Restrictions and Usage Guidelines
LACP Support for EVC Port Channel
Restrictions and Usage Guidelines
Configuring Layer 2 Access Control Lists (ACLs) on an EVC
Restrictions and Usage Guidelines
Creating a Layer 2 Access Control List
Applying a Layer 2 Access Control List
DHCP Snooping with Option-82 on EVC
Restrictions and Usage Guidelines
DHCP Snooping State Synchronization
Restrictions for DHCP Snooping over p-mLACP
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization
IGMP Snooping State Synchronization
Restrictions for p-mLACP IGMP Snooping State Synchronization
IP Source Guard for Service Instance
Restrictions and Usage Guidelines
Configuring IP Source Guard for a Service Instance
Configuring MST on EVC Bridge Domain
Overview of MST on EVC Bridge Domain
Restrictions and Usage Guidelines
Configuring Link State Tracking (LST)
Restrictions and Usage Guidelines
Configuring Link State Tracking
Troubleshooting the Link State Tracking
MAC Address Security for EVC Bridge Domain
Restrictions and Usage Guidelines
Enabling MAC Address Security for EVC Bridge Domain
Disabling MAC Address Security for EVC Bridge Domain on an EFP
Configuring MAC Address Whitelist on an EFP
Configuring Sticky MAC Addresses on an EFP
Configuring Secure MAC Address Aging on an EFP
Configuring MAC Address Limiting on EFP
Configuring MAC Address Limiting on a Bridge Domain
Configuring Violation Response on an EFP
Restrictions and Usage Guidelines
Configuring PVST and CFM Co-Existence
Configuring GVRP and CFM Co-Existence
Configuring PVST and GVRP Co-Existence
Custom Ethertype for EVC Interfaces
Supported Rewrite Rules for a Custom Ethertype Configuration
Supported Rewrites for Non-Range on C-Tag with a NNI
Supported Rewrites for Range on C-Tag with a NNI
Restrictions and Usage Guidelines
Single Tag Encap with Connect with Custom Ethertype Configured
Single Tag Encap with Bridge Domain
Single Tag Encap with XConnect
Custom Ethertype Support with Sub Interfaces
GE LAG with LACP on UNI with Advanced Load Balancing
Restrictions and Usage Guidelines
Configuring GE Link Aggregation with Advanced Load Balancing
Troubleshooting Load Balancing Features
Storm Control on Switchports and Ports Having EVCs
Restrictions and Usage Guidelines
Configuring Storm Control on Ports with EVC Configurations
Configuring Storm Control on Switchports
Configuring Storm Control on Port Channels
Restrictions for Storm Control over EVC
Configuring Storm Control over EVC
Restrictions and Usage Guidelines
Configuring Asymmetric Carrier Delay
Manual Load Balancing for EVC over Port-Channel/LACP
Restrictions and Usage Guidelines
Configuring Manual Load Balancing for EVC over Port-Channel/LACP
EVC Port Channel Per Flow Load Balancing
Configuring EVC Port Channel Per Flow Load Balancing
Configuring Layer 3 and Layer 4 ACLs
Pseudo MLACP Support on Cisco 7600
Restrictions for PMLACP on Cisco 7600
Configuring PMLACP on Cisco 7600
Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Restrictions and Usage Guidelines
Configuring Reverse L2GP for 7600
Configuring the RL2GP Instance
Attaching the RL2GP Instance to a Port
Configuring the VPLS Pseudo Wire
Configuring Static MAC Binding to EVCs and Psuedowires
Restrictions and Usage Guidelines
Configuring Static MAC over EFP for the Cisco 7600 Router
Configuring MPLS on Core-Facing Interface
Configuring Static MAC over Pseudowire for the Cisco 7600 Router
Configuring Resilient Ethernet Protocol
Configuring REP over Ethernet Virtual Circuit
Restrictions and Usage Guidelines
Configuring REP over EVC for the Cisco 7600 Router
Configuring REP over EVC using cross-connect on the Cisco 7600 Router
Configuring REP over EVC using connect for the Cisco 7600 Router
Configuring REP over EVC using bridge-domain for the Cisco 7600 Router
Configuring Resilient Ethernet Protocol Configurable Timers
Restrictions and Usage Guidelines
Configuring REP Configurable Timers for the Cisco 7600 Router
Configuring the REP Link Status Layer Retries
Configuring the REP Link Status Layer Age Out Timer
IEEE 802.1ag-2007 Compliant CFM
Restrictions and Usage Guidelines
CFM over EFP Interface with xconnect
Restrictions and Usage Guidelines
Configuring CFM over EFP with xconnect for the Cisco 7600 Router
Configuring CFM over EFP Interface with Cross Connect—Basic Configuration
Configuring CFM over EFP Interface with Cross Connect—Single Tag VLAN Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Double Tag VLAN Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Selective QinQ Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Port-Based Cross Connect Tunnel
Configuring CFM over EFP Interface with Cross Connect—Port Channel-Based Cross Connect Tunnel
Configuring CFM over EFP Interface with xconnect—Port Channel-Based xconnect Tunnel
802.1ah: Configuring the MAC Tunneling Protocol
Restrictions and Usage Guidelines
Configuring the MTP for the Cisco 7600 Router
802.3ah: Dying Gasp and Remote Loopback Initiation
Restrictions for Dying Gasp and Remote Loopback Initiation
Configuring the Remote Loopback
Prerequisites for IEEE 802.1ad
Information About IEEE 802.1ad
MAC Addresses for Layer 2 Protocols
Interoperability of QinQ and Dot1ad
Configuring a Layer 2 Protocol Forward
Configuring a Switchport for Translating QinQ to 802.1ad
Configuring a Switchport (L2PT)
Configuring a Customer-Facing UNI-C Port with EVC
Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC
Configuring a Customer-Facing UNI-S Port with EVC
Configuring a Layer 3 Termination
Displaying a Dot1ad Configuration
Frame Delay and Frame Delay Variation
Frame Loss Ratio and Availability
Restrictions and Usage Guidelines
Configuring One Way Delay Measurement
Configuring Two-Way Delay Measurement
Configuring Single Ended Frame Loss Measurement
Verifying the Frame Delay and Frame Loss Measurement Configurations
PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)
PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer Ethertype
Restrictions and Usage Guidelines
Per Subscriber Session Call Admission Control (CAC)
Configuring Per Subscriber Session CAC
Verifying and Monitoring Per Subscriber Session CAC
Configuring Private Host on Pseudoport on CWAN Cards
Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs
Restrictions and Usage Guidelines
Configuring UDLD Aggressive Mode
Enabling UDLD on Ports With EVC Configured
Disabling Individual UDLD on Ports With EVC Configured
Resetting Disabled UDLD on Ports With EVC Configured
Dynamic Ethernet Service Activation
Restrictions and Usage Guidelines
Configuring Dynamic Ethernet Service Activation Support on C7600
Configuring DESA for a Dynamic Ethernet Session
Configuration Steps for a Static Ethernet Session
Control Plane Protection on Non Access Subinterfaces
Restrictions and Usage Guidelines
Configuring COPP on a Non Access Subinterface
Verifying COPP on a Non Access Sub Interface
BFD Scale Improvement on ES+ Line Card for 7600
BFD Sessions Supported on RSP720 Versions
Restrictions for BFD Scale Improvement
Configuring BFD Hardware Offload for 7600
Troubleshooting BFD Hardware Offload
Configuring Layer 1 and Layer 2 Features
This chapter provides information about configuring layer 1 and layer 2 features on the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series router. It includes the following topics:
•
Cisco 7600 Synchronous Ethernet Support
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
For more information about the commands used in this chapter, see the Cisco IOS Release 12.2 SR Command References at http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html.
Note
Note
1. ES20 and ES+ cross-bundling is not supported.
2. Any LAN card, and ES20/ES+ cross-bundling is not supported.
Cisco 7600 Synchronous Ethernet Support
Synchronous Ethernet (SyncE) defined by the ITU-T standards such as G.8261 and G.8262 leverages the PHY layer of Ethernet to transmit clock information to the remote sites. SyncE over Ethernet provides a cost-effective alternative to the SONET networks. For SyncE to work, each network element along the synchronization path must support SyncE. To implement SyncE, the Bit clock of the Ethernet is aligned to a reliable clock traceable to Primary Reference Clock (PRC).
SyncE is implemented on an ES+ card for Cisco 7600 series routers. An ES+ card has a dedicated external interface known as BITs interface to recover clock from a Synchronization Supply Unit (SSU). The 7600 router uses this clock for SyncE. The BITS interface supports E1(European SSUs) and T1 (American BITS) framing. Table 4-1 lists the framing modes for BITS port on an ES+ card:
Table 4-1 Framing Modes for BITS Port on an ES+ card
Table 4-2 lists the External Timing Input and Output Pinouts:
Table 4-2 External Timing Input and Output Pinout
1
Rx Ring
2
Receive (Rx) Tip
3
Not used
4
Tx Ring
5
Transmit (Tx) Tip
6
Not used
7
Not used
8
Not used
Note
You can implement SyncE on an ES+ card with four different configurations:
•
•
•
•
The SyncE enabled ES+ line card provides the squelching functionality, where an Alarm indication Signal (AIS) is sent to the Tx interfaces if the clock source goes down. The squelching functionality is implemented in two cases:
•
•
Squelching is performed only towards an external device such as SSU or PRC.
You can have a maximum of six clock sources for a 7600 Router and a maximum of 4 clock sources on an ES+ card. The clock source with highest priority is made the default clock source. You can manage the clock sources on an ES+ card by changing the priority of the clock sources. You can also manage the synchronization on ES+ cards using the following management options:
•
•
•
•
SSM and ESMC
Network Clocking uses these mechanisms to exchange the quality level of the clock between the network elements:
•
•
Synchronization Status Message
Network elements use Synchronization Status Messages (SSM) to inform the neighboring elements about the Quality Level (QL) of the clock. The non-ethernet interfaces such as optical interfaces and SONET/T1/E1 SPA framers uses SSM. The key benefits of the SSM functionality:
•
•
•
Ethernet Synchronization Messaging Channel
In order to maintain a logical communication channel in synchronous network connections, ethernet relies on a channel called Ethernet Synchronization Messaging Channel (ESMC) based on IEEE 802.3 Organization Specific Slow Protocol standards. ESMC relays the SSM code that represents the quality level of the Ethernet Equipment Clock (EEC) in a physical layer.
The ESMC packets are received only for those ports configured as clock sources and transmitted on all the SyncE interfaces in the system. These packets are then processed by the Clock selection algorithm on RP and are used to select the best clock. The Tx frame is generated based on the QL value of the selected clock source and sent to all the enabled SyncE ports.
Clock Selection Algorithm
Clock selection algorithm selects the best available synchronization source from the nominated sources. The clock selection algorithm has a non-revertive behavior among clock sources with same QL value and always selects the signal with the best QL value. For clock option 1, the default is revertive and for clock option 2, the default is non-revertive.
The clock selection process works in the QL enabled and QL disabled modes. When multiple selection processes are present in a network element, all processes work in the same mode.
QL-enabled mode
In QL-enabled mode, the following parameters contribute to the selection process:
•
•
•
•
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest quality level that does not experience a signal fail condition. If multiple inputs have the same highest quality level, the input with the highest priority is selected. For multiple inputs having the same highest priority and quality level, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary reference from this group is selected.
QL-disabled mode
In QL-disabled mode, the following parameters contribute to the selection process:
•
•
•
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest priority that does not experience a signal fail condition. For multiple inputs having the same highest priority, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary reference from this group is selected.
Hybrid mode
The SyncE feature requires that each network element along the synchronization path needs to support SyncE. Timing over Packet (ToP) enables transfer of timing over an asynchronous network. The hybrid mode uses the clock derived from 1588 (PTP) to drive the system clock. This is achieved by configuring the Timing over Packet (ToP) interface on the PTP slave as the input source.
Note
The ES+ is a family of fixed-port SyncE line cards supporting 20 and 40 gbps bandwidth for the 7600 series routers. The following ES+ cards support SyncE:
•
•
•
•
•
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring the SyncE on an ES40 line card:
•
•
•
•
•
•
•
•
•
•
•
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
This section describes how to configure SyncE for Cisco 7600 Router. SyncE is implemented on Cisco 7600 router using four different configurations:
•
•
•
•
Configuring the Clock Recovery from SyncE
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from SyncE method.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Examples
This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:
Router>enableRouter# configure terminalRouter(config)# network-clock synchronization automaticRouter(config)# network-clock synchronization ssm option 2 GEN1Router(config)# int gig 5/1Router(config-if)# clock source lineRouter(config-if)# synchronous modeRouter(config)# exitRouter(config)# network-clock input-source 1 interface TenGigabitEthernet7/1Router(config)# exitConfiguring the Clock Recovery from BITS Port
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from BITS port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Examples
This example shows how to configure clock recovery from BITS port for Cisco 7600 Routers:
Router>enableRouter# configure terminalRouter(config)# network-clock synchronization automaticRouter(config)# network-clock synchronization ssm option 2 GEN1Router(config)# network-clock input-source 1 External 7/0/0 t1 sfRouter(config)# exitConfiguring the System to External
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using System to External method.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Examples
This example shows how to configure system to external clocking for Cisco 7600 Routers:
Router>enableRouter# configure terminalRouter(config)# network-clock synchronization automaticRouter(config)# network-clock synchronization ssm option 2 GEN1Router(config)# network-clock input-source 1 External 7/0/0 t1 sfRouter(config)# exitThis example shows how to configure clock clean-up using an SSU:
Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0 t1 sfRouter(config)# network-clock input-source 1 External 7/0/0 t1 sfConfiguring the Line to External
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using Line to External method.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Examples
This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:
Router>enableRouter# configure terminalRouter(config)# network-clock synchronization automaticRouter(config)# network-clock synchronization ssm option 2 GEN1Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1Router(config)# int gig 5/1Router(config-if)# clock source lineRouter(config-if)# synchronous modeRouter(config)# exitRouter(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0Router(config)# exitManaging Synchronization on ES+ Card
Manage the synchronization on ES+ cards with these management commands:
•
Router(config)# network-clock synchronization mode QL-enabled•
Router(config)# esmc process•
Router(config-if)# esmc mode tx•
–
–
–
Use the network-clock quality-level command in global configuration mode to configure the QL value for SSM on BITS port. The following example shows how to configure network-clock quality-level in global configuration mode:
Router(config)# network-clock quality-level rx QL-PRC interface ToP3/0/20The following example shows how to configure network-clock source quality-level in interface configuration mode:
Router(config-if)# network-clock source quality-level QL-PRC•
Router(config)# network-clock wait-to-restore 10 globalThe following example shows how to configure the wait-to-restore timer in interface configuration mode:
Router(config)# int ten 7/1Router(config-if)# network-clock wait-to-restore 10•
Router(config)# network-clock hold-off 50 global•
Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1•
Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1•
Router(config)# network-clock clear switch t0•
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1The following example shows how to clear lock-out on a clock source:
Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1Verification
Use the following commands to verify the SyncE configuration:
•
Router# show network-clocks synchronizationSymbols: En - Enable, Dis - Disable, Adis - Admin DisableNA - Not Applicable* - Synchronization source selected# - Synchronization source force selected& - Synchronization source manually switchedAutomatic selection process : EnableEquipment Clock : 2048 (EEC-Option1)Clock Mode : QL-EnableESMC : EnabledSSM Option : 1T0 : TenGigabitEthernet12/1Hold-off (global) : 300 msWait-to-restore (global) : 300 secTsm Delay : 180 msRevertive : NoNominated InterfacesInterface SigType Mode/QL Prio QL_IN ESMC Tx ESMC RxInternal NA NA/Dis 251 QL-SEC NA NA*Te12/1 NA Sync/En 1 QL-PRC - -AT6/0/0 NA NA/En 1 QL-SSU-A NA NA•
Router# show network-clocks synchronization detailSymbols: En - Enable, Dis - Disable, Adis - Admin DisableNA - Not Applicable* - Synchronization source selected# - Synchronization source force selected& - Synchronization source manually switchedAutomatic selection process : EnableEquipment Clock : 2048 (EEC-Option1)Clock Mode : QL-EnableESMC : EnabledSSM Option : 1T0 : TenGigabitEthernet12/1Hold-off (global) : 300 msWait-to-restore (global) : 300 secTsm Delay : 180 msRevertive : NoForce Switch: FALSEManual Switch: FALSENumber of synchronization sources: 2sm(netsync NETCLK_QL_ENABLE), running yes, state 1ALast transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (sf_change)-> 1A (ql_change)-> 1ANominated InterfacesInterface SigType Mode/QL Prio QL_IN ESMC Tx ESMC RxInternal NA NA/Dis 251 QL-SEC NA NA*Te12/1 NA Sync/En 1 QL-PRC - -AT6/0/0 NA NA/En 1 QL-SSU-A NA NAInterface:---------------------------------------------Local Interface: InternalSignal Type: NAMode: NA(Ql-enabled)SSM Tx: DisableSSM Rx: DisablePriority: 251QL Receive: QL-SECQL Receive Configured: -QL Receive Overrided: -QL Transmit: -QL Transmit Configured: -Hold-off: 0Wait-to-restore: 0Lock Out: FALSESignal Fail: FALSEAlarms: FALSESlot Disabled: FALSELocal Interface: Te12/1Signal Type: NAMode: Synchronous(Ql-enabled)ESMC Tx: EnableESMC Rx: EnablePriority: 1QL Receive: QL-PRCQL Receive Configured: -QL Receive Overrided: -QL Transmit: QL-DNUQL Transmit Configured: -Hold-off: 300Wait-to-restore: 300Lock Out: FALSESignal Fail: FALSEAlarms: FALSESlot Disabled: FALSELocal Interface: AT6/0/0Signal Type: NAMode: NA(Ql-enabled)SSM Tx: EnableSSM Rx: EnablePriority: 1QL Receive: QL-SSU-AQL Receive Configured: -QL Receive Overrided: -QL Transmit: -QL Transmit Configured: -Hold-off: 300Wait-to-restore: 300Lock Out: FALSESignal Fail: FALSEAlarms: FALSESlot Disabled: FALSE•
Router# show esmcInterface: TenGigabitEthernet12/1Administative configurations:Mode: SynchronousESMC TX: EnableESMC RX: EnableQL TX: -QL RX: -Operational status:Port status: UPQL Receive: QL-PRCQL Transmit: QL-DNUQL rx overrided: -ESMC Information rate: 1 packet/secondESMC Expiry: 5 secondInterface: TenGigabitEthernet12/2Administative configurations:Mode: SynchronousESMC TX: EnableESMC RX: EnableQL TX: -QL RX: -Operational status:Port status: UPQL Receive: QL-DNUQL Transmit: QL-DNUQL rx overrided: QL-DNUESMC Information rate: 1 packet/secondESMC Expiry: 5 second•
Router# show esmc detailInterface: TenGigabitEthernet12/1Administative configurations:Mode: SynchronousESMC TX: EnableESMC RX: EnableQL TX: -QL RX: -Operational status:Port status: UPQL Receive: QL-PRCQL Transmit: QL-DNUQL rx overrided: -ESMC Information rate: 1 packet/secondESMC Expiry: 5 secondESMC Tx Timer: RunningESMC Rx Timer: RunningESMC Tx interval count: 1ESMC INFO pkts in: 2195ESMC INFO pkts out: 6034ESMC EVENT pkts in: 1ESMC EVENT pkts out: 16Interface: TenGigabitEthernet12/2Administrative configurations:Mode: SynchronousESMC TX: EnableESMC RX: EnableQL TX: -QL RX: -Operational status:Port status: UPQL Receive: QL-DNUQL Transmit: QL-DNUQL rx overrided: QL-DNUESMC Information rate: 1 packet/secondESMC Expiry: 5 secondESMC Tx Timer: RunningESMC Rx Timer: RunningESMC Tx interval count: 1ESMC INFO pkts in: 0ESMC INFO pkts out: 2159ESMC EVENT pkts in: 0ESMC EVENT pkts out: 10Troubleshooting the Synchronous Ethernet configuration
The following debug commands are available for troubleshooting the Synchronous Ethernet configuration on the Cisco 7600 ES+ Line Card:
Troubleshooting Scenarios
Note
Troubleshooting
Table 4-3 provides the troubleshooting solutions for the synchronous ethernet feature.
Table 4-3 Troubleshooting Scenarios
Flexible QinQ Mapping and Service Awareness
Flexible QinQ Mapping and Service Awareness allows service providers to offer triple-play services, residential Internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.
The access node connects to the DSLAM through the Cisco 7600 Series ES+ line cards. This provides a flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to different services.
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards is supported only through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.
Figure 4-1 shows a typical metro architecture where the access router facing the DSLAM provides VLAN translation (selective QinQ) and grooming functionality and where the service routers (SR) provide QinQ termination into a Layer 2 or Layer 3 service.
Figure 4-1 Metro Architecture
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards provides the following functionality:
•
–
–
–
Note
•
–
•
•
–
–
–
•
For the Cisco 7600 Series ES+ line card, the subinterface gets a hidden VLAN (a VLAN that is not configured and is allocated internally) associated to the subinterface. The hidden VLAN number has no correlation with the encapsulation VLAN (the VLAN visible to the user or in the wire). Because the encapsulation is local to the port, you can have the same encapsulation VLAN in multiple ports.
•
•
•
–
–
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring Flexible QinQ Mapping and Service Awareness on the Cisco 7600 Series ES+ line cards:
•
–
–
–
–
Example 1
service instance 1 eth
encap dot1q 100TCAMS used - 1
Example 2
service instance 1 eth
encap dot1q 200 second dot1q 300TCAMs used - 1
Example 3
service instance 1 eth
encap dot1q 201, 202TCAMs used - 2 (one for each encapsulation)
Example 4
service instance 1 eth
encap dot1q 20-40TCAMs used - 4
First entry to match vlans 20-23
Second entry to match vlans 24-31
Third entry to match vlans 32-39
Fourth entry to match vlan 40A range does not always mean multiple TCAMs as shown in this example where only one TCAM entry is used.
Example 5
service instance 1 ethernet
encap dot1q 8-15
service instance 2 ethernet
encap dot1q 2000 second-dot1q 96-127TCAMs used per EVC : 1
–
–
–
–
–
–
•
–
–
–
–
–
•
–
–
–
•
–
–
–
–
–
–
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Examples
Single Tag VLAN Connect
This example shows an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with a dot1q tag of 11. No MAC learning is involved.
Note
This example shows a typical configuration of a DSLAM facing port of the first PE router.
! DSLAM facing portRouter# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag pop 1 symmetric!L2 facing portRouter(config)# interface TenGigabitEthernet 1/2Router(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 11Router(config-if-srv)# rewrite ingress tag pop 1 symmetric! connect serviceRouter(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101Double Tag VLAN Connect
In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with an outer dot1q tag of 11 and inner tag 21. No MAC learning is involved.
This example shows a typical configuration of a MPLS core facting port of the first PE router..
! DSLAM facing portRouter# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 10 second-dot1q 20Router(config-if-srv)# rewrite ingress tag pop 2 symmetric!L2 facing portRouter(config)# interface TenGigabitEthernet 1/2Router(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 11 second-dot1q 21Router(config-if-srv)# rewrite ingress tag pop 2 symmetric! connect serviceRouter(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101Selective QinQ with Xconnect
This configuration uses EoMPLS under the single tag subinterface to forward packets. This example shows a typical configuration of a MPLS core facting port of the second PE router.
DSLAM facing port
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 10-20,30,50-60Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect!Router(config)# interface Loopback1Router(config-if)# ip address 1.1.1.1 255.255.255.255MPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1Router(config-if)# ip address 192.168.1.1 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# mpls label protocol ldpMPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1Router(config-if)# ip address 192.168.1.2 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# mpls label protocol ldp!Router(config)# interface Loopback1Router(config-if)# ip address 2.2.2.2 255.255.255.255CE facing EoMPLS configuration
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/2Router(config-if)# service instance 1000Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q anyRouter(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnectSelective QinQ with Layer 2 Switching
This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism is the same as MPBE; only the rewrites for each service instance are different.
DSLAM facing port, single tag incoming
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 10-20Router(config-if-srv)# bridge-domain 11QinQ VLAN
Router(config)# interface TenGigabitEthernet 1/2Router(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk vlan allow 11Double Tag Translation (2-to-2 Tag Translation)
In this configuration, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge domain VLAN.
QinQ facing port
Router(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 100 second-dot1q 10Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetricRouter(config-if-srv)# bridge-domain 200QinQ VLAN
Router(config)# interface TenGigabitEthernet 1/2Router(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 200 second-dot1q 20Router(config-if-srv)# bridge-domain 200Double Tag Termination (2 to 1 Tag Translation)
The configuration in this example uses the Layer 2 switching.
Double tag traffic
Router(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 200 second-dot1q 20Router(config-if-srv)# rewrite ingress tag pop 2 symmetricRouter(config-if-srv)# bridge-domain 10!Router(config)# interface TenGigabitEthernet 1/2Router(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 10!Router(config)# interface TenGigabitEthernet 1/3Router(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 30Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 10Verification
Use these commands to verify operation.
Troubleshooting
Use these debug commands to troubleshoot Flexible QinQ feature.
Debug commands
Table 4-4 provides the troubleshooting solutions for the Flexible mapping feature.
Table 4-4
Troubleshooting Flexible mapping feature
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
MultiPoint Bridging over Ethernet (MPBE) on Cisco 7600 Series ES+ line cards provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.
For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain traffic packets from one service instance to another. Filtering occurs before and after the rewrite to ensure that the packet goes only to the intended service instance.
You can use MPBE to:
•
•
•
•
•
•
•
MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:
•
•
•
•
•
•
•
Restrictions and Usage Guidelines
When configuring the MPBE over Ethernet on Cisco 7600 Series ES+ line cards, follow these restrictions and usage guidelines:
•
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
Single Tag Termination Example
In this example, the single tag termination identifies customers based on a single VLAN tag and maps the single-VLAN tag to the bridge-domain.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 12Single Tag Tunneling Example
In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the packet.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# bridge-domain 200Single Tag Translation Example
In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to the packet.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 3/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetricRouter(config-if-srv)# bridge-domain 200Double Tag Tunneling Example
In this double tag tunneling example, the incoming VLAN tags are not removed but continue with the packet.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10 second-dot1q 20Router(config-if-srv)# bridge-domain 200Double Tag Termination Configuration Example
In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN; the double tags are stripped (terminated) from the packet.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 2/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 10 inner 20Router(config-if-srv)# rewrite ingress tag pop 2 symmetricRouter(config-if-srv)# bridge-domain 200Router(config-if)# service instance 2Router(config-if-srv)# encapsulation dot1q 40 inner 30Router(config-if-srv)# rewrite ingress tag pop 2 symmetricRouter(config-if-srv)# bridge-domain 200Double-Tag Translation Configuration Example
In this example, double tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer-2-switched to the bridge-domain VLAN.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 10 second-dot1q 20Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second dot1q 30 symmetricRouter(config-if-srv)# bridge-domain 200Router(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 40 second-dot1q 30Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second dot1q 20 symmetricRouter(config-if-srv)# bridge-domain 200Selective QinQ Configuration Example
In this example, a range of VLANs is configured and plugged into a single MPB VC.
Router# enableRouter# configure terminalRouter(config)# interface TenGigabitEthernet 1/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 10-20Router(config-if-srv)# bridge-domain 200Router(config)# interface TenGigabitEthernet 2/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 10-20Router(config-if-srv)# bridge-domain 200Untagged Traffic Configuration Example
In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# no ip addressRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation untaggedRouter(config-if-srv)# bridge-domain 11Router(config)# interface TenGigabitEthernet 1/1Router(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 11MPBE with Split Horizon Configuration Example
In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from which the traffic originated.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# no ip addressRouter(config-if)# service instance 1000 ethernetRouter(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20Router(config-if-srv)# bridge-domain 100 split-horizonRouter(config-if)# service instance 1001 ethernetRouter(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30Router(config-if-srv)# bridge-domain 101 split-horizonRouter(config-if)# service instance 1010 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# rewrite ingress tag symmetric translate 1-to-2 dot1q 10 second-dot1q 100 symmetricRouter(config-if-srv)# bridge-domain 10 split-horizonRouter(config-if)# mls qos trust dscpIn this example, service instances are configured on Ethernet interfaces and terminated on the bridge domain.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 1000Router(config-if-srv)# bridge-domain 10Router(config)# interface GigabitEthernet 1/1Router(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 10Verification
Use these commands to verify operation.
Backup Interface for Flexible UNI
The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.
You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs are designated as primary and backup and have identical configurations. If the primary interface fails, the service is automatically transferred to the backup interface.
Figure 4-2 shows an example of how Flexible UNIs can be used when the Cisco 7600 series router is configured as a dual-homed N-PE (NPE1) and as a dual-homed U-PE (UPE2).
Figure 4-2 Backup Interface for Dual-Homed Devices
Note
The primary interface is the interface for which you configure a backup. During operation, the primary interface is active and the backup (secondary) interface operates in standby mode. If the primary interface goes down (due to loss of signal), the router begins using the backup interface.
While the primary interface is active (up) the backup interface is in standby mode. If the primary interface goes down, the backup interface transitions to the up state and the router begins using it in place of the primary. When the primary interface comes back up, the backup interface transitions back to standby mode. While in standby mode, the backup interface is effectively down and the router does not monitor its state or gather statistics for it.
This feature provides the following benefits:
•
–
–
–
–
•
•
The Backup Interface for Flexible UNI feature makes use of these Ethernet components:
•
•
Restriction and Usage Guidelines
Observe these restrictions and usage guidelines as you configure a backup interface for Flexible UNI on the router:
•
–
–
–
•
•
Note
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
Note
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Step 1
enable
Example:Router# enableEnables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
Router(config)# interface type slot/port
Example:Router(config)# interface gigabitethernet 3/1
Selects the primary interface. This is the interface you are creating a backup interface for. For example, interface gigabitEthernet 3/1 selects the interface for port1 of the Gigabit Ethernet card installed in slot 3.
•
•
Step 4
Router(config-if)# backup interface type interface
Example:Router(config)# backup interface gigabitethernet 4/1
Selects the interface to serve as a backup interface.
Note
Step 5
Router(config-if)# backup delay enable-delay disable-delay
Example:Router(config-if)# backup delay 0 0
(Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.
•
•
Note
Step 6
Router(config-if)# backup load enable-percent disable-percent
Example:Router(config-if)# backup load 50 10
(Optional) Specifies the thresholds of traffic load on the primary interface (as a percentage of the total capacity) at which to enable and disable the backup interface.
•
•
Applying the settings from the example to a primary interface with 10-Mbyte capacity, the router enables the backup interface when traffic load on the primary exceeds 5 mb (50%), and disables the backup when combined traffic on both interfaces falls below 1 Mbyte (10%).
Step 7
exit
Example:Router(config-if)# exit
Exits interface configuration mode and returns to global configuration mode.
Step 8
Router(config)# connect primary interface srv-inst interface srv-inst
Example:Router(config-if)# connect primary gi3/2 gi3/3
(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.
The connect primary command creates a connection between primary interfaces.
Step 9
Router(config)# connect backup interface srv-inst interface srv-inst
Example:Router(config-if)# connect backup gi4/2 gi4/2
(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.
The connect backup command creates a connection between backup interfaces.
Step 10
Router(config)# connect primary interface srv-inst1 interface srv-inst2
Example:Router(config-if)# connect primary gi3/2 gi3/3
(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect primary command to create a connection on a primary interface.
Step 11
Router(config)# connect backup interface srv-inst1 interface srv-inst2
Example:Router(config-if)# connect backup gi4/2 gi4/3
(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect backup command to create a connection on a backup interface.
Step 12
exit
Example:Router(config-if)# exit
Exits interface configuration mode.
Note
The following example shows a sample configuration in which:
•
•
•
Router# enableRouter# configure terminalRouter(config)# interface gi3/1Router(config-if)# backup interface gi4/1Router(config-if)# service instance 4 ethernetRouter(config-if-srv)# encapsulation dot1q 4Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 4Router(config-if-srv)# exitRouter(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# xconnect 10.0.0.0 2 encap mplsRouter(config)# interface gi4/1Router(config-if)# service instance 4 ethernetRouter(config-if-srv)# encapsulation dot1q 4Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 4Router(config-if-srv)# exitRouter(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# xconnect 10.0.0.0 5 encap mplsVerification
This section lists the commands to display information about the primary and backup interfaces configured on the router. In the examples that follow, the primary interface is gi3/1 and the secondary (backup) interface is gi3/11.
•
Router# show backupPrimary Interface Secondary Interface Status----------------- ------------------- ------GigabitEthernet 3/1 GigabitEthernet 3/11 normal operation•
Router# show interface gi3/1GigabitEthernet3/1 is up, line protocol is up (connected)Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)Backup interface GigabitEthernet 3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set[...]Router# show interface gi3/11GigabitEthernet3/11 is standby mode, line protocol is down (disabled)If the primary interface goes down, the backup (secondary) interface is transitioned to the up state, as shown in the command output that follows. Notice how the command output changes if you reissue the show backup and show interfaces commands at this time: the show backup status changes, the line protocol for gi3/1 is now down (notconnect), and the line protocol for gi3/11 is now up (connected).
Router# !!! Link gi3/1 (active) goes down...22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to upRouter# show backupPrimary Interface Secondary Interface Status----------------- ------------------- ------GigabitEthernet3/1 GigabitEthernet3/11 backup modeRouter# show interface gi3/1GigabitEthernet3/1 is down, line protocol is down (notconnect)Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,Router# show interface gi3/11GigabitEthernet3/11 is up, line protocol is up (connected)Example
Figure 4-3 shows a sample configuration of a backup interface for Flexible UNI. The configuration includes several EVCs (service instances), configured as follows:
•
•
Figure 4-3 Backup Interface for Flexible UNI Configuration
This is the configuration at NPE10:
interface ge2/4.4description npe10 to npe11 gi3/11 - backup - bridgedencapsulation dot1q 4ip address 100.4.1.33 255.255.255.0interface ge2/4.2description npe10 to npe11 gi3/11 - backup - xconnectencapsulation dot1q 2ip address 100.2.1.33 255.255.255.0This is the configuration at NPE14:
interface ge1/3.4description npe14 to npe11 gi3/1 - primary - bridgedencapsulation dot1q 4ip address 100.4.1.22 255.255.255.0interface ge1/3.2description npe14 to npe11 gi3/1 - primary - xconnectencapsulation dot1q 2ip address 100.2.1.22 255.255.255.0This is the configuration at 72a, at the user-facing provider edge (U-PE):
interface fa1/0.4description 72a to npe12 - bridgedencapsulation dot1q 4ip address 100.4.1.12 255.255.255.0interface fa1/0.2description 72a to npe12 - xconnectencapsulation dot1q 2ip address 100.2.1.12 255.255.255.0This is the configuration at NPE11:
interface gigabitEthernet 3/1backup interface gigabitEthernet 3/11service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricxconnect 12.0.0.1 2 encapsulation mplsservice instance 4 ethernetencapsulation dot1q 4rewrite ingress tag pop 1 symmetricbridge-domain 4interface gigabitEthernet 3/11service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricxconnect 12.0.0.1 21 encapsulation mplsservice instance 4 ethernetencapsulation dot1q 4rewrite ingress tag pop 1 symmetricbridge-domain 4This is the configuration at NPE12:
interface GE-WAN 4/3description npe11 to npe12ip address 10.3.3.1 255.255.255.0mpls ipl2 vfi vlan4 manualvpn id 4neighbor 12.0.0.1 4 encapsulation mplsinterface Vlan 4xconnect vfi vlan4l2 vfi vlan4 manualvpn id 4neighbor 11.0.0.1 4 encap mplsinterface Vlan4description npe12 to npe11 xconnectxconnect vfi vlan4l2 vfi vlan2 manualvpn id 2neighbor 11.0.0.1 2 encap mplsneighbor 11.0.0.1 21 encap mplsinterface Vlan2xconnect vfi vlan2interface GE-WAN 9/4description npe12 to npe11ip address 10.3.3.2 255.255.255.0mpls ipinterface fastEthernet 8/2description npe12 to 72aswitchportswitchport trunk encap dot1qswitchport mode trunkswitchport trunk allowed vlan 2-4The primary interface is enabled:
NPE 11# show backupPrimary interface Secondary interface Status--------------------------------------------GigabitEthernet3/1GigabitEthernet3/11 normal operationNPE-11#sh int gi3/1GigabitEthernet3/1 is up, line protocol is up (connected)Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,kicking load not set, kickout load not set,[...]NPE-11# show interface gi3/11GigabitEthernet 3/11 is standby mode, line protocol is down (disabled)The primary link is disabled:
NPE 11#!!!Link gi3/1 (active) goes down22:11:11: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to down22:11:12: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to up22:11:12: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/1, changed state to down22:11:13: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/11, changed state to upNP-11# show backupPrimary interface Secondary interface Status--------------------------------------------GigabitEthernet3/1GigabitEthernet3/11 backup modeNP-11#sh int gi3/1GigabitEthernet3/1 is down, line protocol is down (notconnect)Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 secNPE-11#sh int gi3/11GigabitEthernet 3/11 is up, line protocol is up (connected)Troubleshooting
Table 4-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.
Table 4-5 Troubleshooting Scenarios for backup interface of the Flexible UNI feature
EVC On Port-Channel
An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links.The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see Configuring EtherChannels at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types.
Load balancing is accomplished on a Ethernet flow point (EFP) basis where a number of EFPs exclusively pass traffic through member links. In a default load balancing, you have no control over how the EFPs are grouped together, and sometimes the EFP grouping may not be ideal. To avoid this, use manual load balancing to control the EFP grouping.
Restrictions and Usage Guidelines
When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
•
•
•
Note
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example shows a single port-channel interface is created with three possible member links from slots 1 and 2:
Router# enableRouter# configure terminalRouter(config)# interface Port-channel5Router(config)# interface GigabitEthernet 2/1Router(config-if)# channel-group 5 mode onThis example shows scalable Eompls and EVC connect sample configuration.
Router#enableRouter#configure terminalRouter(config)#interface GigabitEthernet 3/0/0Router(config-if)#service instance 10 ethernetRouter(config-srv)#encapsulation dot1q 20Router(config-if-srv)#rewrite ingress tag pop 1 symRouter(config-if-srv)#exitRouter(config-if)#exitRouter(config)#interface GigabitEthernet 3/0/1Router(config-if)#service instance 12 ethernetRouter(config-srv)#encapsulation dot1q 30Router(config-if-srv)#rewrite ingress tag pop 1 symRouter(config-if-srv)#exitRouter(config-if)#exitRouter(config)#connect TEST GigabitEthernet 3/0/0 10 GigabitEthernet 3/0/1 12Router#sh connection allID Name Segment 1 Segment 2 State================================================================================57 TEST Gi3/0/0:10 Gi3/0/1:12 UPThis is a typical QoS configuration.
Router# enableRouter# configure terminalRouter(config)# interface port-channel10Router(config-if)# no ip addressRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 11Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if)# service-policy input xRouter(config-if)# service-policy output yRouter(config-if-srv)# bridge-domain 1500se the following commands to verify the configuration.
Troubleshooting
Table 4-6 provides the troubleshooting solutions for the EVC on a Port-Channel.
Table 4-6 Troubleshooting Scenarios for EVC on a Port-Channel
Configuring SPAN on EVC
Currently, traffic mirroring, lawful intercept, or Switched Port Analyzer (SPAN) on a per service instance is unavailable.
The existing command line interface supports configuring interface and VLAN as the local SPAN source. The same command line interface is enhanced to accept service instance IDs along with the interface. Since an EVC is support only for the local session SPAN, service instance options for the SPAN source are added in the local SPAN configuration submode.
You configure SPAN to intercept traffic in three ways:
•
•
•
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring SPAN on EVC, follow these restrictions and usage guidelines:
•
•
•
•
•
•
•
•
•
•
•
•
Configuring SPAN on EVC
Complete the following steps to configure SPAN on EVC.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Sample Configuration
This is an example for configuring SPAN on EVC.
Router# enableRouter# configure terminalRouter(config)# interface port-channel 11Router(config-if)# no ip addressRouter(config-if)# service instance 101 ethernetRouter(config-if-srv)# encapsulation dot1q 13Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetricRouter(config-if-srv)# exitRouter(config)# monitor session 1 type localRouter(config-mon-local)# source service instance 2 - 100 Port-channel 1 bothRouter(config-mon-local)# destination interface Port-channel 3Router(config-mon-local)# no shutRouter(config-mon-local)# endVerifying SPAN on EVC
This section provides the commands to verify the SPAN configuration.
Router# show monitor session 1Session 1---------Type : Local SessionStatus : Admin EnabledSource EFPs :Both : Po1: 2-100Destination Ports : Po3Router# show run | section monitormonitor session 1 type localsource service instance 2 - 100 Port-channel1destination interface Po3Troubleshooting
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
LACP Support for EVC Port Channel
An Ethernet link bundle or port-channel is an aggregation of up to eight physical Ethernet links to form a single logical link for L2/L3 forwarding. Bundled Ethernet ports are used to increase the capacity of the logical link and provide high availability and redundancy. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see "Configuring EtherChannels" at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types. IEEE 802.3ad/Link Aggregation Control Protocol (LACP) provides an association of port-channels. The LACP support for EVC Port Channel feature supports service instances over bundled Ethernet links.
Ethernet flow points (EFPs) are configured under a port-channel. The traffic, carried by the EFPs, is load-balanced across member links. EFPs under a port-channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for an EFP uses only one of the member links. Load balancing is achieved by grouping EFPs and assigning them to a member link.
The scalability for a link-bundling EVC is 16000 per chassis. Port Channel EVC scalability for ES+ line cards is dependent on the same factors as EVCs configured under physical interfaces, with the number of member links and their distribution across the NPU as an additional parameter. EVC port-channel QoS leverages EVC QoS infrastructure. For more information on the scalable values, see Restrictions and Usage Guidelines.
Restrictions and Usage Guidelines
When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Note
DETAILED STEPS
Examples
In this example, a single port-channel interface is created with three possible member links from slots 1 and 2:
Router# enableRouter# configure terminalRouter(config)# interface Port-channel5Router(config-if)# no ip addressRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 350Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 350!Router(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 400Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 350Router(config-if)# service instance 3 ethernetRouter(config-if-srv)# encapsulation dot1q 500Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 370!Router# enableRouter# configure terminalRouter(config)# interface Port-channel5.1Router(config-if-srv)# encapsulation dot1Q 500 second-dot1q 300Router(config-if)# ip address 60.0.0.1 255.0.0.0!Router(config)# interface GigabitEthernet 1/1Router(config-if)# channel-protocol lacpRouter(config-if)# channel-group 5 mode activeRouter(config)# interface GigabitEthernet 1/3Router(config-if)# channel-protocol lacpRouter(config-if)# channel-group 5 mode activeRouter(config)# interface GigabitEthernet 2/1Router(config-if)# channel-protocol lacpRouter(config-if)# channel-group 5 mode activeThis is a typical QoS configuration.
Router# enableRouter# configure terminalRouter(config)# interface port-channel10Router(config-if)# no ip addressRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 11Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if)# service-policy input xRouter(config-if)# service-policy output yRouter(config-if-srv)# bridge-domain 1500This is configuration for LACP over a configured EVC port-channel, under an interface:
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 1/1Router(config-if)# channel-protocol lacpRouter(config-if)# channel-group 5 mode ?Router(config-if)# channel-group 5 mode activeRouter(config-if)# channel-group 5 mode passiveThis is a port-channel configuration:
Router# enableRouter# configure terminalRouter(config-if)# interface Port-channel102Router(config-if)# mtu 9216Router(config-if)# no ip addressRouter(config-if)# lacp fast-switchoverRouter(config-if)# lacp max-bundle 1Router(config-if)# service instance 50 ethernetRouter(config-if)# encapsulation dot1q 50Router(config-if)# rewrite ingress tag pop 1 symmetricRouter(config-if)# service-policy output lacp-parentRouter(config-if)# bridge-domain 50This is a member links configuration:
Router# enableRouter# configure terminalRouter(config-if)# interface GigabitEthernet 3/12Router(config-if)# mtu 9216Router(config-if)# no ip addressRouter(config-if)# lacp rate fastRouter(config-if)# channel-protocol lacpRouter(config-if)# channel-group 102 mode active
Verification
Use these commands to verify EVC configuration.
Troubleshooting
For information on troubleshooting LACP support for EVC Port Channel feature, see Table 4-6.
Configuring Layer 2 Access Control Lists (ACLs) on an EVC
ACLs (Access Control Lists) perform the following tasks:
•
•
You can use a collection of sequential ACL rules to filter network traffic. Though the ACLs are applied on a network interface, you can use this feature to apply Layer 2 on different EVCs. Table 4-7 maps the supported layers with their parameters and Table 4-8 lists the commands used to activate the Layer 2 ACLs.
Table 4-7
Mapping between the ACL supported layers to the parameters
Table 4-8 ACL commands
Layer 2
Create a Layer 2 Access List
mac access-list extended {aclname}
Apply an Access list within the EVC
mac access-group {aclname} in
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure ACLs on a EVC:
•
•
•
•
•
•
•
•
Creating a Layer 2 Access Control List
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Applying a Layer 2 Access Control List
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
You can view the ACL counters for an EVC as shown in this example:
LLB-India-7#sh ethernet service instance id 1 int gig3/0/0 detailService Instance ID: 1L2 ACL (inbound): l2acl <=====Associated Interface: GigabitEthernet3/0/0Associated EVC: testL2protocol dropCE-Vlans:Interface Dot1q Tunnel Ethertype: 0x8100State: UpL2 ACL permit count: 0 <=====L2 ACL deny count: 0 <=====EFP Statistics:Pkts In Bytes In Pkts Out Bytes Out0 0 0 0
DHCP Snooping with Option-82 on EVC
DHCP snooping determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages traffic from untrusted sources.
To do this, DHCP snooping dynamically builds and maintains the DHCP snooping database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
Each entry in the DHCP snooping database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
Additionally, the DHCP Snooping with Option-82 feature can centrally manage the IP address assignments for a large number of subscribers. When this feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.
However, EVCs require additional information. If each EVC on an interface is mapped to a single VPN, it would be possible to use the internal VLAN to identify the path for reply packets. However, because multiple EVCs with different encapsulations can map to the same VPN, it is necessary to use the actual EVC encapsulation to distinguish between EVCs.
The DHCP Snooping with Option-82 on EVC feature allows the user to provide this additional information required for EVC-enabled interfaces. This information is inserted into the option 82 and is also stored in the binding table for retrieval by other services.
Use the ip dhcp snooping information option allow-untrusted command to enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch. DHCP option 82 data insertion is enabled by default. Accepting incoming DHCP snooping packets with option 82 information from the edge switch is disabled by default.
Use the ip dhcp relay information option subscriber-id command to configure a subscriber string for an EVC that can be inserted into the option 82 field along with other information when relaying the DHCP packets to the server. The server can parse the option 82 information to match the subscriber string and act accordingly. The subscriber string configured for an EVC will not be stored in the binding table and is only used when sending DHCP packets to the server by inserting into the option 82 field.
For additional information on DHCP Snooping and Option-82 on the Cisco 7600 router, see Configuring DHCP Snooping at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/snoodhcp.html.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while you configure DHCP Snooping with Option-82:
•
•
–
–
–
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Example
This example shows a typical configuration on the relay agent and the server. This is a configuration on the relay agent:
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet8/1Router(config-if)# no ip addressRouter(config-if)# negotiation autoRouter(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# rewrite ingress tag pop 1 symmetricip dhcp relay information option subscriber-id 11Router(config-if-srv)# bridge-domain 100Router(config)# interface Vlan100Router(config-if)# ip address 10.0.0.1 255.255.255.0Router(config-if)# ip helper-address global 20.0.0.2Router(config-if)# ip helper-address 20.0.0.2Router(config)# interface GigabitEthernet 2/1Router(config-if)# ip dhcp snooping packetsRouter(config-if)# ip address 20.0.0.1 255.255.255.0Router(config-if)# negotiation auto!This is the configuration on the server:
:Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 1/1Router(config-if)# ip address 20.0.0.2 255.255.255.0Router(config-if)# negotiation autoRouter(config-if)# endRouter(config)# ip dhcp pool pool1Router(dhcp-config)# network 10.0.0.0 255.255.0.0lease 2Router(dhcp-config)# update arpclass C1address range 10.0.0.2 10.0.0.10class C2address range 10.0.0.11 10.0.0.20!Router(config)# ip dhcp pool pool2Router(config)# network 11.0.0.0 255.255.0.0 lease 2!Router(config)# ip dhcp pool pool3vrf vrf1Router(config)# network 10.0.0.0 255.255.255.0 lease 0 0 2!!ip dhcp class C1 <-----------Class C1 maps to the subcriber-id string aabb11.relay agent informationrelay-information hex 00000000000000000000000000000006616162623131 mask fffffffffffffffffffffffffffffff0000000000000!ip dhcp class C2relay agent informationrelay-information hex 00000000000000000000000000000006313162626161 mask fffffffffffffffffffffffffffffff0000000000000******************************************************************************************Verification
Use this commands to verify operation.
Router# show ip dhcp snooping
Displays all VLANs (both primary and secondary) that have DHCP snooping enabled.
Router# show ip dhcp snooping binding
Checks the DHCP snooping database.
Troubleshooting
Table 4-9 provides the troubleshooting solutions for the DHCP Snooping feature.
Table 4-9 Troubleshooting Scenarios for DHCP Snooping feature
DHCP snooping database is not storing any bindings
Complete the following steps to verify and troubleshoot:
1.
2.
3.
Bindings are not getting stored in the database agent
Read the database agent file to check if bindings are stored in that file. If not, go to Step 3 of the previous solution. If there is at least one binding stored in the database file , it implies that the database agent is working fine.
DHCP snooping is not active on the router
DHCP snooping is active on the router only when it is configured globally and on at least one interface VLAN. Check if the ip dhcp snooping command exists in the running and global configuration modes, and at least on one VLAN interface. If not, configure the feature as described in Configuring Layer 2 Access Control Lists (ACLs) on an EVC.
If the configurations exist, use the debug ip dhcp snooping packets command to check whether or not DHCP packets are being exchanged between the DHCP server and the client. If yes, proceed to Step 3 listed in the solution for " DHCP snooping database is not storing any bindings" problem. If not, check the configurations for the DHCP server and client and whether all the connections to the DHCP relay agent are fine. If the problem persists, contact TAC.
DHCP Snooping Over p-mLACP
The Dynamic Host Configuration Protocol (DHCP) snooping over a pseudo-multichassis Link Aggregate Control Protocol (p-mLACP) feature synchronizes the DHCP snooping database between the Point of Attachments (PoAs) in a network. The synchronization of the DHCP database allows the multicast traffic to flow with the least interruption when the p-mLACP fails. This feature uses the Interchassis Communication Protocol (ICCP) to synchronize the DHCP snooping database with the peer PoAs to provide multi-chassis redundancy. When the multi-chassis Link Aggregation (mLAG) transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network. A system configured with DHCP snooping creates a DHCP snooping database, which contains DHCP snooping entries (MAC/IP bindings) learnt from the different VLANs.
The DHCP snooping binding data is added in the active supervisor after successfully synchronizing the snooping information between the local standby and remote PoAs (active and standby supervisor PoA).
Note
DHCP Snooping State Synchronization
The DHCP snooping state synchronization involves these steps:
0.
1.
2.
Restrictions for DHCP Snooping over p-mLACP
Following restrictions apply for the DHCP Snooping over p-mLACP feature:
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
Table 4-10 lists the scalability numbers for DHCP Snooping state synchronization:
Table 4-10 Scalability Numbers for p-mLACP DHCP Snooping State Synchronization
Troubleshooting Tips
Table 4-11 lists the commands to troubleshoot the p-mLACP DHCP Snooping State Synchronization.
Table 4-11 Troubleshooting Scenarios
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization
The pseudo-multichassis Link Aggregate Control Protocol (p-mLACP) Internet Group Management Protocol (IGMP) Snooping State Synchronization feature synchronizes the IGMP snooping database between the Point of Attachments (PoAs) in a network. The synchronization of the IGMP database allows the multicast traffic to flow with the least interruption when an mLACP fails. The p-mLACP IGMP snooping function uses the Interchassis Communication Protocol (ICCP) to synchronize the IGMP snooping database with the peer PoAs. When the mLAG transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network.
Note
IGMP Snooping State Synchronization
The p-mLACP IGMP Snooping state synchronization involves these steps:
•
•
•
•
Figure 4-4 shows the basic p-mLACP IGMP Snooping State Synchronization process.
Figure 4-4 IGMP Snooping State Synchronization
Restrictions for p-mLACP IGMP Snooping State Synchronization
Following restrictions apply for the p-mLACP IGMP Snooping State Synchronization feature:
•
•
•
•
•
•
•
•
•
•
Table 4-12 lists the scalability numbers for IGMP snooping state synchronization.
Table 4-12 Scalability Numbers for p-mLACP IGMP Snooping State Synchronization
Note
Troubleshooting Tips
Table 4-13 lists the troubleshooting solutions for the p-mLACP IGMP Snooping State Sync implementation.
Table 4-13 Troubleshooting Scenarios
IP Source Guard for Service Instance
An IP source guard filters a source IP address on a layer 2 port and prevents malicious hosts from impersonating a legitimate host. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports.
Initially, all IP traffic on the service instance is blocked except for DHCP packets that are captured by DHCP snooping. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, the IP source guard for service instance feature automatically creates an access control list (ACL) to permit that traffic. Traffic from other hosts is denied. This filtering limits the ability of a host to attack the network by claiming the IP address of a neighbor host.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring IP source guard for a service instance:
•
•
•
•
•
•
Configuring IP Source Guard for a Service Instance
SUMMARY STEPS
1.
2.
3.
or
interface tengigabitethernet slot/port
or
interface port-channel number
4.
5.
6.
7.
Note
8.
9.
10.
11.
DETAILED STEPS
Example
This example shows how to configure IP source guard for a service instance with single tag (Dot1q) encapsulation.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet7/1Router(config-if)# no ip addressRouter(config-if)# service instance 71 ethernetRouter(config-if-srv)# encapsulation dot1q 71Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# ip verify source vlan dhcp-snoopingRouter(config-if-srv)# bridge-domain 10This is example shows how to configure IP source guard for a service instance with double tag (QinQ) encapsulation.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet7/1Router(config-if)# no ip addressRouter(config-if)# service instance 71 ethernetRouter(config-if-srv)# encapsulation dot1q 71 second-dot1q 100Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# ip verify source vlan dhcp-snoopingRouter(config-if-srv)# bridge-domain 10This example shows how to configure IP source guard for a service instance with untagged encapsulation.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet7/1Router(config-if)# no ip addressRouter(config-if)# service instance 71 ethernetRouter(config-if-srv)# encapsulation untaggedRouter(config-if-srv)# ip verify source vlan dhcp-snoopingRouter(config-if-srv)# bridge-domain 10This example shows how to configure IP source guard for a service instance with default encapsulation.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet7/1Router(config-if)# no ip addressRouter(config-if)# service instance 71 ethernetRouter(config-if-srv)# encapsulation defaultRouter(config-if-srv)# ip verify source vlan dhcp-snoopingRouter(config-if-srv)# bridge-domain 10This example shows how to configure IP source guard for a service instance with single tag encapsulation on a port-channel interface.
Router# enableRouter# configure terminalRouter(config)# interface port-channel 2Router(config-if)# no ip addressRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# ip verify source vlan dhcp-snoopingRouter(config-if-srv)# bridge-domain 10
Verification
Use the show ip verify source interface to verify the configuration:
router# show ip verify source interface gi5/1 efp_id 10Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID--------- ----------- ----------- --------------- ----------------- ---------- ----------Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10router# show ip verify source interface gi5/1Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID--------- ----------- ----------- --------------- ----------------- ---------- ----------Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10Gi5/1 ip-mac active 123.1.1.2 00:0A:00:0A:00:0B 100 20Gi5/1 ip-mac active 123.1.1.3 00:0A:00:0A:00:0C 100 30Troubleshooting
Table 4-14 provides troubleshooting solutions for the IP source guard feature.
Table 4-14
Troubleshooting Scenarios for IP Source Guard feature
Configuring MST on EVC Bridge Domain
The Multiple Spanning Tree (MST) on EVC Bridge Domain feature enables MST on EVC interfaces. It complements the H-VPLS N-PE Redundancy for QinQ and MPLS Access feature released in Cisco IOS Release 12.2(33)SRC. For more information on this feature, see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html.
This section describes how to configure MST on EVC Bridge Domain. It contains these topics:
•
•
Overview of MST and STP
Spanning Tree Protocol (STP) is a Layer 2 link-management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis.
MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).
For routers to participate in MST instances, you must consistently configure the routers with the same MST configuration information. A collection of interconnected routers that have the same MST configuration comprises an MST region. For two or more routers to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same MST name.
The MST configuration controls the MST region to which each router belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.
A region can have one or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree instance at a time.
For additional information on STP and MST on the Cisco 7600 series routers, see Configuring STP and MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html
Overview of MST on EVC Bridge Domain
The MST on EVC Bridge-Domain feature uses VLAN IDs for service-instance-to-MST-instance mapping. EVC service instances with the same VLAN ID (the outer VLAN IDs in the QinQ case) as the one in another MST instance will be mapped to that MST instance.
EVC service instances can have encapsulations with a single tag as well as double tags. In case of double tag encapsulations, the outer VLAN ID shall be used for the MST instance mapping, and the inner VLAN ID is ignored.
A single VLAN per EVC is needed for the mapping with the MST instance. The following service instances without any VLAN ID or with multiple outer VLAN IDs are not supported:
•
•
•
•
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring MST on EVC bridge domain:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
nPE1#sh run int gi12/5Building configuration...Current configuration : 373 bytes!interface GigabitEthernet12/5description connected to CE1no ip addressservice instance 100 ethernetencapsulation dot1q 100 second-dot1q 1bridge-domain 100!service instance 101 ethernetencapsulation dot1q 100 second-dot1q 2bridge-domain 101!service instance 102 ethernetencapsulation dot1q 100 second-dot1q 120-140bridge-domain 102!endnPE1#sh run int gi12/6Building configuration...Current configuration : 373 bytes!interface GigabitEthernet12/6description connected to CE1no ip addressservice instance 100 ethernetencapsulation dot1q 100 second-dot1q 1bridge-domain 100!service instance 101 ethernetencapsulation dot1q 100 second-dot1q 2bridge-domain 101!service instance 102 ethernetencapsulation dot1q 100 second-dot1q 120-140bridge-domain 102!endnPE1#sh span vlan 100MST0Spanning tree enabled protocol mstpRoot ID Priority 32768Address 0018.742f.3b80Cost 0Port 2821 (GigabitEthernet12/5)Hello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 32768 (priority 32768 sys-id-ext 0)Address 001a.303c.3400Hello Time 2 sec Max Age 20 sec Forward Delay 15 secInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Gi12/5 Root FWD 20000 128.2821 P2pGi12/6 Altn BLK 20000 128.2822 P2pnPE1#SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Examples
In the following example, two interfaces participate in MST instance 0, the default instance to which all VLANs are mapped:
Router# enableRouter# configure terminalRouter(config)# interface g4/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# interface g4/3Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# endVerification
Use this command to verify the configuration:
Router# show spanning-tree vlan 2MST0Spanning tree enabled protocol mstpRoot ID Priority 32768Address 0009.e91a.bc40This bridge is the rootHello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 32768 (priority 32768 sys-id-ext 0)Address 0009.e91a.bc40Hello Time 2 sec Max Age 20 sec Forward Delay 15 secInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Gi4/1 Desg FWD 20000 128.1537 P2pGi4/3 Back BLK 20000 128.1540 P2p
In this example, interface gi4/1 and interface gi4/3 are connected back-to-back. Each has a service instance (EFP) attached to it. The EFP on both interfaces has an encapsulation VLAN ID of 2. Changing the VLAN ID from 2 to 8 in the encapsulation directive for the EFP on interface gi4/1 stops the MSTP from running in the MST instance to which the old VLAN is mapped and starts the MSTP in the MST instance to which the new VLAN is mapped:
Router(config-if)# interface g4/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encap dot1q 8Router(config-if-srv)# endUse this command to verify the configuration:
Router# show spanning-tree vlan 2MST1Spanning tree enabled protocol mstpRoot ID Priority 32769Address 0009.e91a.bc40This bridge is the rootHello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 32769 (priority 32768 sys-id-ext 1)Address 0009.e91a.bc40Hello Time 2 sec Max Age 20 sec Forward Delay 15 secInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Gi4/3 Desg FWD 20000 128.1540 P2pRouter# show spanning-tree vlan 8MST2Spanning tree enabled protocol mstpRoot ID Priority 32770Address 0009.e91a.bc40This bridge is the rootHello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 32770 (priority 32768 sys-id-ext 2)Address 0009.e91a.bc40Hello Time 2 sec Max Age 20 sec Forward Delay 15 secInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Gi4/1 Desg FWD 20000 128.1537 P2pIn this example, interface gi4/3 (with an EFP that has an outer encapsulation VLAN ID of 2 and a bridge domain of 100) receives a new service:
Router# enableRouter# configure terminalRouter(config)# interface g4/3Router((config-if)# service instance 2 ethernetRouter((config-if-srv)# encap dot1q 2 second-dot1q 100Router((config-if-srv)# bridge-domain 200Now there are two EFPs configured on interface gi4/3 and both of them have the same outer VLAN 2.
interface GigabitEthernet4/3no ip addressservice instance 1 ethernetencapsulation dot1q 2bridge-domain 100!service instance 2 ethernetencapsulation dot1q 2 second-dot1q 100bridge-domain 200The preceding configuration does not affect the MSTP operation on the interface; there is no state change for interface gi4/3 in the MST instance it belongs to.
Router# show spanning-tree mst 1##### MST1 vlans mapped: 2Bridge address 0009.e91a.bc40 priority 32769 (32768 sysid 1)Root this switch for MST1Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Gi4/3 Desg FWD 20000 128.1540 P2pThis example shows MST on port channels:
Router# show spanning-tree mst 1##### MST1 vlans mapped: 3Bridge address 000a.f331.8e80 priority 32769 (32768 sysid 1)Root address 0001.6441.68c0 priority 32769 (32768 sysid 1)port Po5 cost 20000 rem hops 18Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Gi2/0/0 Desg FWD 20000 128.257 P2pPo5 Root FWD 10000 128.3329 P2pPo6 Altn BLK 10000 128.3330 P2pRouter# show spanning-tree vlan 3MST1Spanning tree enabled protocol mstpRoot ID Priority 32769Address 0001.6441.68c0Cost 20000Port 3329 (Port-channel5)Hello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 32769 (priority 32768 sys-id-ext 1)Address 000a.f331.8e80Hello Time 2 sec Max Age 20 sec Forward Delay 15 secInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Gi2/0/0 Desg FWD 20000 128.257 P2pPo5 Root FWD 10000 128.3329 P2pPo6 Altn BLK 10000 128.3330 P2pTroubleshooting
Table 4-15 provides troubleshooting solutions for the MST on EVC Bridge Domain feature.
Table 4-15 Troubleshooting Scenarios
Configuring Link State Tracking (LST)
When a link failure occurs on a REP and MST segment, the associated protocols handle the link failure event. However, if the primary link to the switch is enabled even though the corresponding uplink ports on the switch are disabled, the REP and MST protocol is unaware of backbone side, and does not trigger a failover. The router continues to receive the traffic from the access side and then drops it discreetly due to lack of backbone connectivity. Link state tracking provides a solution to this problem by allowing the uplink interfaces to bind the link status to the down link ports. Uplink state tracking is configured such that when a set of uplink ports are disabled, other ports linked through CLI commands are disabled as well. The state of all the downlink interfaces are error-disabled only when all the upstream interfaces are disabled.
The LST triggers REP/MST re-convergence on the access side depending on the state of the core-facing interface. The link state of the core facing interface and the access facing interface are bound by link state tracking group.
LST facilitates:
–
–
–
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure the LST:
•
•
•
•
•
•
•
–
–
•
–
–
–
Configuring Link State Tracking
Perform the following tasks to configure a LST.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
This example shows how to create a link-state group and configure the interfaces:
Router# configure terminalRouter(config)# link state track 1Router(config)# interface gigabitethernet3/1Router(config-if)# link state group 1 upstreamRouter(config-if)# interface gigabitethernet3/3Router(config-if)# link state group 1 upstreamRouter(config-if)# interface gigabitethernet3/5Router(config-if)# link state group 1 downstreamRouter(config-if)# interface gigabitethernet3/7Router(config-if)# link state group 1 downstreamRouter(config-if)# endVerification
Use the show link state group command to display the link-state group information.
Router> show link state group 1Link State Group: 1 Status: Enabled, DownUse the show link state group detail command to display detailed information about the group.
Router> show link state group detail(Up):Interface up (Dwn):Interface Down (Dis):Interface disabledLink State Group: 1 Status: Enabled, DownUpstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)Link State Group: 2 Status: Enabled, DownUpstream Interfaces : Gi3/15(Dwn) Gi3/16(Dwn) Gi3/17(Dwn)Downstream Interfaces : Gi3/11(Dis) Gi3/12(Dis) Gi3/13(Dis) Gi3/14(Dis)(Up):Interface up (Dwn):Interface Down (Dis):Interface disabledTroubleshooting the Link State Tracking
Table 4-16 lists the troubleshooting issues while configuring LST:
Table 4-16 Troubleshooting LST
Issues
MAC Address Security for EVC Bridge Domain
Cisco 7600 series routers currently support port security on a per-port basis. For more information, see Configuring Port Security at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/port_sec.html
The Media Access Control (MAC) Address Security for EVC Bridge Domain feature addresses port security with EVCs by providing the capability to control and filter MAC address learning behavior at the granularity of a per-EFP basis. For instance, when a violation requires a shutdown, only the customer assigned to a given EFP is affected rather than all customers using the port.
Port Security and the MAC Address Security for EVC Bridge Domain feature operate independently of each other.
Cisco IOS Release 12.2(33)SRE adds support for MAC address security on EVC port-channels.This feature operates on a port-channel interface in a similar manner to how it works on a physical port. In each case, MAC security is configured on a service instance associated with a bridge domain.
This section covers the following topics: This section contains the following topics:
•
•
•
•
•
•
•
•
•
•
Restrictions and Usage Guidelines
When configuring MAC Address Security for EVC Bridge Domain, follow these restrictions and usage guidelines:
•
–
–
–
•
•
•
•
•
Enabling MAC Address Security for EVC Bridge Domain
This section describes how to enable MAC address security for EVC bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
This example shows how to enable MAC address security for EVC bridge domain.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac securityThis example shows how to disable MAC address security for EVC bridge domain.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# no mac securityDisabling MAC Address Security for EVC Bridge Domain on an EFP
This section describes how to disable MAC address security for EVC bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Examples
This example shows how to disable MAC address security for EVC bridge domain.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# no mac securityConfiguring MAC Address Whitelist on an EFP
MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition and device reload. Stickly Mac is shown in the MAC table as static addressess. However, you should copy the running config details to retain the mac address details.
This section describes how to configure sticky MAC addresses on an EFP.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example shows how to configure whitelisted MAC addresses on an EFP that is a member of a bridge domain.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security address permit 0000.1111.2222Router(config-if-srv)# mac securityConfiguring Sticky MAC Addresses on an EFP
MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition and device reload. Stickly Mac is shown in the MAC table as static addressess. However, you should copy the running config details to retain the mac address details.
This section describes how to configure sticky MAC addresses on an EFP.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example configures sticky MAC addresses on an EFP.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security stickyRouter(config-if-srv)# mac securityConfiguring Secure MAC Address Aging on an EFP
This section shows how to configure aging of secured MAC addresses under MAC Security. Secured MAC addresses are not subject to the normal aging of MAC table entries in the system.By default, secure MAC addresses do not age out.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Examples
This example shows how to configure the aging time for secure addresses to 10 minutes.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security aging time 10Router(config-if-srv)# mac securityThis example shows a configuration where the aging out of addresses is based on inactivity of the sending hosts. An address will age out if it is not seen for 10 minutes.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security aging time 10 inactivityRouter(config-if-srv)# mac securityThe mac security aging time command only ages out secure addresses that are learned. To enable aging out of whitelist or sticky addresses when the mac security aging time command is configured, use the mac security aging static command (applies aging controls to statically configured addresses) or the mac security aging sticky command (applies aging controls to persistent, that is, sticky, addresses). The configuration below shows an example of applying aging to a sticky address.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 1/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac securityRouter(config-if-srv)# mac security stickyRouter(config-if-srv)# mac security aging time 100Configuring MAC Address Limiting on EFP
This section describes how to configure an upper limit for the number of secured MAC addresses allowed on an EFP. This includes addresses added as part of a whitelist, as well as dynamically learned MAC addresses. If the upper limit is decreased, one or more learned MAC entries may be removed. The default limit is 1.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example configures an upper limit of 10 for the number of secured MAC addresses allowed on an EFP.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security maximum addresses 10Router(config-if-srv)# mac securityConfiguring MAC Address Limiting on a Bridge Domain
This section describes how to configure an upper limit for the number of secured MAC addresses located on the bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Examples
This example configures an upper limit of 1000 for the number of secured MAC addresses.
Router# enableRouter# configure terminalRouter(config)# bridge-domain 100Router(config-if-srv)# mac limit maximum address 1000
Configuring Violation Response on an EFP
This section describes how to specify the expected behavior of the device when an attempt to dynamically learn a MAC address fails because of a violation of the configured MAC Security policy on the EFP. The default violation behavior is termed as a EFP shutdown.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example configures a restrict violation response on EFP.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security violation restrictRouter(config-if-srv)# mac security
Error Recovery
This section describes how to recover from violation causing an EFP shutdown (default violation response) and contains the following sections:
Manual recovery
Automatic recovery
Manual Recovery
For manual recovery, use the clear ethernet service instance id id interface interface-name errdisable command to bring the service instance out of an error disabled state as shown below:
Router# enableRouter# configure terminal
Router# clear ethernet service instance id 10 interface gi1/1 errdisable
Automatic recovery
For automatic recovery, use the errdisable recovery cause mac security command. You must specify the timer interval. The valid value is from 30 to 86400 second. In the configuration example that follows, the EFP recovers 60 seconds after the violation causes the shutdown.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 2/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac securityRouter(config-if-srv)# errdisable recovery cause mac-security 60
Verification
Use the following commands to verify operation.
Troubleshooting
Table 4-17 provides troubleshooting solutions for the MAC Security feature.
Table 4-17 Troubleshooting Scenarios for MAC Security feature
CFM and PVST Co-Existence
Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation. Currently, Ethernet CFM supports inward facing and outward facing Maintenance Endpoints (MEPs). For information on Ethernet Connectivity Fault Management, see http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
The CFM and PVST Co-Existence feature allows Per Vlan Spanning Tree (PVST) and CFM to co-exist on Cisco 7600 series routers.
The CFM and PVST Co-Existence feature makes use of these Ethernet components:
•
•
Each EFP is identified with an EVC. An EVC ID is globally unique within a network. In addition, an EFP is associated with one bridge domain. All the EFPs in a bridge domain belong to the same EVC (when specified).
For EFPs, untagged, single-tagged, and double-tagged encapsulations exist with dot1q, QinQ, and IEEE dot1ad Ether types. Different EFPs belonging to a bridge domain can have different encapsulations.
Restrictions and Usage Guidelines
When configuring CFM and PVST Co-Existence, follow these restrictions and usage guidelines:
•
–
–
–
–
–
•
•
–
–
–
•
–
CFM is enabled system wide except on supervisor ports due to spanning tree configuration on supervisor ports for CFM due to hardware limitations on these ports. Continued with enabling CFM system-wide to allow coexistence with other protocols such as PVST.
Administrator action may be required. Ensure no CFM traffic is presented to any supervisor ports via configuration. If not possible configure STP mode to MST and re-enable CFM or disable CFM completely.–
CFM is enabled system wide except it's disabled on supervisor ports due to spanning tree or GVRP configuration. Unable to program all port ASIC MAC match registers on supervisor ports for CFM due to hardware limitations on these ports. Continued with enabling CFM system-wide to allow coexistence with other protocols such such as PVST or GVRP.System has handled this by disabling CFM on all supervisor ports. If this is unacceptable configure STP mode to MST and re-enable CFM or disable CFM completely.
–
Unsupported module in slot 3, power not allowed: Module has insufficient match registers. Enabled relevant protocols include SSTP CFM_MULTICAST.
Note
Configuring PVST and CFM Co-Existence
Note
Note
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
The following example configures PVST and CFM Co-Existence:
Router# enableRouter# configure terminalRouter(config)# spanning-tree mode pvstRouter(config)# ethernet cfm enableConfiguring GVRP and CFM Co-Existence
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
The following example configures GVRP and CFM Co-Existence:
Router# enableRouter# configure terminalRouter(config)# gvrp globalRouter(config)# ethernet cfm enableConfiguring PVST and GVRP Co-Existence
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
The following example configures PVST and GVRP Co-Existence:
Router# enableRouter# configure terminalRouter(config)# ethernet cfm enableRouter(config)# spanning-tree mode pvstVerification
Use the following commands to verify operation.
Custom Ethertype for EVC Interfaces
The custom ethertype feature allows you to configure the ethertype to be used for outer tag for dot1q and QinQ packets. By default, the Cisco 7600 series router supports ethertype 0x8100 for dot1q and QinQ outer tags. The following ethertype can be configured under a physical port:
•
•
•
•
You can use the dot1 q tunneling ethertype ethertype-value command to configure the custom ethertype within a physical port.
In the following sample configuration, ethertype is set to 0x9100, service instance is created, and Rewrite process is initiated:
interface GigabitEthernet 1/1dot1q tunneling ethertype 0x9100service instance <number> ethernetencapsulation dot1q <vlan 1> [second-dot1q <vlan 2>]Rewrite <Rewrite>
Note
Note
Supported Rewrite Rules for a Custom Ethertype Configuration
Rewriting allows you to add or remove VLAN tags in the packets transferred between two customer sites in the service provider networks.
The following types of Rewrites are supported on a Network Network Interface (NNI):
•
•
Supported Rewrites for Non-Range on C-Tag with a NNI
When Custom Ethertype is configured within the NNI physical interface and VLAN range is not specified, the following Rewrites are supported for a provider bridge:
•
–
–
•
–
•
–
–
–
–
•
–
–
–
–
–
–
–
Supported Rewrites for Range on C-Tag with a NNI
When a VLAN range is specified on the C-Tag, push Rewrites are not supported. The following Rewrites are supported for VLAN range on C-Tag:
•
–
•
–
–
–
–
Note
Restrictions and Usage Guidelines
When configuring Custom Ethertype, follow these restrictions and usage guidelines:
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
Single Tag Encap with Connect with Custom Ethertype Configured
In the following example, Custom Ethertype is configured on a single tag encap using the connect configuration:
Router#sh running-config int Gi1/1//Building configuration...interface GigabitEthernet 1/1no ip addressdot1q tunneling ethertype 0x9100no mls qos trustservice instance 1 ethernetencapsulation dot1q 10Router#sh running-config int Gi1/2no ip addressdot1q tunneling ethertype 0x9100mls qos trust dscpservice instance 1 ethernetencapsulation dot1q 10Router)# connect LC1 GigabitEthernet 1/1 1 GigabitEthernet 1/2 1Single Tag Encap with Bridge Domain
In the following example, Custom Ethertype is configured on a single tag encap using bridge domain configuration:
Router#sh running-config int Gi1/1interface GigabitEthernet 1/1no ip addressdot1q tunneling ethertype 0x9100no mls qos trustservice instance 1 ethernetencapsulation dot1q 10bridge-domain 100Router#sh running-config int Gi1/2interface GigabitEthernet 1/2no ip addressdot1q tunneling ethertype 0x9100mls qos trust dscpservice instance 1 ethernetencapsulation dot1q 10bridge-domain 100Single Tag Encap with XConnect
In the following example, Custom Ethertype is configured on a single tag encap with xconnect configuration:
Router#sh running-config int Gi1/1interface GigabitEthernet 1/1no ip addressdot1q tunneling ethertype 0x9100no mls qos trustservice instance 1 ethernetencapsulation dot1q 10xconnect 3.3.3.3 10 encapsulation mplsRouter#sh running-config int Gi1/2interface GigabitEthernet 1/2ip address 10.10.10.2 255.255.255.0no mls qos trustmpls label protocol ldpmpls ipCustom Ethertype Support with Sub Interfaces
In this example, Custom Ethertype is configured on a sub interface. Custom Ethertype is always configured within the main physical interface and QinQ encap is configured within the subinterface.
Router#sh running-config int Gi1/1interface GigabitEthernet 1/1no ip addressdot1q tunneling ethertype 0x9100no mls qos trustendinterface GigabitEthernet 1/1.10encapsulation dot1Q 10 second-dot1q 20ip address 20.20.20.2 255.255.255.0endVerification
Use the following commands to verify operations.
Troubleshooting
Table 4-18 provides troubleshooting solutions for the Custom Ethertype feature.
Table 4-18
Troubleshooting Scenarios
GE LAG with LACP on UNI with Advanced Load Balancing
The GE Link Aggregation with Advanced Load Balancing feature allows the user to specify the primary and multiple backup preferred member links for the service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for a given service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available or the user has neither configured the primary or the backup links, the 7600 platform automatically selects an egress interface for the given service instance. In this case, the user has no control over the egress interface.
If primary and backup links are configured and if the primary interface goes down, one of the backup links is selected as the egress interface. At this stage, when the primary interface comes up, there is a switch back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup link in the list is used. This continues until an available backup link is found.
This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic. In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with current service instance feature support and supports the existing scale of 8000 service instance per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.
Restrictions and Usage Guidelines
When configuring GE Link Aggregation with Advanced Load Balancing, follow these guidelines and restrictions:
•
–
–
For example, let's say there are 8 member links in the port-channel. The load share of the member links is allocated by the port manager as follows,
Member 1—Load share bit 0, Member 2—Load share bit 1,
Member 3—Load share bit 2, Member 4—Load share bit 3,
Member 5—Load share bit 4, Member 6—Load share bit 5,
Member 6—Load share bit 6, Member 7—Load share bit 7.
Now when the user configures Member 1 with link ID 2, the port manager code now allocates load share bit 2 to member 1. So, the new assignments are,
Member 1—Load share bit 2, Member 3—Load share bit 0 (The load share of other members remains the same.)
Consider the example where the platform has chosen an egress link that has the load share bit 2. Before the user has configured the link ID = 2 for Member 1, this EFP traffic has been sent over Member 3. After the user configuration, since member 1 now has the load share bit = 2, this traffic is now be sent over member 1.
The reverse also happens; traffic that was going through member 1 before the user configuration now goes through member 3.
Configuring GE Link Aggregation with Advanced Load Balancing
This section describes how to configure GE LAG with LACP on UNI with Advanced Load Balancing.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Example
The following example shows four member links across two different channel-groups:
Router(config)# interface Gi0/1Router(config-if)# channel-group 1 mode on link 3Router(config)# interface Gi0/2Router(config-if)# channel-group 1 mode on link 4Router(config)# interface Gi0/3Router(config-if)# channel-group 2 mode on link 3Router(config)# interface Gi0/4Router(config-if)# channel-group 2 mode on link 7Router(config)# interface Port-channel1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1Q 10Router(config-if-srv)# service instance 20 ethernetRouter(config-if-srv)# encapsulation dot1Q 20Router(config-if-srv)# service instance 60 ethernetRouter(config-if-srv)# group 10Router(config-if-srv)# service instance 70 ethernetRouter(config-if-srv)# group 10Additional service instance definitions follow:
Router(config-if)# port-channel load-balance link 3Router(config-if-lb)# backup link 4Router(config-if-lb)# service-instance 10,20-22Router(config-if)# port-channel load-balance link 4Router(config-if-lb)# service-instance 30-40Router(config-if-lb)# group 10Router(config)# interface Port-channel2Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1Q 10Router(config-if)# port-channel load-balance link 3Router(config-if-lb)# backup link 7Router(config-if-lb)# service-instance 10Verification
Use the following commands to verify operation.
Troubleshooting Load Balancing Features
Table Table 4-20 provides troubleshooting solutions for the LoadBalancing features.
Table 4-20 Troubleshooting Scenarios
Storm Control on Switchports and Ports Having EVCs
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast or multicast traffic storm on physical interfaces. The traffic storm control level is set as a percentage of the total available bandwidth of the port.
For information on LAN-based Ethernet line card Broadcast Storm Control, see the chapter `Configuring Traffic Storm Control' in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide at: http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/storm.html.
This feature implements a mechanism to detect and control broadcast/multicast congestion/storm scenario via rate control mechanism in ES line cards.
Storm control for ES20 and ES+ cards is supported on:
•
Note
•
The feature is per port, not per EVC. Hence, all EVCs under the port are subject to the same storm control rate.
In Cisco IOS Release 15.0(1)S, the following storm control feature enhancements are covered on 67xx, 6196, ES20 and ES+ line cards:
•
•
•
Detecting a Broadcast Storm
A broadcast storm is detected when the following occurs:
•
•
Restrictions and Usage Guidelines
Use the following guidelines and restrictions while configuring traffic storm control:
Note
•
•
•
•
•
•
•
•
•
–
–
–
–
–
•
•
•
•
•
•
–
•
Configuring Storm Control on Ports with EVC Configurations
This section describes how to configure storm control on ports with EVC configurations.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Example
This example shows a configuration for ports with EVCs on them:
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 4/1Router(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 10Router(config-if)# storm-control multicast level 45
Configuring Storm Control on Switchports
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Example
This example shows a configuration for ports with switchport configuration:
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 4/1Router(config)# switchportRouter(config)# switchport mode trunkRouter(config)# storm-control multicast level 45Configuring Storm Control on Port Channels
Perform the following tasks to configure storm control on port channels:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
For more information regarding the commands, see the following command reference guides:
•
•
Example
The following is a sample configuration for storm control on a Layer 2 port channel on the ES+ line card:
interface Port-channel22switchportswitchport trunk encapsulation dot1qswitchport mode trunkstorm-control broadcast level 0.01storm-control multicast level 0.01storm-control action shutdownstorm-control action trapinterface GigabitEthernet2/13switchportswitchport mode trunkstorm-control broadcast level 0.01storm-control multicast level 0.01storm-control action shutdownstorm-control action trapchannel-group 22 mode oninterface GigabitEthernet2/21switchportswitchport mode trunkstorm-control broadcast level 0.01storm-control multicast level 0.01storm-control action shutdownstorm-control action trapchannel-group 22 mode onUse the show interfaces interface counters storm-control command to display the total suppression percentage of packets for the broadcast, multicast and unicast storm control traffic on all interfaces or on a specified interface. The storm control shutdown on an interface depends on the `TotalSuppDiscards' counter (displayed in the example). This counter increments when a traffic storm occurs.
Router# show interfaces counters storm-controlPort UcastSupp % McastSupp % BcastSupp % TotalSuppDiscardsGi1/1 100.00 100.00 100.00 0Gi1/2 100.00 100.00 100.00 0Gi1/3 100.00 100.00 100.00 0Gi1/4 100.00 100.00 100.00 0Gi1/5 100.00 100.00 100.00 0Gi1/6 100.00 100.00 100.00 0Gi1/7 100.00 20.00 20.00 2943374677Gi1/8 100.00 100.00 100.00 0Gi1/9 100.00 100.00 100.00 0Gi1/10 100.00 100.00 100.00 0Gi1/11 100.00 100.00 100.00 0Gi1/12 100.00 100.00 100.00 0Gi1/13 100.00 100.00 100.00 0Gi1/14 100.00 100.00 100.00 0Gi1/15 100.00 100.00 100.00 0Gi1/16 100.00 100.00 100.00 0Gi1/17 100.00 100.00 100.00 0Gi1/18 100.00 100.00 100.00 434529474Gi1/19 100.00 100.00 100.00 0Gi1/20 100.00 100.00 100.00 0Gi1/21 100.00 100.00 100.00 0Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscardsGi1/22 100.00 100.00 100.00 499018427Gi1/23 100.00 100.00 100.00 0Gi1/24 100.00 100.00 100.00 0Gi1/25 100.00 100.00 100.00 0Gi1/26 100.00 100.00 100.00 0Gi1/27 100.00 100.00 100.00 0Gi1/28 100.00 100.00 100.00 0Gi1/29 100.00 100.00 100.00 0Gi1/30 100.00 100.00 100.00 0Gi1/31 100.00 100.00 100.00 0Gi1/32 100.00 100.00 100.00 0Gi1/33 100.00 100.00 100.00 0Gi1/34 100.00 100.00 100.00 0Gi1/35 100.00 100.00 100.00 0Gi1/36 100.00 100.00 100.00 0Gi1/37 100.00 100.00 100.00 0Gi1/38 100.00 100.00 100.00 0Gi1/39 100.00 100.00 100.00 0Gi1/40 100.00 100.00 100.00 0Router#Router# show interfaces gig1/18 counters storm-controlPort UcastSupp % McastSupp % BcastSupp % TotalSuppDiscardsGi1/18 100.00 100.00 100.00 434529474Verification
Use the following commands to verify operation.
Table 4-21 Commands for Displaying Traffic Storm Control Status and Configuration
Router# show interfaces [{type1 slot/port} | switchport]
Displays the administrative and operational status of all Layer 2 LAN ports or the specified Layer 2 LAN port.
Router# show interfaces [{type1 slot/port} | counters storm-control
Router# show interfaces counters storm-control [module slot_number]
Displays the total number of packets discarded for all three traffic storm control modes, on all interfaces or on the specified interface.
1 type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
Storm Control over EVC
Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic, and degrading network performance.
Currently for ports where EVCs are configured, storm control can be configured per port. When you configure storm control on a port, policing is applied on all the traffic on that port. Each EVC in a port represents different types of customers such as different businesses or business and individuals on the same port. When a traffic storm occurs, all traffic on the port is blocked impacting customers on all the EVCs . To prevent this, service providers need to combine similar types of customers on the same port.
Effective with Cisco IOS 15.2(2)S, storm control is supported on EVCs and policing can be applied at the EVC level. This feature enables service providers to combine different type of customers on the same port.
Restrictions for Storm Control over EVC
Following restrictions apply to storm control over EVC:
•
•
•
•
•
•
•
•
•
•
Configuring Storm Control over EVC
Perform these steps to configure storm control over EVC feature.
Summary Steps
1.
2.
3.
or
interface port-channel number
4.
5.
6.
7.
8.
Detailed Steps
Note
Examples
This example shows how to configure storm control over an EVC.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 1/1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# bridge-domain 200Router(config-if-srv)# storm-control broadcast cir 11000000
Router(config-if)# end
This example shows how to configure storm control over a port channel EVC.
Router# enableRouter# configure terminalRouter(config)# interface port-channel 1Router(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 200Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# storm-control multicast cir 11000000
Router(config-if)# end
Verification
Use the show ethernet service instance id id interface type slot/port stats command to verify the storm control over EVC configuration.
Router# show ethernet service instance id 1204 interface gigabit ethernet 2/7 statsPort maximum number of service instances: 8000Service Instance 1204, Interface GigabitEthernet2/7Pkts In Bytes In Pkts Out Bytes Out2262238 452447600 150570 30114000StormControl Discard Pkts: 1809909
Asymmetric Carrier-Delay
During redundant link deployments where the remote network element is enabled, a link or port may be displayed as up before the port or link is ready to forward data. This anomaly leads to traffic loss during switchover as up events are notified faster than the required routing protocol convergence time. With existing conventional carrier delay, both up and down events are notified within equal time that might not be feasible in certain network deployments. Asymmetric carrier-delays ensure stable topologies compared to conventional carrier-delay implementation.
Table 4-22 lists the differences between the conventional carrier-delay and asymmetric carrier-delay implementations.
Table 4-22
Conventional Carrier-delay versus Asymmetric Carrier-delay
Restrictions and Usage Guidelines
•
•
•
•
•
Note
Configuring Asymmetric Carrier Delay
Perform these steps to configure asymmetric carrier delay.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Verification
You can use the show run command to display the carrier-delay configurations on an ES+ physical interface. The first example shows asymmetric carrier-delay configuration and the second example shows symmetric carrier delay configuration.
Router# show running-config interface GigabitEthernet 8/0/4Building configuration...Current configuration:!interface GigabitEthernet8/0/4no ip addresscarrier-delay up 300carrier-delay down 10shutdownRouter# show running-config interface GigabitEthernet 2/0/1Building configuration...Current configuration:!interface GigabitEthernet2/0/1no ip addresscarrier-delay msec 10shutdownManual Load Balancing for EVC over Port-Channel/LACP
The Manual Load Balancing for EVC over Port-Channel/LACP feature allows the user to specify the primary and multiple backup preferred member links for the service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for a given service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available or the user has neither configured the primary or the backup links, the 7600 platform automatically selects an egress interface for the given service instance. In this case, the user has no control over the egress interface.
If primary and backup links are configured and if the primary interface goes down, one of the backup links is selected as the egress interface. At this stage, when the primary interface comes up, there is a switch back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup link in the list is used. This continues until an available backup link is found.
This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic. In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with current service instance feature support and supports the existing scale of 8000 service instance per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.
Restrictions and Usage Guidelines
When configuring Manual Load Balancing for EVC over Port-Channel/LACP, follow these guidelines and restrictions:
•
–
–
For example, let's say there are 8 member links in the port-channel. The load share of the member links is allocated by the port manager as follows,
Member 1—Load share bit 0, Member 2—Load share bit 1,
Member 3—Load share bit 2, Member 4—Load share bit 3,
Member 5—Load share bit 4, Member 6—Load share bit 5,
Member 6—Load share bit 6, Member 7—Load share bit 7.
Now when the user configures Member 1 with link ID 2, the port manager code now allocates load share bit 2 to member 1. So, the new assignments are,
Member 1—Load share bit 2, Member 3—Load share bit 0 (The load share of other members remains the same.)
Consider the example where the platform has chosen an egress link that has the load share bit 2. Before the user has configured the link ID = 2 for Member 1, this EFP traffic has been sent over Member 3. After the user configuration, since member 1 now has the load share bit = 2, this traffic is now be sent over member 1.
The reverse also happens; traffic that was going through member 1 before the user configuration now goes through member 3.
Configuring Manual Load Balancing for EVC over Port-Channel/LACP
This section describes how to configure manual load balancing for EVC over Port-Channel/LACP.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Example
The following example shows four member links across two different channel-groups:
Router(config)# interface Gi0/1Router(config-if)# channel-group 1 mode on link 3Router(config)# interface Gi0/2Router(config-if)# channel-group 1 mode on link 4Router(config)# interface Gi0/3Router(config-if)# channel-group 2 mode on link 3Router(config)# interface Gi0/4Router(config-if)# channel-group 2 mode on link 7Router(config)# interface Port-channel1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1Q 10Router(config-if-srv)# service instance 20 ethernetRouter(config-if-srv)# encapsulation dot1Q 20Router(config-if-srv)# service instance 60 ethernetRouter(config-if-srv)# group 10Router(config-if-srv)# service instance 70 ethernetRouter(config-if-srv)# group 10Additional service instance definitions follow:
Router(config-if)# port-channel load-balance link 3Router(config-if-lb)# backup link 4Router(config-if-lb)# service-instance 10,20-22Router(config-if)# port-channel load-balance link 4Router(config-if-lb)# service-instance 30-40Router(config-if-lb)# group 10Router(config)# interface Port-channel2Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1Q 10Router(config-if)# port-channel load-balance link 3Router(config-if-lb)# backup link 7Router(config-if-lb)# service-instance 10Verification
Use the following commands to verify operation.
EVC Port Channel Per Flow Load Balancing
EVC port channel per flow load balancing is implemented to load balance traffic across member links of a port channel when EVCs are configured. If this type of load balancing is not configured, EVCs configured on a port channel are statically mapped to one of the active port-channel member links, which results in the outgoing traffic being limited to the bandwidth of the member link.
In a flow based load balancing on EVC port channel, different flows of traffic over an EVC interface are identified based on the data packet header. For example, the source and destination address of the data packet can be used to identify a flow. The various data traffic flows are then mapped to the different member links of a port channel. After the mapping is complete, the data traffic is transmitted through the assigned member link. The flow mapping is dynamic and changes when there is any change in the state of a member link to which a flow is assigned. The flow mappings can also change if member links are added or removed from the EVC interface. Multiple flows can be mapped to each member link.
Table 4-24 lists the ACL support for EVC port channel with per-flow load balancing.
Table 4-24 ACL Support for
Port Channel Per-flow Load Balancing
Ingress ACLs are internally configured on every member interface because the traffic can enter any of the member links. Therefore, the load balancing algorithm does not change the way the ingress ACLs behave.
When per-flow load balancing is configured on the port-channel, traffic for an EVC can exit from any of the member links. Therefore, with the per-flow load balancing feature enabled on the port channel, the egress ACL is internally configured on each of the member links in the egress direction. When the per-flow load balancing configuration is removed from the port-channel interface, the egress ACL information is internally removed from each active member link, and configured on the member selected by the load balancing algorithm.
Restrictions
Following restrictions apply for EVC port channel per flow load balancing:
•
•
•
•
•
•
Configuring EVC Port Channel Per Flow Load Balancing
This section describes how to configure flow based load balancing on EVC port channel.
Summary Steps
1.
2.
3.
4.
5.
Detailed Steps
Example
This example shows configuring flow based load balancing on a port channel interface.
Router# enableRouter# configure terminalRouter(config)# interface Port-channel 1Router(config-if)# bandwidth 1000000Router(config-if)# port-channel load-balance flow-based
Router(config-if)# end
Verification
Use the show running-config interface port-channel channel-number command to verify the EVC port channel per flow load balancing configuration.
Router# enableRouter# configure terminalRouter(config)# interface Port-channel 2Router(config-if)# port-channel load-balance flow-based
Router(config-if)# bandwidth 1000000
Router(config-if)# end
Router# show running-config interface Port-channel 2
Building configuration...
Current configuration : 113 bytes
!
interface Port-channel2
band width 1000000
no ip address
port-channel load-balance flow-based
end
Configuring Layer 3 and Layer 4 ACLs
This section describes how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per flow load balancing.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Configuration Examples
This example shows how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per flow load balancing.
Router# enableRouter# configure terminalRouter(config)# interface port-channel 4Router(config-if)# mtu 9216Router(config-if)# no ip addressRouter(config-if)# port-channel load-balance flow-basedRouter(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 2Router(config-if-srv)# ip access-group acl3 outRouter(config-if-srv)# xconnect 2.2.2.2 2 encapsulation mplsRouter(config-if-srv)# endVerification
Use the show ip access-lists access-list-name command to list the ACL configuration.
Router# show ip access-lists acl3Extended IP access list acl310 permit tcp any eq 1003 any eq 5003Use the show ethernet service instance id id command to display information about ethernet customer service instances.
Router# show ethernet service instance id 3interface port-channel 4 stats Port maximum number of service instances: 8000 Service Instance 3, Interface Port-channel4Pkts In Bytes In Pkts Out Bytes Out0 0 14359328 1794916000SACL permit out count: 14362672SACL deny out count: 504376
Multichassis Support for LACP
Configured at the edge of a provider's network, Multichassis Link Aggregation Control Protocol (MLACP) features performs the following actions:
•
•
Each switch is a point of attachments (PoA), where one PoA is active, and the other is a standby, and the active PoA executes the multichassis link aggregation group with a DHD. A virtual LACP peer on the PoA is created giving the impression that a DHD is connected to one node.
shows the placement of PoAs and DHDs in an MLACP configuration.
Figure 4-5 Placement of PoAs and DHDs in an MLACP Implementation
The status of the PoAs during traffic relay are:
•
•
•
•
A switchover from an active PoA to a standby PoA occurs when there is a failure on the:
•
•
•
•
The default switchover mechanism uses dynamic port priority changes on the port channel and member link(s) to provide revertive mode and nonrevertive mode options. The default operation in a multi- chassis LACP is revertive.
Bruteforce is a switchover mechanism where the member link is in a err-disable state after a switchover. To recover the port channel and enable the member link on a new standby PoA, use the err disable recovery cause mlacp-minlink command in the global configuration mode.
Use the lacp max-bundle command on all the PoAs to operate in the PoA control and shared control modes. The max-bundle value argument should not be less than the total number of links in the Link Aggregation Group (LAG) that are connected to the PoA. Each PoA may be connected to the DHD with a different number of links for the LAG and, therefore, configured with a different value for the max-bundle value argument.
Note
Requirements and Restrictions
Follow these requirements and restrictions when configuring the MLACP feature in a ES40 line card:
•
•
•
•
•
•
•
–
–
–
–
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
–
–
The recommended configuration sequence is:
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPS
Examples
The following is a configuration example for Virtual Private Wire Services (VPWS):
ACTIVE POA
redundancyinterchassis group 100monitor peer bfdmember ip 172.3.3.3backbone interface GigabitEthernet2/3backbone interface GigabitEthernet2/4mlacp system-priority 200mlacp node-id 0!interface Port-channel1no ip addressload-interval 30speed nonegotiateport-channel min-links 4lacp failover brute-forcelacp fast-switchoverlacp max-bundle 4mlacp lag-priority 28000mlacp interchassis group 100service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricxconnect 172.2.2.2 2 pw-class mlacpbackup peer 172.4.4.4 2 pw-class mlacp!pseudowire-class mlacpencapsulation mplsstatus peer topology dual-homedmpls ldp graceful-restart!!interface Loopback0ip address 172.1.1.1 255.255.255.255!interface GigabitEthernet2/3ip address 120.0.0.1 255.255.255.0carrier-delay msec 0mpls ipbfd interval 100 min_rx 100 multiplier 3!interface GigabitEthernet2/9no ip addressspeed 1000channel-group 1 mode activeUse the show lacp multi-chassis group command to display the interchassis redundancy group value and the operational LACP parameters.
MLACP-PE1#show lacp multi-chassis group 100Interchassis Redundancy Group 100Operational LACP Parameters:RG State: SynchronizedSystem-Id: 200.000a.f331.2680ICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 0System-Id: 200.000a.f331.2680Peer Information:State: UpNode-id: 7System-Id: 2000.0014.6a8b.c680ICCP Version: 0State Flags: Active - AStandby - SDown - DAdminDown - ADStandby Reverting - SRUnknown - UmLACP Channel-groupsChannel State Priority Active Links Inactive LinksGroup Local/Peer Local/Peer Local/Peer Local/Peer1 A/S 28000/32768 4/4 0/0Use the show lacp multi-chassis portchannel command to display the interface port-channel value
channel group, LAG state, priority, inactive links peer configuration, and standby links.
MLACP-PE1#show lacp multi-chassis port-channel 1Interface Port-channel1Local Configuration:Address: 000a.f331.2680Channel Group: 1State: ActiveLAG State: UpPriority: 28000Inactive Links: 0Total Active Links: 4Bundled: 4Selected: 4Standby: 0Unselected: 0Peer Configuration:Interface: Port-channel1Address: 0014.6a8b.c680Channel Group: 1State: StandbyLAG State: UpPriority: 32768Inactive Links: 0Total Active Links: 4Bundled: 0Selected: 0Standby: 4Unselected: 0Use the show mpls ldp iccp command to display the LDP session and ICCP state information.
MLACP-PE1#show mpls ldp iccpICPM RGID Tableiccp:rg_id: 100, peer addr: 172.3.3.3ldp_session 0x3, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM RGID Table total ICCP sessions: 1ICPM LDP Session Tableiccp:rg_id: 100, peer addr: 172.3.3.3ldp_session 0x3, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM LDP Session Table total ICCP sessions: 1Use the show mpls l2transport command to display the local interface and session details, destination address, and status.
MLACP-PE1#show mpls l2transport vc 2Local intf Local circuit Dest address VC ID Status------------- -------------------------- --------------- ---------- ----------Po1 Eth VLAN 2 172.2.2.2 2 UPPo1 Eth VLAN 2 172.4.4.4 2 STANDBYUse the show etherchannel summary command to display the status and identity of the MLACP member links.
MLACP-PE1#show etherchannel summaryFlags: D - down P - bundled in port-channelI - stand-alone s - suspendedH - Hot-standby (LACP only)R - Layer3 S - Layer2U - in use f - failed to allocate aggregatorM - not in use, minimum links not metu - unsuitable for bundlingw - waiting to be aggregatedd - default portNumber of channel-groups in use: 2Number of aggregators: 2Group Port-channel Protocol Ports------+-------------+-----------+-----------------------------------------------1 Po1(RU) LACP Gi2/9(P) Gi2/20(P) Gi2/31(P)Use the show lacp internal command to display the device, port, and member- link information.
MLACP-PE1#show lacp internalFlags: S - Device is requesting Slow LACPDUsF - Device is requesting Fast LACPDUsA - Device is in Active mode P - Device is in Passive modeChannel group 1LACP port Admin Oper Port PortPort Flags State Priority Key Key Number StateGi2/9 SA bndl-act 28000 0x1 0x1 0x820A 0x3DGi2/20 SA bndl-act 28000 0x1 0x1 0x8215 0x3DGi2/31 SA bndl-act 28000 0x1 0x1 0x8220 0x3DGi2/40 SA bndl-act 28000 0x1 0x1 0x8229 0x3DPeer (MLACP-PE3) mLACP member linksGi3/11 FA hot-sby 32768 0x1 0x1 0xF30C 0x5Gi3/21 FA hot-sby 32768 0x1 0x1 0xF316 0x5Gi3/32 FA hot-sby 32768 0x1 0x1 0xF321 0x7Gi3/2 FA hot-sby 32768 0x1 0x1 0xF303 0x7POA2
redundancyinterchassis group 100monitor peer bfdmember ip 172.1.1.1backbone interface GigabitEthernet3/3backbone interface GigabitEthernet3/5mlacp system-priority 2000mlacp node-id 7!interface Port-channel1no ip addressload-interval 30speed nonegotiateport-channel min-links 4lacp failover brute-forcelacp fast-switchoverlacp max-bundle 4mlacp interchassis group 100service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricxconnect 172.2.2.2 2 pw-class mlacpbackup peer 172.4.4.4 2 pw-class mlacp!pseudowire-class mlacpencapsulation mplsstatus peer topology dual-homedmpls ldp graceful-restart!!interface Loopback0ip address 172.3.3.3 255.255.255.255!interface GigabitEthernet3/2channel-group 1 mode active!interface GigabitEthernet3/3ip address 123.0.0.2 255.255.255.0mpls ipmpls label protocol ldpbfd interval 100 min_rx 100 multiplier 3!Use the show lacp multi-chassis group command to display the LACP parameters, local configuration, status of the backbone uplink, peer information, node ID, channel, state, priority active, and inactive links.
MLACP-PE3#show lacp multi-chassis group 100Interchassis Redundancy Group 100Operational LACP Parameters:RG State: SynchronizedSystem-Id: 200.000a.f331.2680ICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 7System-Id: 2000.0014.6a8b.c680Peer Information:State: UpNode-id: 0System-Id: 200.000a.f331.2680ICCP Version: 0State Flags: Active - AStandby - SDown - DAdminDown - ADStandby Reverting - SRUnknown - UmLACP Channel-groupsChannel State Priority Active Links Inactive LinksGroup Local/Peer Local/Peer Local/Peer Local/Peer1 S/A 32768/28000 4/4 0/0Use the show lacp multi-chassis portchannel command to display the interface port-channel value channel group, LAG state, priority, inactive links peer configuration, and standby links.
MLACP-PE3#show lacp multi-chassis port-channel 1Interface Port-channel1Local Configuration:Address: 0014.6a8b.c680Channel Group: 1State: StandbyLAG State: UpPriority: 32768Inactive Links: 0Total Active Links: 4Bundled: 0Selected: 0Standby: 4Unselected: 0Peer Configuration:Interface: Port-channel1Address: 000a.f331.2680Channel Group: 1State: ActiveLAG State: UpPriority: 28000Inactive Links: 0Total Active Links: 4Bundled: 4Selected: 4Standby: 0Unselected: 0Use the show mpls ldp iccp command to display the LDP session and ICCP state information.
MLACP-PE3#show mpls ldp iccpICPM RGID Tableiccp:rg_id: 100, peer addr: 172.1.1.1ldp_session 0x2, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM RGID Table total ICCP sessions: 1ICPM LDP Session Tableiccp:rg_id: 100, peer addr: 172.1.1.1ldp_session 0x2, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM LDP Session Table total ICCP sessions: 1MLACP-PE3#sh mpls l2transport vc 2Local intf Local circuit Dest address VC ID Status------------- -------------------------- --------------- ---------- ----------Po1 Eth VLAN 2 172.2.2.2 2 STANDBYPo1 Eth VLAN 2 172.4.4.4 2 STANDBYUse the show etherchannel summary command to display the status and identity of the MLACP member links.
MLACP-PE3#show etherchannel summaryFlags: D - down P - bundled in port-channelI - stand-alone s - suspendedH - Hot-standby (LACP only)R - Layer3 S - Layer2U - in use f - failed to allocate aggregatorM - not in use, minimum links not metu - unsuitable for bundlingw - waiting to be aggregatedd - default portNumber of channel-groups in use: 2Number of aggregators: 2Group Port-channel Protocol Ports------+-------------+-----------+-----------------------------------------------1 Po1(RU) LACP Gi3/2(P) Gi3/11(P) Gi3/21(P)Gi3/32(P)Use the show lacp internal command to display the device, port, and member- link information.
MLACP-PE3#show lacp 1 internalFlags: S - Device is requesting Slow LACPDUsF - Device is requesting Fast LACPDUsA - Device is in Active mode P - Device is in Passive modeChannel group 1LACP port Admin Oper Port PortPort Flags State Priority Key Key Number StateGi3/2 FA bndl-sby 32768 0x1 0x1 0xF303 0x7Gi3/11 FA bndl-sby 32768 0x1 0x1 0xF30C 0x5Gi3/21 FA bndl-sby 32768 0x1 0x1 0xF316 0x5Gi3/32 FA bndl-sby 32768 0x1 0x1 0xF321 0x7Peer (MLACP-PE1) mLACP member linksGi2/20 SA bndl 28000 0x1 0x1 0x8215 0x3DGi2/31 SA bndl 28000 0x1 0x1 0x8220 0x3DGi2/40 SA bndl 28000 0x1 0x1 0x8229 0x3DGi2/9 SA bndl 28000 0x1 0x1 0x820A 0x3DMLACP-PE3#The following is a configuration example for a Virtual Private Lan Service (VPLS):
Active POA
redundancyinterchassis group 100monitor peer bfdmember ip 172.3.3.3backbone interface GigabitEthernet2/3backbone interface GigabitEthernet2/4mlacp system-priority 200mlacp node-id 0!interface Port-channel1no ip addressspeed nonegotiateport-channel min-links 2lacp fast-switchoverlacp max-bundle 4mlacp lag-priority 28800mlacp interchassis group 100service instance 4000 ethernetencapsulation dot1q 4000rewrite ingress tag pop 1 symmetricbridge-domain 4000!l2 vfi VPLS manualvpn id 4000neighbor 172.2.2.2 encapsulation mplsneighbor 172.4.4.4 encapsulation mplsstatus decoupled!interface Vlan4000xconnect vfi VPLS!mpls ldp graceful-restart!interface Loopback0ip address 172.1.1.1 255.255.255.255!interface GigabitEthernet2/3ip address 120.0.0.1 255.255.255.0carrier-delay 0mpls ipbfd interval 100 min_rx 100 multiplier 3!interface GigabitEthernet2/9channel-group 1 mode active!Use the show lacp mg command to display the LACP parameters, local configuration, status of the
backbone uplink, peer information, node ID, channel, state, priority active, and inactive links.
MLACP-PE1# show lacp multi-chassis group 100Interchassis Redundancy Group 100Operational LACP Parameters:RG State: SynchronizedSystem-Id: 200.000a.f331.2680ICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 0System-Id: 200.000a.f331.2680Peer Information:State: UpNode-id: 7System-Id: 2000.0014.6a8b.c680ICCP Version: 0State Flags: Active - AStandby - SDown - DAdminDown - ADStandby Reverting - SRUnknown - UmLACP Channel-groupsChannel State Priority Active Links Inactive LinksGroup Local/Peer Local/Peer Local/Peer Local/Peer1 A/S 28000/32768 4/4 0/0Use the show lacp multi-chassis portchannel command to display the interface port-channel value
channel group, LAG state, priority, inactive links peer configuration, and standby links.
MLACP-PE1# show lacp multi-chassis port-channel 1Interface Port-channel1Local Configuration:Address: 000a.f331.2680Channel Group: 1State: ActiveLAG State: UpPriority: 28000Inactive Links: 0Total Active Links: 4Bundled: 4Selected: 4Standby: 0Unselected: 0Peer Configuration:Interface: Port-channel1Address: 0014.6a8b.c680Channel Group: 1State: StandbyLAG State: UpPriority: 32768Inactive Links: 0Total Active Links: 4Bundled: 0Selected: 0Standby: 4Unselected: 0Use the show mpls ldp iccp command to display the LDP session and ICCP state information.
MLACP-PE1# show mpls ldp iccpICPM RGID Tableiccp:rg_id: 100, peer addr: 172.3.3.3ldp_session 0x3, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM RGID Table total ICCP sessions: 1ICPM LDP Session Tableiccp:rg_id: 100, peer addr: 172.3.3.3ldp_session 0x3, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM LDP Session Table total ICCP sessions: 1Use the show mpls l2transport command to display the local interface and session details, destination address, and the status.
MLACP-PE1# show mpls l2transport vc 4000Local intf Local circuit Dest address VC ID Status------------- -------------------------- --------------- ---------- ----------VFI VPLS VFI 172.2.2.2 4000 UPVFI VPLS VFI 172.4.4.4 4000 UPUse the show etherchannel summary command to display the status and identity of the MLACP member links.
MLACP-PE1# show etherchannel summaryFlags: D - down P - bundled in port-channelI - stand-alone s - suspendedH - Hot-standby (LACP only)R - Layer3 S - Layer2U - in use f - failed to allocate aggregatorM - not in use, minimum links not metu - unsuitable for bundlingw - waiting to be aggregatedd - default portNumber of channel-groups in use: 2Number of aggregators: 2Group Port-channel Protocol Ports------+-------------+-----------+-----------------------------------------------1 Po1(RU) LACP Gi2/9(P) Gi2/20(P) Gi2/31(P)Gi2/40(P)Use the show lacp internal command to display the device, port, and member-link information.
MLACP-PE1# show lacp internalFlags: S - Device is requesting Slow LACPDUsF - Device is requesting Fast LACPDUsA - Device is in Active mode P - Device is in Passive modeChannel group 1LACP port Admin Oper Port PortPort Flags State Priority Key Key Number StateGi2/9 SA bndl-act 28000 0x1 0x1 0x820A 0x3DGi2/20 SA bndl-act 28000 0x1 0x1 0x8215 0x3DGi2/31 SA bndl-act 28000 0x1 0x1 0x8220 0x3DGi2/40 SA bndl-act 28000 0x1 0x1 0x8229 0x3DPeer (MLACP-PE3) mLACP member linksGi3/11 FA hot-sby 32768 0x1 0x1 0xF30C 0x5Gi3/21 FA hot-sby 32768 0x1 0x1 0xF316 0x5Gi3/32 FA hot-sby 32768 0x1 0x1 0xF321 0x7Gi3/2 FA hot-sby 32768 0x1 0x1 0xF303 0x7Configuration example on a standby PoA:
redundancyinterchassis group 100monitor peer bfdmember ip 172.1.1.1backbone interface GigabitEthernet3/3backbone interface GigabitEthernet3/5mlacp system-priority 2000mlacp node-id 7!interface Port-channel1no ip addressspeed nonegotiateport-channel min-links 2lacp fast-switchoverlacp max-bundle 4mlacp lag-priority 28800mlacp interchassis group 100service instance 4000 ethernetencapsulation dot1q 4000rewrite ingress tag pop 1 symmetricbridge-domain 4000!l2 vfi VPLS manualvpn id 4000neighbor 172.2.2.2 encapsulation mplsneighbor 172.4.4.4 encapsulation mplsstatus decoupled!interface Vlan4000xconnect vfi VPLS!mpls ldp graceful-restart!!interface Loopback0ip address 172.3.3.3 255.255.255.255!interface GigabitEthernet3/2channel-group 1 mode active!interface GigabitEthernet3/3ip address 123.0.0.2 255.255.255.0mpls ipmpls label protocol ldpbfd interval 100 min_rx 100 multiplier 3!Use the show lacp multi-chassis group interchassis group number command to display the LACP parameters, local configuration, status of the backbone uplink, peer information, nodeID, channel, state, priority, active, and inactive links.
MLACP-PE3# show lacp multi-chassis group 100Interchassis Redundancy Group 100Operational LACP Parameters:RG State: SynchronizedSystem-Id: 200.000a.f331.2680ICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 7System-Id: 2000.0014.6a8b.c680Peer Information:State: UpNode-id: 0System-Id: 200.000a.f331.2680ICCP Version: 0State Flags: Active - AStandby - SDown - DAdminDown - ADStandby Reverting - SRUnknown - UmLACP Channel-groupsChannel State Priority Active Links Inactive LinksGroup Local/Peer Local/Peer Local/Peer Local/Peer1 S/A 32768/28000 4/4 0/0Use the show lacp multi-chassis portchannel command to display the interface port-channel value
channel group, LAG state, priority, inactive links peer configuration, and standby links.
MLACP-PE3# show lacp multi-chassis port-channel 1Interface Port-channel1Local Configuration:Address: 0014.6a8b.c680Channel Group: 1State: StandbyLAG State: UpPriority: 32768Inactive Links: 0Total Active Links: 4Bundled: 0Selected: 0Standby: 4Unselected: 0Peer Configuration:Interface: Port-channel1Address: 000a.f331.2680Channel Group: 1State: ActiveLAG State: UpPriority: 28000Inactive Links: 0Total Active Links: 4Bundled: 4Selected: 4Standby: 0Unselected: 0MLACP-PE3# show mpls ldp iccpICPM RGID Tableiccp:rg_id: 100, peer addr: 172.1.1.1ldp_session 0x2, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM RGID Table total ICCP sessions: 1ICPM LDP Session Tableiccp:rg_id: 100, peer addr: 172.1.1.1ldp_session 0x2, client_id 0iccp state: ICPM_ICCP_CONNECTEDapp type: MLACPapp state: ICPM_APP_CONNECTED, ptcl ver: 0ICPM LDP Session Table total ICCP sessions: 1MLACP-PE3# sh mpls l2transport vc 2Local intf Local circuit Dest address VC ID Status------------- -------------------------- --------------- ---------- ----------VFI VPLS VFI 172.2.2.2 4000 UPVFI VPLS VFI 172.4.4.4 4000 UPUse the show etherchannel summary command to display the status and identity of the MLACP member
links.
MLACP-PE3#show etherchannel summaryFlags: D - down P - bundled in port-channelI - stand-alone s - suspendedH - Hot-standby (LACP only)R - Layer3 S - Layer2U - in use f - failed to allocate aggregatorM - not in use, minimum links not metu - unsuitable for bundlingw - waiting to be aggregatedd - default portNumber of channel-groups in use: 2Number of aggregators: 2Group Port-channel Protocol Ports------+-------------+-----------+-----------------------------------------------1 Po1(RU) LACP Gi3/2(P) Gi3/11(P) Gi3/21(P)Gi3/32(P)Use the show lacp internal command to display the device, port, and member- link information.
MLACP-PE3# show lacp 1 internalFlags: S - Device is requesting Slow LACPDUsF - Device is requesting Fast LACPDUsA - Device is in Active mode P - Device is in Passive modeChannel group 1LACP port Admin Oper Port PortPort Flags State Priority Key Key Number StateGi3/2 FA bndl-sby 32768 0x1 0x1 0xF303 0x7Gi3/11 FA bndl-sby 32768 0x1 0x1 0xF30C 0x5Gi3/21 FA bndl-sby 32768 0x1 0x1 0xF316 0x5Gi3/32 FA bndl-sby 32768 0x1 0x1 0xF321 0x7Peer (MLACP-PE1) mLACP member linksGi2/20 SA bndl 28000 0x1 0x1 0x8215 0x3DGi2/31 SA bndl 28000 0x1 0x1 0x8220 0x3DGi2/40 SA bndl 28000 0x1 0x1 0x8229 0x3DGi2/9 SA bndl 28000 0x1 0x1 0x820A 0x3DMLACP-PE3#Pseudo MLACP Support on Cisco 7600
In dual homing, a device is connected to the network using two independent access points or points of attachments (POAs). One POA is the primary connection and the other is a standby connection that is activated in the event of a failure of the primary connection. The Multi-chassis Link Aggregation Protocol (MLACP) solution is an active and standby Provider Edge (PE) redundancy mechanism. The Pseudo MLACP (PMLACP) feature introduced in Cisco IOS release 15.1(3)S, provides a flexible dual homing redundancy mechanism where both the connections are in the active mode (active-active mode). In PMLACP implementation, a PMLACP application is implemented on the PE router. Both the POA ports are placed in active mode with manual VLAN load balancing.
PMLACP provides higher bandwidth utilization than MLACP and other active and standby link level schemes. PMLACP provides VLAN based redundancy by allowing you to configure one primary and one secondary interface pair for each member VLAN. The POAs determine which POA is active and standby for each VLAN on a Multi-Chassis Link Aggregation (MLAG) and only the active POA forwards frames for the respective VLAN. Additionally PMLACP allows maximum flexibility for the PE-CE inter operability in terms of dual-homing redundancy and failover recovery.
Figure 4-6 explains the PMLACP implementation with manual VLAN load-balancing configuration.
Figure 4-6 PMLACP Implementation
In the illustration, POA ports are configured for a PMLACP role, and ports are configured in active-active mode with manual VLAN load-balancing. The POAs are configured to allow certain VLANs on one of their downlinks but not the other VLANs. The POA activates its uplinks for locally active VLANs. DHD is configured to enable all VLANs on both its uplinks. Traffic from DHD is initially flooded on both uplinks until DHD learns which uplink is active for which VLANs.
Failover Operations
The PMLACP feature provides network resiliency by protecting against port, link, and node failures.
Figure 4-7 explains the failure points in a network.
Figure 4-7
PMLACP Failover Protection
These failures can be categorized into five types.
•
•
•
•
•
The failover operations are triggered by three different events.
•
•
•
All the three failover events involve the peer POA receiving a notification of the failure. At this point the receiving standby POA completes the following steps:
1.
2.
3.
Failure Recovery
PMLACP uses revertive mode after a failure recovery to support the active-active model. The reversal process is also similar to the failover process. The standby POA initates the reversal for each VLAN by indicating that the POA is relinquishing its active role for the VLAN. This is done though an ICCP PLACP interface state TLV message, which indicates that it is no longer in active mode for the affected VLANs. Upon TLV receipt, the recovering POA unblocks the affected VLANs and triggers the MAC flushes towards access side and core side.
Revertive mode is enabled by default. If you want to choose when to trigger reversion after the failover recovery, you can configure non revertive mode. The non revertive mode is enabled by configuring the command lacp failover non-revertive under port channel.
Restrictions for PMLACP on Cisco 7600
Follow this restrictions and usage guidelines while configuring PMLACP.
•
•
•
•
•
•
•
•
•
•
•
–
–
–
Configuring PMLACP on Cisco 7600
Complete the following steps to configure PMLACP on the Cisco 7600 router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
or
brige-domain bridge-domain-id
30.
31.
32.
33.
34.
DETAILED STEPS
Configuration Examples
This is a configuration example for PMLACP with EVC xconnect on two POAs, A and B. In this example primary VLAN range is configured as 100-109 on router A and 110-120 on router B. The VLAN range is interchanged so that the primary VLAN range of router A becomes the secondary VLAN range in router B and the secondary VLAN range of router A becomes the primary VLAN range in router B.
RouterA> enableRouterA# configure terminalRouterA(config)# pseudowire-class vpwsRouterA(config-pw-class)# encapsulation mplsRouterA(config-pw-class)# status peer topology dual-homedRouterA(config-pw-class)# exitRouterA(config)# l2 vfi vpls manualRouterA(config-vfi)# vpn id 100RouterA(config-vfi)# neighbor 3.3.3.3 encapsulation mplsRouterA(config-vfi)# exitRouterA(config)# redundancyRouterA(config-red)# interchassis group 100RouterA(config-r-ic)# monitor peer bfdRouterA(config-r-ic)# member ip 2.2.2.2RouterA(config-r-ic)# backbone interface GigabitEthernet8/0/10RouterA(config-r-ic)# mlacp system-priority 100RouterA(config-r-ic)# mlacp node-id 1Router(config)# interface Port-channel10RouterA(config-if)# no ip addressRouterA(config-if)# mlacp interchassis group 100RouterA(config-if)# mlacp mode active-activeRouterA(config-if)# mlacp load-balance primary vlan 100-109RouterA(config-if)# mlacp load-balance secondary vlan 110-120RouterA(config-if)# ethernet vlan color-block allRouterA(config-if)# service instance 10 ethernetRouterA(config-if-srv)# encapsulation dot1q 100RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetricRouterA(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpwsRouterA(config-if-srv)# backup peer 4.3.3.3 91RouterA(config-if)# service instance 11 ethernetRouterA(config-if-srv)# encapsulation dot1q 101RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetricRouterA(config-if-srv)# bridge-domain 201RouterA(config-if-srv)# exitRouterA(config-if)# exitRouterA(config)# interface vlan 201RouterA(config-if)# no shutdown
RouterA(config-if)# xconnect vfi vpls
RouterA(config-if)# endRouterB> enableRouterB# configure terminalRouterB(config)# pseudowire-class vpwsRouterB(config-pw-class)# encapsulation mplsRouterB(config-pw-class)# status peer topology dual-homedRouterB(config-pw-class)# exitRouterB(config)# l2 vfi vpls manualRouterB(config-vfi)# vpn id 100RouterB(config-vfi)# neighbor 3.3.3.3 encapsulation mplsRouterB(config-vfi)# exitRouterB(config)# redundancyRouterB(config-red)# interchassis group 100RouterB(config-r-ic)# monitor peer bfdRouterB(config-r-ic)# member ip 1.1.1.1RouterB(config-r-ic)# backbone interface GigabitEthernet8/0/10RouterB(config-r-ic)# mlacp system-priority 100RouterB(config-r-ic)# mlacp node-id 2Router(config)# interface Port-channel 10RouterB(config-if)# no ip addressRouterB(config-if)# mlacp interchassis group 100RouterB(config-if)# mlacp mode active-activeRouterB(config-if)# mlacp load-balance primary vlan 110-120RouterB(config-if)# mlacp load-balance secondary vlan 100-109RouterB(config-if)# ethernet vlan color-block allRouterB(config-if)# service instance 10 ethernetRouterB(config-if-srv)# encapsulation dot1q 100RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetricRouterB(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpwsRouterB(config-if-srv)# backup peer 4.3.3.3 91RouterB(config-if)# service instance 11 ethernetRouterB(config-if-srv)# encapsulation dot1q 101RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetricRouterB(config-if-srv)# bridge-domain 201RouterB(config-if-srv)# exitRouterB(config-if)# exitRouterB(config)# interface vlan 201RouterB(config-if)# no shutdownRouterB(config-if)# xconnect vfi vpls
RouterB(config-if)# endVerification
Use the show lacp multi-chassis load-balance port-channel number command to verify the PMLACP configuration information on the port channel interface.
PE1# show lacp multi-chassis load-balance port-channel 10Interface Port-Channel 10Local Configuration:P-mLACP Enabled: YesRedundancy Group: 100Revertive Mode: Non-RevertivePrimary VLANs: 4001-4002,4004-4005,4007-4010Secondary VLANs: 4012-4013,4015-4016,4018-4021Local Interface State:Interface ID: 10Port State: UpPrimary VLAN State: StandbySecondary VLAN State: StandbyPeer Interface State:Interface ID: 10Primary VLAN State: ActiveSecondary VLAN State: ActiveUse the show lacp multi-chassis group command to display the interchassis redundancy group and the operational LACP parameters.
PE1# show lacp multi-chassis group
Interchassis Redundancy Group 100Operational LACP Parameters:RG State: SynchronizedSystem-Id: 32768.001b.0de6.3080ICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 1System-Id: 32768.001b.0de6.3080Peer Information:State: UpNode-id: 2System-Id: 32768.f866.f2d2.6680ICCP Version: 0State Flags: Active - AStandby - SDown - DAdminDown - ADStandby Reverting - SRUnknown - UmLACP Channel-groupsChannel State Priority Active Links Inactive LinksGroup Local/Peer Local/Peer Local/Peer Local/Peer10 A/A 32768/32768 2/2 0/0Redundancy Group 100 (0x64)Applications connected: mLACP, Pseudo-mLACPMonitor mode: BFDmember ip: 2.2.2.2 "PE2", CONNECTEDBFD neighbor: GigabitEthernet2/9, next hop 192.168.41.2, UPmLACP state: CONNECTEDPseudo-mLACP state: CONNECTED
backbone int GigabitEthernet8/0/9: UP (IP)ICRM fast-failure detection neighbor tableIP Address Status Type Next-hop IP Interface========== ====== ==== =========== =========2.2.2.2 UP BFD 192.168.41.2 GigabitEthernet2/9Use the show lacp multi-chassis load-balance group command to display the PMLACP configuration information including redundancy group, link states and interface status.
PE2#sh lacp multi-chassis load-balance group
Interchassis Redundancy Group 100RG State: SynchronizedICCP Version: 0Backbone Uplink Status: ConnectedLocal Configuration:Node-id: 2Peer Information:State: UpNode-id: 1ICCP Version: 0States: Active - ACT Standby - SBYDown - DN AdminDown - ADNUnknown - UN Reverting - REVP-mLACP InterfacesInterface Port State Local VLAN State Peer VLAN StateID Local Primary/Secondary Primary/Secondary10 ADN ADN/ADN DN/DN34 UP ACT/SBY ACT/SBYTroubleshooting Tips
Table 4-25 Troubleshooting
Tips
Layer 2 Tunneling Protocol Version 3 (L2TPv3)
The L2TPv3 feature employs L2TPv3 and pseudowire (PW) technology to provide tunneling service to Ethernet traffic. The feature is developed for SUP720-3B/3BXL and RSP720 routers, which function as Provider Edge (PE) routers in the network topologies recommended by RFC3985 Pseudowire Emulation Edge-to-Edge (PWE3) architecture. L2TPv3 also supports inter-operability between the Cisco 7600 router and any standard compliant Cisco or non-Cisco device.
A L2TPv3 tunnel is a control connection between two PE routers. One L2TPv3 tunnel can have multiple data connections, and each data connection is termed as an L2TPv3 session. The control connection is used to establish, maintain, and release sessions. Each session is identified by a session ID which is unique across the entire router.
Figure 4-8 Network Topology for L2TPv3
In Figure 4-8, the attachment Virtual Circuit (VC) represents a physical or a logical port that connects a Customer Edge (CE) device to a Provider Edge (PE) device. A pseudowire is defined as a VC connecting two attachment VCs, and it consists of two L2TPv3 tunnel paths, one in each direction.
Restrictions for L2TPv3
Following restrictions apply to L2TPv3:
•
•
•
•
•
•
•
•
•
Configuring L2TPv3
Before configuring L2TPv3, ensure the following:
•
•
Complete the following steps to configure L2TPv3:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPS
Configuration Examples
This example shows how to configure L2TPv3:
Router# enableRouter# configure terminalRouter (config)#l2tp-class H-NAMERouter (config-l2tp-class)#exitRouter (config)#interface Loopback8000Router (config-if)#ip address 200.1.1.1 255.255.255.0Router (config-if)#mls l2tpv3 reserve interface Gig3/1 Gig3/10Router (config-if)#exitRouter (config)#pseudowire-class eth8000Router (config-pw-class)#encapsulation l2tpv3Router (config-pw-class)#protocol l2tpv3 H-NAMERouter (config-pw-class)#ip local interface Loopback8000Router (config-pw-class)#exitRouter (config)#interface GigabitEthernet3/4.100Router (config-subif)#encapsulation dot1Q 100Router (config-subif)#xconnect 100.1.1.1 80 encap l2tpv3 pw-class eth8000Router (config-subif-xconn)#exitRouter (config-subif)#exitRouter (config)#exitVerification
Use the following commands to verify the L2TPv3 configuration:
Router #show l2tp tunnelL2TP Tunnel Information Total tunnels 2 sessions 2LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/Count VPDN Group2101541749 1606300868 7600-3_BR est 100.1.1.1 1 H-NAME2974027542 2468589365 7600-3_BR est 100.1.2.1 1 H-NAMERouter #show l2tp tunnel allL2TP Tunnel Information Total tunnels 2 sessions 2Tunnel id 2101541749 is up, remote id is 1606300868, 1 active sessionsLocally initiated tunnelTunnel state is established, time since change 03:37:28Tunnel transport is IP (115)Remote tunnel name is 7600-3_BRInternet Address 100.1.1.1, port 0Local tunnel name is 7600-2-CEInternet Address 200.1.1.1, port 0L2TP class for tunnel is H-NAMECounters, taking last clear into account:0 packets sent, 0 received0 bytes sent, 0 receivedLast clearing of counters neverCounters, ignoring last clear:0 packets sent, 0 received0 bytes sent, 0 receivedControl Ns 33, Nr 90Local RWS 1024 (default), Remote RWS 1024Control channel Congestion Control is disabledTunnel PMTU checking enabledRetransmission time 1, max 1 secondsUnsent queuesize 0, max 0Resend queuesize 0, max 2Total resends 0, ZLB ACKs sent 89Total out-of-order dropped pkts 0Total out-of-order reorder pkts 0Total peer authentication failures 0Current no session pak queue check 0 of 5Retransmit time distribution: 0 0 0 0 0 0 0 0 0Control message authentication is disabledTunnel id 2974027542 is up, remote id is 2468589365, 1 active sessionsLocally initiated tunnelTunnel state is established, time since change 03:37:36Tunnel transport is IP (115)Remote tunnel name is 7600-3_BRInternet Address 100.1.2.1, port 0Local tunnel name is 7600-2-CEInternet Address 200.1.2.1, port 0L2TP class for tunnel is H-NAMECounters, taking last clear into account:0 packets sent, 0 received0 bytes sent, 0 receivedLast clearing of counters neverCounters, ignoring last clear:0 packets sent, 0 received0 bytes sent, 0 receivedControl Ns 35, Nr 92Local RWS 1024 (default), Remote RWS 1024Control channel Congestion Control is disabledTunnel PMTU checking enabledRetransmission time 1, max 1 secondsUnsent queuesize 0, max 0Resend queuesize 0, max 2Total resends 0, ZLB ACKs sent 91Total out-of-order dropped pkts 0Total out-of-order reorder pkts 0Total peer authentication failures 0Current no session pak queue check 0 of 5Retransmit time distribution: 0 0 0 0 0 0 0 0 0Control message authentication is disabledTroubleshooting Tips
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Reverse L2GP for Cisco 7600
Layer 2 Gateway Ports (L2GP) is a proposed IEEE standard (802.1ah) to address the issues that arise when two independent bridged domains are connected redundantly through an arbitrary number of links. Layer 2 Gateway Ports define how the forwarding gateways are selected so that only redundant ports are blocked and there are no temporary loops. The transitions can be at least as fast as STP L2GP resolves the transient loop problem during the re-convergence as it does not require cooperation from the outside domain.
Reverse L2GP (R-L2GP) is a variation of L2GP. In case of R-L2GP, the pseudo information of the R-L2GP is transmitted by nPEs, instead of uPEs. R-L2GP provides a mechanism to send out static preconfigured BPDUs on each ring access port of nPEs to stimulate a per-access ring instantiation of the protocol. In order for this to work, the pair of nPEs are programmed to send out BPDUs on the access ring ports in such a way that they appear to be either:
•
•
Using R-L2GP, you can statically configure the BPDUs instead of dynamic configuration.
For more information, see Configuring STP and MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html#wp1101874.Restrictions and Usage Guidelines
When configuring Reverse L2GP for the Cisco 7600 router, follow these guidelines and restrictions:
•
•
•
–
–
–
•
•
•
•
•
•
•
•
Configuring Reverse L2GP for 7600
To enable R-L2GP on a port, you need to:
•
•
•
•
Configuration of MST must be done before configuring RL2GP and attaching it to a port. For MST configuration, you need to configure:
•
•
•
•
•
•
Since the R-L2GP configuration is bundled with the MSTI configuration, the above parameters can be recycled from the MSTI and MST region (currently only one MST region is supported on IOS) configurations. This section describes how to configure Reverse L2GP for 7600. It consists of the following sections:
•
•
•
Configuring MST
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring the RL2GP Instance
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Attaching the RL2GP Instance to a Port
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuring the VPLS Pseudo Wire
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
This is a sample configuration for switch port:
----- PE1 configuration -----Step 1:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#spanning-tree mode mstPE1(config)#spanning-tree extend system-idPE1(config)#spanning-tree pseudo-information transmit 2PE1(config-pseudo)# remote-id 1PE1(config-pseudo)# mst 0 root 32768 0000.0000.0001%Warning: Please make same configuration change on mst instance 0 forremote Pseudo Info instance also. Difference in mst instance 0 configon Pseudo Info pair can cause network instabilityPE1(config-pseudo)# mst 1 root 32768 0000.0000.0002PE1(config-pseudo)# mst 1 cost 100PE1(config-pseudo)#exitPE1(config)#spanning-tree mst configurationPE1(config-mst)#instance 1 vlan 100-200, 400-500Step 2:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#interface TenGigabitEthernet4/1PE1(config-if)# switchportPE1(config-if)# switchport mode trunkPE1(config-if)# spanning-tree pseudo-information transmit 2PE1(config-if)#endPE1#Step 3:PE1(config)#l2 vfi bpdupw manualPE1(config-vfi)#vpn id 100PE1(config-vfi)#forward permit l2protocol allPE1(config-vfi)#neighbor 22.22.22.22 encapsulation mplsPE1(config-vfi-neighbor)#Step 4:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#interface Vlan1PE1(config-if)#no ip addressPE1(config-if)#xconnect vfi bpdupwPE1(config-if)#endPE1#Use the show commands to check the configuration:
PE1#show running-config int te4/1Building configuration...Current configuration : 119 bytes!interface TenGigabitEthernet4/1switchportswitchport mode trunkspanning-tree pseudo-information transmit 2endPE1#show spanning-tree mst##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0013.5f21.e240 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Te4/1 Desg FWD 2000 128.769 P2p R-L2GPPW 22.22.22.22:100 Desg FWD 200 128.1020 P2p R-L2GP##### MST1 vlans mapped: 100-200,400-500Bridge address 0013.5f21.e240 priority 32769 (32768 sysid 1)Root this switch for MST1Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Te4/1 Desg FWD 2000 128.769 P2p R-L2GPPW 22.22.22.22:100 Desg FWD 200 128.1020 P2p R-L2GPPE1#show spanning-tree pseudo-informationPseudo id 2, type transmit:remote_id 1mst_region_id 0, port_count 1, update_flag 0x0mrecord 0x1DF3627C, mrec_count 2:msti 0: root_id 32768.0000.0000.0001, root_cost 0, update_flag 0x0msti 1: root_id 32769.0000.0000.0002, root_cost 100, update_flag 0x0Pseudo interfaces:TenGigabitEthernet4/1PE1#show spanning-tree mst detail##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0013.5f21.e240 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20TenGigabitEthernet4/1 of MST0 is designated forwardingPort info port id 128.769 priority 128 cost 2000Designated root address 0013.5f21.e240 priority 32768 cost 0Design. regional root address 0013.5f21.e240 priority 32768 cost 0Designated bridge address 0013.5f21.e240 priority 32768 port id 128.769Pseudo-info (id 2) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 500, received 0PW 22.22.22.22:100 of MST0 is designated forwardingPort info port id 128.1020 priority 128 cost 200Designated root address 0013.5f21.e240 priority 32768 cost 0Design. regional root address 0013.5f21.e240 priority 32768 cost 0Designated bridge address 0013.5f21.e240 priority 32768 port id 128.1020Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 396, received 14##### MST1 vlans mapped: 100-200,400-500Bridge address 0013.5f21.e240 priority 32769 (32768 sysid 1)Root this switch for MST1TenGigabitEthernet4/1 of MST1 is designated forwardingPort info port id 128.769 priority 128 cost 2000Designated root address 0013.5f21.e240 priority 32769 cost 0Designated bridge address 0013.5f21.e240 priority 32769 port id 128.769Pseudo-info (id 2) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 501, received 0PW 22.22.22.22:100 of MST1 is designated forwardingPort info port id 128.1020 priority 128 cost 200Designated root address 0013.5f21.e240 priority 32769 cost 0Designated bridge address 0013.5f21.e240 priority 32769 port id 128.1020Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 396, received 13PE1#show mpls l2transport vc detailLocal interface: VFI bpdupw VFI upInterworking type is EthernetDestination address: 22.22.22.22, VC ID: 100, VC status: upOutput interface: Te4/2, imposed label stack {17}Preferred path: not configuredDefault path: activeNext hop: 12.0.0.2Create time: 00:15:59, last status change time: 00:15:35Signaling protocol: LDP, peer 22.22.22.22:0 upTargeted Hello: 11.11.11.11(LDP Id) -> 22.22.22.22, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast BFD dataplane status rcvd: Not sentLast BFD peer monitor status rcvd: No faultLast local AC circuit status rcvd: No faultLast local AC circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 21, remote 17PWID: 16424Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:MAC Withdraw: sent:1, received:3Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)SSO Descriptor: 22.22.22.22/100, local label: 21SSM segment/switch IDs: 20523/4135 (used), PWID: 16424VC statistics:transit packet totals: receive 29, send 390transit byte totals: receive 4423, send 55770transit packet drops: receive 0, seq error 0, send 0PE1#show vfi name bpdupwLegend: RT=Route-target, S=Split-horizon, Y=Yes, N=NoVFI name: bpdupw, state: up, type: multipoint signaling: LDPVPN ID: 100Forwarding BPDUs onlyBridge-Domain 1 attachment circuits:Vlan1Neighbors connected via pseudowires:Peer Address VC ID S22.22.22.22 100 Y----- PE2 configuration -----Step 1:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#spanning-tree mode mstPE2(config)#spanning-tree extend system-idPE2(config)#spanning-tree pseudo-information transmit 1PE2(config-pseudo)# remote-id 2PE2(config-pseudo)# mst 0 root 32768 0000.0000.0001%Warning: Please make same configuration change on mst instance 0 forremote Pseudo Info instance also. Difference in mst instance 0 configon Pseudo Info pair can cause network instabilityPE2(config-pseudo)# mst 1 root 32768 0000.0000.0002PE2(config-pseudo)# mst 1 cost 100PE2(config-pseudo)# exitPE2(config)#spanning-tree mst configurationPE2(config-mst)# instance 1 vlan 100-200, 400-500PE2(config-mst)#endPE2#Step 2:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#interface GigabitEthernet13/7PE2(config-if)#switchportPE2(config-if)#switchport mode trunkPE2(config-if)#spanning-tree pseudo-information transmit 1PE2(config-if)#endPE2#Step 3:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#l2 vfi bpdupw manualPE2(config-vfi)#vpn id 100PE2(config-vfi)#forward permit l2protocol allPE2(config-vfi)#neighbor 11.11.11.11 encapsulation mplsPE2(config-vfi)#endPE2#Step 4:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#interface Vlan1PE2(config-if)#no ip addressPE2(config-if)#xconnect vfi bpdupwPE2(config-if)#endPE2#Use the show commands to check the configuration:PE2#show running-config int gig 13/7Building configuration...Current configuration : 117 bytes!interface GigabitEthernet13/7switchportswitchport mode trunkspanning-tree pseudo-information transmit 1endPE2#show spanning-tree mst##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0015.c7f9.cc40 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------PW 11.11.11.11:100 Desg FWD 200 128.3070 P2p R-L2GPGi13/7 Desg FWD 20000 128.3079 P2p R-L2GP##### MST1 vlans mapped: 100-200,400-500Bridge address 0015.c7f9.cc40 priority 32769 (32768 sysid 1)Root this switch for MST1Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------PW 11.11.11.11:100 Desg FWD 200 128.3070 P2p R-L2GPGi13/7 Desg FWD 20000 128.3079 P2p R-L2GPPE2#show spanning-tree pseudo-informationPseudo id 1, type transmit:remote_id 2mst_region_id 0, port_count 1, update_flag 0x0mrecord 0x542B57F4, mrec_count 2:msti 0: root_id 32768.0000.0000.0001, root_cost 0, update_flag 0x0msti 1: root_id 32769.0000.0000.0002, root_cost 100, update_flag 0x0Pseudo interfaces:GigabitEthernet13/7PE2#show spanning-tree mst detail##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0015.c7f9.cc40 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20PW 11.11.11.11:100 of MST0 is designated forwardingPort info port id 128.3070 priority 128 cost 200Designated root address 0015.c7f9.cc40 priority 32768 cost 0Design. regional root address 0015.c7f9.cc40 priority 32768 cost 0Designated bridge address 0015.c7f9.cc40 priority 32768 port id 128.3070Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 16, received 385GigabitEthernet13/7 of MST0 is designated forwardingPort info port id 128.3079 priority 128 cost 20000Designated root address 0015.c7f9.cc40 priority 32768 cost 0Design. regional root address 0015.c7f9.cc40 priority 32768 cost 0Designated bridge address 0015.c7f9.cc40 priority 32768 port id 128.3079Pseudo-info (id 1) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 163, received 0##### MST1 vlans mapped: 100-200,400-500Bridge address 0015.c7f9.cc40 priority 32769 (32768 sysid 1)Root this switch for MST1PW 11.11.11.11:100 of MST1 is designated forwardingPort info port id 128.3070 priority 128 cost 200Designated root address 0015.c7f9.cc40 priority 32769 cost 0Designated bridge address 0015.c7f9.cc40 priority 32769 port id 128.3070Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 16, received 354GigabitEthernet13/7 of MST1 is designated forwardingPort info port id 128.3079 priority 128 cost 20000Designated root address 0015.c7f9.cc40 priority 32769 cost 0Designated bridge address 0015.c7f9.cc40 priority 32769 port id 128.3079Pseudo-info (id 1) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 164, received 0PE2#show mpls l2transport vc detailLocal interface: VFI bpdupw VFI upInterworking type is EthernetDestination address: 11.11.11.11, VC ID: 100, VC status: upOutput interface: Te12/2, imposed label stack {21}Preferred path: not configuredDefault path: activeNext hop: 12.0.0.1Create time: 00:09:39, last status change time: 00:09:04Signaling protocol: LDP, peer 11.11.11.11:0 upTargeted Hello: 22.22.22.22(LDP Id) -> 11.11.11.11, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast BFD dataplane status rcvd: Not sentLast local SSS circuit status rcvd: No faultLast local SSS circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 17, remote 21PWID: 8250Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:MAC Withdraw: sent:1, received:1Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)SSO Descriptor: 11.11.11.11/100, local label: 17SSM segment/switch IDs: 16444/4153 (used), PWID: 8250VC statistics:transit packet totals: receive 289, send 15transit byte totals: receive 41327, send 2091transit packet drops: receive 0, seq error 0, send 0PE2#show vfi name bpdupwLegend: RT=Route-target, S=Split-horizon, Y=Yes, N=NoVFI name: bpdupw, state: up, type: multipoint signaling: LDPVPN ID: 100Forwarding BPDUs onlyBridge-Domain 1 attachment circuits:Vlan1Neighbors connected via pseudowires:Peer Address VC ID S11.11.11.11 100 YThis is a sample configuration for EVC-BD:
----- PE1 configuration -----
Step 1:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#spanning-tree mode mstPE1(config)#spanning-tree extend system-idPE1(config)#spanning-tree pseudo-information transmit 2PE1(config-pseudo)#remote-id 1PE1(config-pseudo)# mst 0 root 32768 0000.0000.0001%Warning: Please make same configuration change on mst instance 0 forremote Pseudo Info instance also. Difference in mst instance 0 configon Pseudo Info pair can cause network instabilityPE1(config-pseudo)# mst 1 root 32768 0000.0000.0002PE1(config-pseudo)# mst 1 cost 100PE1(config-pseudo)# exitPE1(config)#spanning-tree mst configurationPE1(config-mst)# instance 1 vlan 100-200, 400-500Step 2:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#interface TenGigabitEthernet4/1PE1(config-if)# spanning-tree pseudo-information transmit 2PE1(config-if)# service instance 2 ethernetPE1(config-if-srv)# encapsulation dot1q 2PE1(config-if-srv)# rewrite ingress tag pop 1 symmetricPE1(config-if-srv)# bridge-domain 100PE1(config-if-srv)# service instance 499 ethernetPE1(config-if-srv)# encapsulation dot1q 499PE1(config-if-srv)# rewrite ingress tag pop 1 symmetricPE1(config-if-srv)# bridge-domain 402PE1(config-if-srv)#endPE1#Step 3:PE1(config)#l2 vfi bpdupw manualPE1(config-vfi)#vpn id 100PE1(config-vfi)#forward permit l2protocol allPE1(config-vfi)# neighbor 22.22.22.22 encapsulation mplsPE1(config-vfi-neighbor)#Step 4:PE1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE1(config)#interface Vlan1PE1(config-if)# no ip addressPE1(config-if)# xconnect vfi bpdupwPE1(config-if)#endPE1#Use the show commands to check the configuration:PE1#show running-config int te4/1Building configuration...Current configuration : 361 bytes!interface TenGigabitEthernet4/1ip arp inspection limit noneno ip addressspanning-tree pseudo-information transmit 2service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricbridge-domain 100!service instance 499 ethernetencapsulation dot1q 499rewrite ingress tag pop 1 symmetricbridge-domain 402!endPE1#show spanning-tree mst##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0013.5f21.e240 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Te4/1 Desg FWD 2000 128.769 P2p R-L2GPPW 22.22.22.22:100 Desg FWD 200 128.1022 P2p R-L2GP##### MST1 vlans mapped: 100-200,400-500Bridge address 0013.5f21.e240 priority 32769 (32768 sysid 1)Root this switch for MST1Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------Te4/1 Desg FWD 2000 128.769 P2p R-L2GPPW 22.22.22.22:100 Desg FWD 200 128.1022 P2p R-L2GPPE1#show spanning-tree pseudo-informationPseudo id 2, type transmit:remote_id 1mst_region_id 0, port_count 1, update_flag 0x0mrecord 0x1DF3627C, mrec_count 2:msti 0: root_id 32768.0000.0000.0001, root_cost 0, update_flag 0x0msti 1: root_id 32769.0000.0000.0002, root_cost 100, update_flag 0x0Pseudo interfaces:TenGigabitEthernet4/1PE1#show spanning-tree mst configurationName []Revision 0 Instances configured 2Instance Vlans mapped-------- ---------------------------------------------------------------------0 1-99,201-399,501-40941 100-200,400-500-------------------------------------------------------------------------------PE1#PE1#show spanning-tree mst detail##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0013.5f21.e240 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20TenGigabitEthernet4/1 of MST0 is designated forwardingPort info port id 128.769 priority 128 cost 2000Designated root address 0013.5f21.e240 priority 32768 cost 0Design. regional root address 0013.5f21.e240 priority 32768 cost 0Designated bridge address 0013.5f21.e240 priority 32768 port id 128.769Pseudo-info (id 2) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 770, received 0PW 22.22.22.22:100 of MST0 is designated forwardingPort info port id 128.1022 priority 128 cost 200Designated root address 0013.5f21.e240 priority 32768 cost 0Design. regional root address 0013.5f21.e240 priority 32768 cost 0Designated bridge address 0013.5f21.e240 priority 32768 port id 128.1022Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 0, received 0##### MST1 vlans mapped: 100-200,400-500Bridge address 0013.5f21.e240 priority 32769 (32768 sysid 1)Root this switch for MST1TenGigabitEthernet4/1 of MST1 is designated forwardingPort info port id 128.769 priority 128 cost 2000Designated root address 0013.5f21.e240 priority 32769 cost 0Designated bridge address 0013.5f21.e240 priority 32769 port id 128.769Pseudo-info (id 2) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 770, received 0PW 22.22.22.22:100 of MST1 is designated forwardingPort info port id 128.1022 priority 128 cost 200Designated root address 0013.5f21.e240 priority 32769 cost 0Designated bridge address 0013.5f21.e240 priority 32769 port id 128.1022Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 0, received 0PE1#show mpls l2transport vc detailLocal interface: VFI bpdupw VFI upInterworking type is EthernetDestination address: 22.22.22.22, VC ID: 100, VC status: upOutput interface: Te4/2, imposed label stack {17}Preferred path: not configuredDefault path: activeNext hop: 12.0.0.2Create time: 00:23:57, last status change time: 00:23:24Signaling protocol: LDP, peer 22.22.22.22:0 upTargeted Hello: 11.11.11.11(LDP Id) -> 22.22.22.22, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast BFD dataplane status rcvd: Not sentLast BFD peer monitor status rcvd: No faultLast local AC circuit status rcvd: No faultLast local AC circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 22, remote 17PWID: 20498Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:MAC Withdraw: sent:3, received:4Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)SSO Descriptor: 22.22.22.22/100, local label: 22SSM segment/switch IDs: 16405/12305 (used), PWID: 20498VC statistics:transit packet totals: receive 0, send 129268726transit byte totals: receive 0, send 4504820856transit packet drops: receive 0, seq error 0, send 0PE1#show vfi name bpdupwLegend: RT=Route-target, S=Split-horizon, Y=Yes, N=NoVFI name: bpdupw, state: up, type: multipoint signaling: LDPVPN ID: 100Forwarding BPDUs onlyBridge-Domain 1 attachment circuits:Vlan1Neighbors connected via pseudowires:Peer Address VC ID S22.22.22.22 100 Y----- PE2 configuration -----Step 1:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#spanning-tree mode mstPE2(config)#spanning-tree extend system-idPE2(config)#spanning-tree pseudo-information transmit 1PE2(config-pseudo)# remote-id 2PE2(config-pseudo)# mst 0 root 32768 0000.0000.0001%Warning: Please make same configuration change on mst instance 0 forremote Pseudo Info instance also. Difference in mst instance 0 configon Pseudo Info pair can cause network instabilityPE2(config-pseudo)# mst 1 root 32768 0000.0000.0002PE2(config-pseudo)# mst 1 cost 100PE2(config-pseudo)# exitPE2(config)#spanning-tree mst configurationPE2(config-mst)# instance 1 vlan 100-200, 400-500PE2(config-mst)#endPE2#Step 2:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#interface GigabitEthernet13/7PE2(config-if)# ip arp inspection limit nonePE2(config-if)# no ip addressPE2(config-if)# spanning-tree pseudo-information transmit 1PE2(config-if)# service instance 2 ethernetPE2(config-if-srv)# encapsulation dot1q 2PE2(config-if-srv)# rewrite ingress tag pop 1 symmetricPE2(config-if-srv)# bridge-domain 100PE2(config-if-srv)# service instance 499 ethernetPE2(config-if-srv)# encapsulation dot1q 499PE2(config-if-srv)# rewrite ingress tag pop 1 symmetricPE2(config-if-srv)# bridge-domain 402PE2(config-if-srv)#endPE2#Step 3:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#l2 vfi bpdupw manualPE2(config-vfi)# vpn id 100PE2(config-vfi)# forward permit l2protocol allPE2(config-vfi)# neighbor 11.11.11.11 encapsulation mplsPE2(config-vfi)#endPE2#Step 4:PE2#configure terminalEnter configuration commands, one per line. End with CNTL/Z.PE2(config)#interface Vlan1PE2(config-if)# no ip addressPE2(config-if)# xconnect vfi bpdupwPE2(config-if)#endPE2#Use the show commands to check the configuration:PE2#show running-config int gig 13/7Building configuration...Current configuration : 359 bytes!interface GigabitEthernet13/7ip arp inspection limit noneno ip addressspanning-tree pseudo-information transmit 1service instance 2 ethernetencapsulation dot1q 2rewrite ingress tag pop 1 symmetricbridge-domain 100!service instance 499 ethernetencapsulation dot1q 499rewrite ingress tag pop 1 symmetricbridge-domain 402!endPE2#show spanning-tree mst##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0015.c7f9.cc40 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------PW 11.11.11.11:100 Desg FWD 200 128.3070 P2p R-L2GPGi13/7 Desg FWD 20000 128.3079 P2p R-L2GP##### MST1 vlans mapped: 100-200,400-500Bridge address 0015.c7f9.cc40 priority 32769 (32768 sysid 1)Root this switch for MST1Interface Role Sts Cost Prio.Nbr Type---------------- ---- --- --------- -------- --------------------------------PW 11.11.11.11:100 Desg FWD 200 128.3070 P2p R-L2GPGi13/7 Desg FWD 20000 128.3079 P2p R-L2GPPE2#show spanning-tree pseudo-informationPseudo id 1, type transmit:remote_id 2mst_region_id 0, port_count 1, update_flag 0x0mrecord 0x542B57F4, mrec_count 2:msti 0: root_id 32768.0000.0000.0001, root_cost 0, update_flag 0x0msti 1: root_id 32769.0000.0000.0002, root_cost 100, update_flag 0x0Pseudo interfaces:GigabitEthernet13/7PE2#show spanning-tree mst configurationName []Revision 0 Instances configured 2Instance Vlans mapped-------- ---------------------------------------------------------------------0 1-99,201-399,501-40941 100-200,400-500-------------------------------------------------------------------------------PE2#PE2#show spanning-tree mst detail##### MST0 vlans mapped: 1-99,201-399,501-4094Bridge address 0015.c7f9.cc40 priority 32768 (32768 sysid 0)Root this switch for the CISTOperational hello time 2 , forward delay 15, max age 20, txholdcount 6Configured hello time 2 , forward delay 15, max age 20, max hops 20PW 11.11.11.11:100 of MST0 is designated forwardingPort info port id 128.3070 priority 128 cost 200Designated root address 0015.c7f9.cc40 priority 32768 cost 0Design. regional root address 0015.c7f9.cc40 priority 32768 cost 0Designated bridge address 0015.c7f9.cc40 priority 32768 port id 128.3070Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 0, received 0GigabitEthernet13/7 of MST0 is designated forwardingPort info port id 128.3079 priority 128 cost 20000Designated root address 0015.c7f9.cc40 priority 32768 cost 0Design. regional root address 0015.c7f9.cc40 priority 32768 cost 0Designated bridge address 0015.c7f9.cc40 priority 32768 port id 128.3079Pseudo-info (id 1) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus sent 1301, received 0##### MST1 vlans mapped: 100-200,400-500Bridge address 0015.c7f9.cc40 priority 32769 (32768 sysid 1)Root this switch for MST1PW 11.11.11.11:100 of MST1 is designated forwardingPort info port id 128.3070 priority 128 cost 200Designated root address 0015.c7f9.cc40 priority 32769 cost 0Designated bridge address 0015.c7f9.cc40 priority 32769 port id 128.3070Pseudo-info (id 255) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 0, received 0GigabitEthernet13/7 of MST1 is designated forwardingPort info port id 128.3079 priority 128 cost 20000Designated root address 0015.c7f9.cc40 priority 32769 cost 0Designated bridge address 0015.c7f9.cc40 priority 32769 port id 128.3079Pseudo-info (id 1) is runningTimers: message expires in 0 sec, forward delay 0, forward transitions 1Bpdus (MRecords) sent 1303, received 0PE2#show mpls l2transport vc detailLocal interface: VFI bpdupw VFI upInterworking type is EthernetDestination address: 11.11.11.11, VC ID: 100, VC status: upOutput interface: Te12/2, imposed label stack {17}Preferred path: not configuredDefault path: activeNext hop: 12.0.0.1Create time: 00:10:32, last status change time: 00:09:56Signaling protocol: LDP, peer 11.11.11.11:0 upTargeted Hello: 22.22.22.22(LDP Id) -> 11.11.11.11, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast BFD dataplane status rcvd: Not sentLast local SSS circuit status rcvd: No faultLast local SSS circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 19, remote 17PWID: 4144Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:MAC Withdraw: sent:1, received:1Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)SSO Descriptor: 11.11.11.11/100, local label: 19SSM segment/switch IDs: 16433/4138 (used), PWID: 4144VC statistics:transit packet totals: receive 0, send 0transit byte totals: receive 0, send 0transit packet drops: receive 0, seq error 0, send 0PE2#show vfi name bpdupwLegend: RT=Route-target, S=Split-horizon, Y=Yes, N=NoVFI name: bpdupw, state: up, type: multipoint signaling: LDPVPN ID: 100Forwarding BPDUs onlyBridge-Domain 1 attachment circuits:Vlan1Neighbors connected via pseudowires:Peer Address VC ID S11.11.11.11 100 YTroubleshooting
Table 4-26 provides troubleshooting solutions for the Reverse L2GP feature.
Table 4-26 Troubleshooting Reverse L2GP feature
Configuring Static MAC Binding to EVCs and Psuedowires
Static MAC on Ethernet Flow Point (EFP) and Pseudowire (PW) provides the functionality to configure static unicast or multicast MAC address on EFP and PW. A MAC address can be statically added on an EFP under port channel. This feature provides the functionality to:
•
•
•
•
•
•
•
•
Restrictions and Usage Guidelines
When configuring static MAC on EFP and PW for the Cisco 7600 routers, follow these guidelines and restrictions:
•
•
•
•
•
•
•
•
•
•
•
The next section describes how to configure Static MAC on EFP and PW for the Cisco 7600 router. You need to configure MPLS on core-facing router before configuring static MAC on PW. The information about configuring MPLS on core-facing router is included as a separate section.
•
•
•
Configuring Static MAC over EFP for the Cisco 7600 Router
This section describes how to configure static MAC over EFP or SIs.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example shows how to configure static MAC over EFP or SIs:
Router# enableRouter# configure terminalRouter(config-if)# service instance 10 ethernetRouter(config-srv)# encapsulation dot1q 20Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac static address 0002.1122.0010Router(config-if-srv)# mac static address 0100.5e00.1111 disable-snoopingRouter(config-if-srv)# mac static address 0002.1122.0011 auto-learnRouter(config-if-srv)# mac static address 0100.5e00.1112Router(config-if-srv)# mac static address 0002.1122.0012 auto-learnRouter(config-if-srv)# mac static address 0100.5e00.1113 disable-snoopingRouter(config-if-srv)# exitConfiguring MPLS on Core-Facing Interface
You need to configure MPLS on the core-facing router before configuring static MAC over pseudowire. This section describes how to configure MPLS on the core-facing router interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DETAILED STEPS
Configuring Static MAC over Pseudowire for the Cisco 7600 Router
This section describes how to configure static MAC over pseudowire.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Examples
This example shows how to configure static MAC over pseudowire.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 4/1/0Router(config)# l2 vfi foo-core manualRouter(config-vfi)# vpn id 100Router(config-vfi)# bridge-domain 10 vlanRouter(config-vfi)# neighbor 11.0.0.1 encapsulation mplsRouter(config-vfi-neighbor)# mac static address 0002.1122.0010 auto-learnRouter(config-vfi-neighbor)# mac static address 0100.5e00.1111Router(config-vfi-neighbor)# mac static address 0002.1122.0011Router(config-vfi-neighbor)# mac static address 0100.5e00.1112 disable-snoopingRouter(config-vfi-neighbor)# mac static address 0002.1122.0012 auto-learnRouter(config-vfi-neighbor)# mac static address 0100.5e00.1113 disable-snoopingRouter(config-vfi-neighbor)# interface vlan 10Router(config-if)# xconnect vfi foo-coreRouter(config-vfi)# exitRouter(config)# exitVerification
Use the following commands to verify a configuration:
•
Bridge-Domain ID : 10Static MAC count : System : 8, bridge-domain : 8Port Address Actionvfi foo-core neighbor 1.1.1.1 100 0000.0200.1112vfi foo-core neighbor 1.1.1.1 100 0000.1111.1001 auto-learnvfi foo-core neighbor 1.1.1.1 100 0100.5e11.1002vfi foo-core neighbor 1.1.1.1 100 0100.5e11.1003 disable-snoopingGi2/0/0 ServInst 2 0000.1111.1003Gi2/0/0 ServInst 2 0000.1111.1004 auto-learnPo500 ServInst 1 0000.0000.0777Po500 ServInst 1 0100.5e00.1111 disable-snooping•
Router#Router# show ethernet service instance id 1 interface Gi 2/0/0 mac static addressBridge domain ID : 10Port static MAC count : 2Port Address ActionGi2/0/0 ServInst 1 0000.1111.1001Gi2/0/0 ServInst 1 0000.1111.1002 auto-learn•
Router#show vfi neighbor 1.1.1.1 vcid 100 mac static addressBridge domain ID : 10Port Address Actionvfi foo-core neighbor 1.1.1.1 100 0000.0200.1112vfi foo-core neighbor 1.1.1.1 100 0000.1111.1001vfi foo-core neighbor 1.1.1.1 100 0000.1111.1002 auto-learnvfi foo-core neighbor 1.1.1.1 100 0100.5e11.1002Troubleshooting
Table 4-27 provides the troubleshooting solutions for the REP over EVC feature
Table 4-27
Troubleshooting REP over EVC feature
Configuring Resilient Ethernet Protocol
Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to support L2 resiliency and fast failover with Ethernet networks. REP provides functionality to:
•
•
•
An REP segment is a connected chain of ports configured with a segment ID. Each segment consists of standard (non-edge) segment ports and two user-configured edge ports. REP is supported on Layer 2 trunk interfaces and EVC ports. REP controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment. REP provides a basis for constructing more complex networks and supports VLAN load balancing. REP extends the network resiliency across Cisco IP Next-Generation Network (NGN) Carrier Ethernet Design. REP is designed to provide network and application convergence within 50 to 200 ms. REP is a segment protocol that integrates easily into existing Carrier Ethernet networks. It allows network architects to limit the scope of STP domains. REP can also notify the STP about potential topology changes, allowing interoperability with Spanning Tree.
REP is a distributed and secure protocol and does not rely on a master node controlling the status of the ring. Hence, the failures can be detected locally either through loss of signal (LOS) or loss of neighbor adjacency. Any REP port can initiate a switchover after acquiring the secure key to unblock the alternate port. An REP segment is a chain of ports connected to each other and configured with the same segment ID. Each end of a segment terminates on an edge switch. The port where the segment terminates is called the edge port.
REP Edge No-Neighbor
Effective from Cisco IOS release 15.1.(01)S, a new functionality provides capability to configure the non-rep switch facing ports as edge no-neighbor ports. These ports inherit the properties of edge ports, and overcome the limitation of not being able to converge quickly during a failure.
Figure 4-9 Edge No-Neighbor Ports
In access ring topologies, the neighboring switch might not support REP, as shown in Figure 4-2. In this case, you can configure the non-REP facing ports (E1 and E2) as edge no-neighbor ports. These ports inherit all the properties of edge ports. You can configure these no-neighbor ports as any other edge port and also enable the ports to send STP or REP topology change notices to the aggregation switch. In this case the STP Topology Change Notice (TCN) that is sent is a Multiple Spanning-Tree (MST) STP message.
These sections describes how to configure REP on the Cisco 7600 router:
•
•
Configuring REP over Ethernet Virtual Circuit
The REP over Ethernet Virtual Circuit (EVC) allows you to configure and manage ports at service level. You cannot configure REP on per service instance. An EVC port can have multiple service instances. Each service instance corresponds to a unique Event Flow Processor (EFP). By default, REP is disabled on all ports. Using REP over EVC, you can:
•
•
The ports on a C7600 platform are classified into three different types: switchports, routed ports, and EVC ports. By default, a port is a routed port. REP is not supported on routed ports. You need to configure a port to a switchport or EVC port to configure REP on it. A port that is configured with one or more service instances is called an EVC port.
This feature allows you to configure an EVC port to participate in a REP segment. REP can selectively block or forward data traffic on particular VLANs. For EVC, the VLAN Id refers to the outer tag of the dot1q encapsulation that is configured on a service instance. REP is supported on a bridge-domain service. If ethernet vlan color-block all command is configured, REP is supported on connect and xconnect services.
For more information on REP, see the Cisco IOS and NX-OS Software Resilient Ethernet Protocol guide at http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html and http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/prod_white_paper0900aecd806ec6fa.pdf.
Restrictions and Usage Guidelines
When configuring REP over EVC for the Cisco 7600 router, follow these guidelines and restrictions:
•
•
•
•
•
•
•
•
•
–
–
–
–
•
•
•
–
–
–
–
•
•
•
•
Configuring REP over EVC for the Cisco 7600 Router
This section describes how to configure REP over EVC for the Cisco 7600 router:
•
•
•
Configuring REP over EVC using cross-connect on the Cisco 7600 Router
This section describes how to configure REP over EVC using cross-connect at global configuration level.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Examples
This example shows how to configure REP over EVC using xconnect.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 5/3Router(config-if)# rep segment 120 edgeRouter(config-if)# ether vlan color-block allRouter(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# xconnect 10.0.0.1 20 encapsulation mplsRouter(cfg-if-ether-vc-xconn)# exitRouter(config-if-srv)# exitRouter(config-if)# exitRouter(config)# exitConfiguring REP over EVC using connect for the Cisco 7600 Router
This section describes how to configure REP over EVC using connect at global configuration level.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
DETAILED STEPS
Examples
This example shows how to configure REP over EVC using connect.
Router# enableRouter# configure terminalRouter(config)# interface gigabitEthernet 2/1Router(config-if)# ether vlan color-block allRouter(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# exitRouter(config-if)# rep segment 2 edge primaryRouter(config-if)# exitRouter(config)# interface gigabitEthernet 3/1Router(config-if)# service instance 20 ethernetRouter(config-if-srv)# encapsulation dot1q 20Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# exitRouter(config-if)# rep segment 2 edgeRouter(config-if)# exitRouter(config)#connect test gigabitEthernet 2/1 10 gigabitEthernet 3/1 20Router(config-connection)#endConfiguring REP over EVC using bridge-domain for the Cisco 7600 Router
This section describes how to configure REP over EVC using bridge-domain at service instance level.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Examples
This example shows how to configure REP over EVC using bridge-domain.
Router# enableRouter# configure terminalRouter(config)# interface gigabitEthernet 4/1Router(config-if)# service instance 10 ethernetRouter(config-if-srv)# encapsulation dot1q 10Router(config-if-srv)# rewrite ingress tag pop 1 symmetricRouter(config-if-srv)# bridge-domain 100Router(config-if-srv)# exitRouter(config-if)# rep segment 2 edgeRouter(config-if)# endThis example shows how to configure REP with the edge no-neighbor keyword.Router# enableRouter# configure terminalRouter(config)# interface gigabitEthernet 7/1Router(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# rep segment 1 edge no-neighbor primaryRouter(config-if)# endVerification
You can use the show rep topology, show rep topology detail and show interface <> rep commands to verify the REP over EVC configuration. This information is displayed as sample output:
•
•
•
Example of show rep topology command:
Router#show rep topologyREP Segment 3BridgeName PortName Edge Role---------------- ---------- ---- ----Router Gi4/0/0 Pri OpenREP-ALPHA Gi2/12 OpenREP-ALPHA Fa3/1 OpenREP-BETA Fa1/1 OpenREP-BETA Gi6/1 OpenRouter Gi3/4 Sec Alt--Example of show rep topology detail command.
Router#show rep topology segment 3 detailREP Segment 3Router, Gi4/0/0 (Primary Edge)Open Port, all vlans forwardingBridge MAC: 0015.fa66.ff80Port Number: 0301Port Priority: 000Neighbor Number: 1 / [-6]REP-ALPHA, Gi2/12 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.cd00Port Number: 010CPort Priority: 000Neighbor Number: 2 / [-5]REP-ALPHA, Fa3/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.cd00Port Number: 0201Port Priority: 000Neighbor Number: 3 / [-4]REP-BETA, Fa1/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.c900Port Number: 001Port Priority: 000Neighbor Number: 4 / [-3]REP-BETA, Gi6/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.c900Port Number: 0501Port Priority: 000Neighbor Number: 5 / [-2]Router, Gi3/4 (Secondary Edge)Alternate Port, some vlans blockedBridge MAC: 0015.fa66.ff80Port Number: 0204Port Priority: 010Neighbor Number: 6 / [-1]Example of show interface <> rep command:
Router#show interface gig4/0/0 rep detailGigabitEthernet4/0/0 REP enabledSegment-id: 3 (Primary Edge)PortID: 03010015FA66FF80Preferred flag: NoOperational Link Status: TWO_WAYCurrent Key: 02040015FA66FF804050Port Role: OpenBlocked VLAN: <empty>Admin-vlan: 1Preempt Delay Timer: disabledConfigured Load-balancing Block Port: noneConfigured Load-balancing Block VLAN: noneSTCN Propagate to: noneLSL PDU rx: 999, tx: 652HFL PDU rx: 0, tx: 0BPA TLV rx: 500, tx: 4BPA (STCN, LSL) TLV rx: 0, tx: 0BPA (STCN, HFL) TLV rx: 0, tx: 0EPA-ELECTION TLV rx: 6, tx: 5EPA-COMMAND TLV rx: 0, tx: 0EPA-INFO TLV rx: 135, tx: 136Show outputs for REP with Edge No-Neighbor keyword
Example of show rep topology command with REP edge no-neighbor keyword:
Router#show rep topologyREP Segment 3BridgeName PortName Edge Role---------------- ---------- ---- ----sw8-ts8-51 Gi0/2 Pri* Opensw9-ts11-50 Gi1/0/4 Opensw9-ts11-50 Gi1/0/2 Opensw1-ts11-45 Gi0/2 Altsw1-ts11-45 Po1 Opensw8-ts8-51 Gi0/1 Sec* Open--Example of show rep topology detail command with REP edge no-neighbor keyword:
Router#show rep topoology segment 3 detailREP Segment 3Router, Gi4/0/0 (Primary Edge No-Neighbor)Open Port, all vlans forwardingBridge MAC: 0015.fa66.ff80Port Number: 0301Port Priority: 000Neighbor Number: 1 / [-6]REP-ALPHA, Gi2/12 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.cd00Port Number: 010CPort Priority: 000Neighbor Number: 2 / [-5]REP-ALPHA, Fa3/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.cd00Port Number: 0201Port Priority: 000Neighbor Number: 3 / [-4]REP-BETA, Fa1/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.c900Port Number: 001Port Priority: 000Neighbor Number: 4 / [-3]REP-BETA, Gi6/1 (Intermediate)Open Port, all vlans forwardingBridge MAC: 0005.7495.c900Port Number: 0501Port Priority: 000Neighbor Number: 5 / [-2]Router, Gi3/4 (Secondary Edge)Alternate Port, some vlans blockedBridge MAC: 0015.fa66.ff80Port Number: 0204Port Priority: 010Neighbor Number: 6 / [-1]
Example of show interface <> rep command with REP edge no-neighbor keyword:
Router#show interface gig4/0/0 rep detailGigabitEthernet4/0/0 REP enabledSegment-id: 3 (Primary Edge No-Neighbor)PortID: 03010015FA66FF80Preferred flag: NoOperational Link Status: TWO_WAYCurrent Key: 02040015FA66FF804050Port Role: OpenBlocked VLAN: <empty>Admin-vlan: 1Preempt Delay Timer: disabledConfigured Load-balancing Block Port: noneConfigured Load-balancing Block VLAN: noneSTCN Propagate to: noneLSL PDU rx: 999, tx: 652HFL PDU rx: 0, tx: 0BPA TLV rx: 500, tx: 4BPA (STCN, LSL) TLV rx: 0, tx: 0BPA (STCN, HFL) TLV rx: 0, tx: 0EPA-ELECTION TLV rx: 6, tx: 5EPA-COMMAND TLV rx: 0, tx: 0EPA-INFO TLV rx: 135, tx: 136Configuring Resilient Ethernet Protocol Configurable Timers
The REP Configurable Timer (REP Fast Hellos) feature provides a fast re-convergence in a ring topology with higher timer granularity and quicker failure detection on the remote side. The feature also supports improved convergence of REP segments having nodes with copper based SFPs, where the link detection time varies between 300 ms to 700 ms.
With the REP Link Status Layer (LSL) ageout timer configuration, the failure detection time can be configured between a range of 120 millisecond to 10,000 millisecond, in multiples of 40 ms. The result of this configuration is that, even if the copper pull takes about 700 ms to notify the remote end about the failure, the REP Configurable Timers process will detect it much earlier and takes subsequent action for the failure recovery within 200 ms.
Restrictions and Usage Guidelines
When configuring the REP Configurable Timers for the Cisco 7600 router, follow these guidelines and restrictions:
•
•
•
•
•
•
•
•
–
–
–
–
Configuring REP Configurable Timers for the Cisco 7600 Router
This section describes how to configure the LSL age out timer and the LSL number of retries on a Cisco 7600 router:
•
•
Configuring the REP Link Status Layer Retries
This section describes how to configure REP link status layer number of retries at interface configuration level.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Example
This example shows how to configure REP link status layer number of retries.
Router# enableRouter# configure terminalRouter(config)# interface gigabitethernet 2/5Router(config-if)# rep segment 2 edge primaryRouter(config-if)# rep lsl-retries 4Router(config-if)# end
Configuring the REP Link Status Layer Age Out Timer
This section describes how to configure the REP Link Status Layer Age Out Timer at interface configuration level.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Example
This example shows how to configure REP link status layer ageout timer value.
Router# enableRouter# configure terminalRouter(config)# interface GigabitEthernet 5/3Router(config-if)# rep segment 1 edge primaryRouter(config-if)# rep lsl-age-timer 2000Router(config-if)# end
Verification
Use the show interfaces <interface name> rep detail command to view the configured LSL number of retries and the LSL Age Out timer values.
7600-1#show interfaces GigabitEthernet11/1 rep detailGigabitEthernet11/1 REP enabledSegment-id: 10 (Segment)PortID: 0A010009B6D8F700Preferred flag: NoOperational Link Status: NO_NEIGHBORCurrent Key: 0A010009B6D8F700EEA1Port Role: Fail No Ext NeighborBlocked VLAN: 1-4094Admin-vlan: 1Preempt Delay Timer: disabledLSL Ageout Timer: 120 msLSL Ageout Retries: 3Configured Load-balancing Block Port: noneConfigured Load-balancing Block VLAN: noneSTCN Propagate to: noneLSL PDU rx: 0, tx: 175HFL PDU rx: 0, tx: 0BPA TLV rx: 0, tx: 0BPA (STCN, LSL) TLV rx: 0, tx: 0BPA (STCN, HFL) TLV rx: 0, tx: 0EPA-ELECTION TLV rx: 0, tx: 0EPA-COMMAND TLV rx: 0, tx: 0EPA-INFO TLV rx: 0, tx: 0Troubleshooting the REP
Table 4-28 lists the debug commands to troubleshoot the REP issues.
Table 4-28 Debug commands
and their purpose
Troubleshooting scenarios
Table 4-29 lists the potential problems and solutions associated with configuring REP:
Table 4-29 Troubleshooting REP
Issues
IEEE 802.1ag-2007 Compliant CFM
A Metro Ethernet network consists of networks from multiple operators supported by one service provider and connects multiple customer sites to form a virtual private network (VPN). Networks provided and managed by multiple independent service providers have restricted access to each other's equipment. Because of the diversity in these multiple-operator networks, failures must be isolated quickly. As a Layer 2 network, Ethernet must be capable of reporting network faults at Layer 2.
IEEE 802.3ah is a point-to-point and per- physical- wire OAM protocol that detects and isolates connectivity failures in the network. IEEE 802.1ag draft 8.1 Metro Ethernet Connectivity Fault Management (CFM) incorporates several OAM facilities that allow you to manage Metro Ethernet networks, including an Ethernet continuity check, end-to-end Ethernet traceroute facility using Linktrace message (LTM), Linktrace reply (LTR), Ethernet ping facility using Loopback Message (LBM), and a Loopback Reply (LBR). These Metro Ethernet CFM protocol elements quickly identify problems in the network.
Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer operations, administration, and maintenance (OAM) protocol. It includes proactive connectivity monitoring, fault verification, and fault isolation for large Ethernet metropolitan-area networks (MANs) and WANs. Connectivity Fault Management (CFM) is the indispensable capability that service providers require to deploy large-scale, multivendor Metro Ethernet services. This feature upgrades the implementation of CFM to be compliant with the IEEE 802.1ag with the current standard, 802.1ag-2007 and implementation of CFM over L2VFI (Layer 2 Virtual Forwarding Instance Information), cross connect, EVC, and Switchport.
Key CFM mechanisms are:
•
•
•
•
For more information on CFM, see Cisco IOS Carrier Ethernet Configuration Guide, Release 12.2SR at http://www.cisco.com/en/US/docs/ios-xml/ios/cether/configuration/12-2sr/ce-cfm-ieee.html.
For more information about the commands used in this section, see Cisco IOS Ethernet Command Reference Guide at http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
SSupported Line Cards
Use the ethernet cfm global command to enable the CFM D8.1 feature on the following line cards:
•
•
•
•
Table 4-30and Table 4-31 display the complete support matrix for the CFM D8.1 feature.
Note
Table 4-30
Supported Matrix1
Table 4-31
Supported Matrix 2
Scalable Limits
Table 4-32 maps the supported interfaces with the CFM points and their scalability values.
Table 4-32
Scalable Limits
Supported Interfaces
Table 4-33 maps the supported interfaces with the CFM points and their scalability values:
Table 4-33
Supported Interfaces
Restrictions and Usage Guidelines
When configuring CFM D8.1, follow these restrictions and usage guidelines:
•
•
•
•
•
•
•
•
•
Sample D1 configuration during migration:
Router(config-srv)#
Router(config-if-srv)#Sample configuration to avoid the migration issue:
Router(config-if-srv)#
Router(config-if)#
Router(config)#SUMMARY STEPS (COMMON CONFIGURATIONS FOR EVC, SWITCHPORT, AND ROUTED PORTS)
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS (COMMON CONFIGURATIONS FOR EVC, SWITCHPORT, AND ROUTED PORTS)
SUMMARY STEPS TO CONFIGURE CFM MEP AND MIP ON A EVC
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS TO CONFIGURE CFM MEP AND MIP ON A EVC
SUMMARY STEPS TO CONFIGURE CFM MEP AND MIP ON A SWITCH PORT
1.
2.
3.
4.
5.
6.
or
7.
8.
DETAILED STEPS TO CONFIGURE CFM MEP AND MIP ON A SWITCHPORT
SUMMARY STEPS TO CONFIGURE CFM MEP ON A ROUTED PORT
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS TO CONFIGURE CFM MEP ON A ROUTED PORT
Verification
Use the following commands to verify operation.
Example
The following example shows a configuration of MEP in a switchport:
ethernet cfm domain L4 level 4service s41 evc 41 vlan 41continuity-checkint TenGigabitEthernet2/0/0switchportswitchport mode trunkethernet cfm mep domain L4 mpid 1 vlan 41The following example shows a configuration of MIP in a switchport:
ethernet cfm domain L4 level 4service s41 evc 41 vlan 41continuity-checkint TenGigabitEthernet2/0/0switchportswitchport mode trunkethernet cfm mip level 4 vlan 10The following example shows a configuration of MEP in a EVC bridge domain:
ethernet cfm domain L4 level 4service s41 evc 41 vlan 41continuity-checkint TenGigabitEthernet4/0/0service instance 41 ethernet 41encapsulation dot1q 41bridge-domain 41cfm mep domain L4 mpid 4001The following example shows a configuration of MIP in a EVC bridge domain:
ethernet cfm domain L4 level 4service s41 evc 41 vlan 41continuity-checkint TenGigabitEthernet4/0/0service instance 41 ethernet 41encapsulation dot1q 41bridge-domain 41cfm cfm mip level 4The following example shows a configuration of MEP on a routed port:
ethernet cfm domain routed level 5service s2 evc 2 vlan 2 direction downcontinuity-check
Router(config-if)#no ip addressno mls qos trustethernet cfm mep domain routed mpid 4001 vlan 4001interface GigabitEthernet8/0/0.10encapsulation dot1Q 10The following example shows CFM configuration over a EVC with cross connect in the global domain configuration mode:
ethernet cfm domain L6 level 6service xconn evc xconncontinuity-checkThe following example shows CFM configuration over a EVC with cross connect in the interface configuration mode:
ethernet cfm domain L6 level 6service s100 evc 100continuity-checkinterface Port-channel10no ip addressservice instance 100 ethernet 100encapsulation dot1q 200xconnect 3.3.3.3 1 encapsulation mplscfm mep domain L6 mpid 602cfm mip level 7CFM over EFP Interface with xconnect
Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation. Currently, Ethernet CFM supports Up facing and Down facing Maintenance Endpoints (MEPs). For information on Ethernet Connectivity Fault Management, see http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html
The CFM over EFP Interface with xconnect feature allows you to:
•
•
•
Restrictions and Usage Guidelines
When configuring CFM over EFP Interface with cross connect, follow these restrictions and usage guidelines:
•
–
–
•
•
•
•
Configuring CFM over EFP with xconnect for the Cisco 7600 Router
This section describes how to configure REP over EVC for the Cisco 7600 router:
•
•
•
•
•
•
Configuring CFM over EFP Interface with Cross Connect—Basic Configuration
This section describes how to configure CFM over EFP Interface with cross connect.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Examples
This example shows how to configure CFM over EVC using cross connect.
PE3#conf terminalEnter configuration commands, one per line. End with CNTL/Z.PE3(config)#ethernet cfm domain L6 level 6PE3(config-ecfm)# service s256 evc 256PE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#Configuring CFM over EFP Interface with Cross Connect—Single Tag VLAN Cross Connect
This section describes how to configure CFM over EFP Interface with Single Tag VLAN cross connect.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Single Tag VLAN cross connect:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#Configuring CFM over EFP Interface with Cross Connect—Double Tag VLAN Cross Connect
This section describes how to configure CFM over EFP Interface with Double Tag VLAN cross connect.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Double Tag VLAN cross connect:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256 second-dot1q 257PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#Configuring CFM over EFP Interface with Cross Connect—Selective QinQ Cross Connect
This section describes how to configure CFM over EFP Interface with Selective QinQ cross connect.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Selective QinQ cross connect:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256 second-dot1q 257 cos 7PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#Configuring CFM over EFP Interface with Cross Connect—Port-Based Cross Connect Tunnel
This section describes how to configure CFM over EFP Interface with Port-Based cross connect Tunnel.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Port-Based cross connect Tunnel:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int ten 2/0/0PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endPE3#Configuring CFM over EFP Interface with Cross Connect—Port Channel-Based Cross Connect Tunnel
This section describes how to configure CFM over EFP Interface with Port Channel-Based cross connect Tunnel.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Port Channel-Based cross connect Tunnel:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int port-20PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endVerification
Use the following commands to verify a configuration:
•
Router-30-PE1#show ethernet cfm ma localLocal MEPs:--------------------------------------------------------------------------------MPID Domain Name Lvl MacAddress Type CCDomain Id Dir Port IdMA Name SrvcInstEVC name--------------------------------------------------------------------------------1 L6 6 000a.f393.56d0 XCON YL6 Down Te2/0/0 N/Abbb 1bbb3 L5 5 0007.8478.4410 XCON YL5 Up Te2/0/0 N/Abbb 1bbbTotal Local MEPs: 2Local MIPs:* = MIP Manually Configured--------------------------------------------------------------------------------Level Port MacAddress SrvcInst Type Id--------------------------------------------------------------------------------7 Te2/0/0 0007.8478.4410 1 XCON N/ATotal Local MIPs: 1•
Router-30-PE1#show ethernet cfm ma remote--------------------------------------------------------------------------------MPID Domain Name MacAddress IfSt PtStLvl Domain ID IngressRDI MA Name Type Id SrvcInstEVC Name Age--------------------------------------------------------------------------------4 L5 000a.f393.56d0 Up Up5 L5 Te2/0/0:(2.2.2.2, 1)- bbb XCON N/A 1bbb 9s2 L6 000a.f393.56d0 Up Up6 L6 Te2/0/0:(2.2.2.2, 1)- bbb XCON N/A 1bbb 1sTotal Remote MEPs: 2•
PE2#show ethernet cfm mpdb* = Can Ping/Traceroute to MEP--------------------------------------------------------------------------------MPID Domain Name MacAddress VersionLvl Domain ID IngressExpd MA Name Type Id SrvcInstEVC Name Age--------------------------------------------------------------------------------600 * L6 0021.d8ca.d7d0 IEEE-CFM6 L6 Te2/1:(2.2.2.2, 1)- s1 XCON N/A 11 2s700 L7 001f.cab7.fd01 IEEE-CFM7 L7 Te2/1:(2.2.2.2, 1)- s1 XCON N/A 11 3sTotal Remote MEPs: 2•
PE1#sh mpls l2 vc 1 detaLocal interface: Te8/0/1 up, line protocol up, Eth VLAN 200 upInterworking type is EthernetDestination address: 3.3.3.3, VC ID: 1, VC status: upOutput interface: Te8/0/0, imposed label stack {21}Preferred path: not configuredDefault path: activeNext hop: 20.1.1.2Create time: 21:13:27, last status change time: 02:55:33Signaling protocol: LDP, peer 3.3.3.3:0 upTargeted Hello: 2.2.2.2(LDP Id) -> 3.3.3.3, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast local SSS circuit status rcvd: No faultLast local SSS circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 21, remote 21Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)VC statistics:transit packet totals: receive 37, send 1067452272transit byte totals: receive 4181, send 72586757556transit packet drops: receive 0, seq error 0, send 0•
PE1#show mpls forwarding-tableLocal Outgoing Prefix Bytes Label Outgoing Next HopLabel Label or Tunnel Id Switched interface17 Pop Label 3.3.3.3/32 23038746624 Te8/0/0 20.1.1.221 No Label l2ckt(1) 4181 Te8/0/1 point2point•
PE2#show ethernet cfm error--------------------------------------------------------------------------------MPID Domain Id Mac Address Type Id LvlMAName Reason Age--------------------------------------------------------------------------------- L3 001d.45fe.ca81 BD-V 200 3s2 Receive AIS 8sPE2#Configuring CFM over EFP Interface with xconnect—Port Channel-Based xconnect Tunnel
Use the following commands at the customer facing port:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
This example shows how to configure CFM over EFP Interface with Port Channel-Based xconnect Tunnel:
PE3(config)#ethernet cfm domain L2 level 2PE3(config-ecfm)# service s256 evc 256 direction downPE3(config-ecfm-srv)# continuity-checkPE3(config-ecfm-srv)#endPE3#PE3(config)#int port-20PE3(config-if)#no ip addressPE3(config-if)# service instance 256 ethernet 256PE3(config-if-srv)# encapsulation dot1q 256PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mplsPE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256PE3(config-if-srv-ecfm-mep)#endVerification
Use the following commands to verify a configuration:
•
Router-30-PE1#show ethernet cfm ma localLocal MEPs:--------------------------------------------------------------------------------MPID Domain Name Lvl MacAddress Type CCDomain Id Dir Port IdMA Name SrvcInstEVC name--------------------------------------------------------------------------------1 L6 6 000a.f393.56d0 XCON YL6 Down Te2/0/0 N/Abbb 1bbb3 L5 5 0007.8478.4410 XCON YL5 Up Te2/0/0 N/Abbb 1bbbTotal Local MEPs: 2Local MIPs:* = MIP Manually Configured--------------------------------------------------------------------------------Level Port MacAddress SrvcInst Type Id--------------------------------------------------------------------------------7 Te2/0/0 0007.8478.4410 1 XCON N/ATotal Local MIPs: 1•
Router-30-PE1#show ethernet cfm ma remote--------------------------------------------------------------------------------MPID Domain Name MacAddress IfSt PtStLvl Domain ID IngressRDI MA Name Type Id SrvcInstEVC Name Age--------------------------------------------------------------------------------4 L5 000a.f393.56d0 Up Up5 L5 Te2/0/0:(2.2.2.2, 1)- bbb XCON N/A 1bbb 9s2 L6 000a.f393.56d0 Up Up6 L6 Te2/0/0:(2.2.2.2, 1)- bbb XCON N/A 1bbb 1sTotal Remote MEPs: 2•
PE2#show ethernet cfm mpdb* = Can Ping/Traceroute to MEP--------------------------------------------------------------------------------MPID Domain Name MacAddress VersionLvl Domain ID IngressExpd MA Name Type Id SrvcInstEVC Name Age--------------------------------------------------------------------------------600 * L6 0021.d8ca.d7d0 IEEE-CFM6 L6 Te2/1:(2.2.2.2, 1)- s1 XCON N/A 11 2s700 L7 001f.cab7.fd01 IEEE-CFM7 L7 Te2/1:(2.2.2.2, 1)- s1 XCON N/A 11 3sTotal Remote MEPs: 2•
PE1#sh mpls l2 vc 1 detaLocal interface: Te8/0/1 up, line protocol up, Eth VLAN 200 upInterworking type is EthernetDestination address: 3.3.3.3, VC ID: 1, VC status: upOutput interface: Te8/0/0, imposed label stack {21}Preferred path: not configuredDefault path: activeNext hop: 20.1.1.2Create time: 21:13:27, last status change time: 02:55:33Signaling protocol: LDP, peer 3.3.3.3:0 upTargeted Hello: 2.2.2.2(LDP Id) -> 3.3.3.3, LDP is UPStatus TLV support (local/remote) : enabled/supportedLDP route watch : enabledLabel/status state machine : established, LruRruLast local dataplane status rcvd: No faultLast local SSS circuit status rcvd: No faultLast local SSS circuit status sent: No faultLast local LDP TLV status sent: No faultLast remote LDP TLV status rcvd: No faultLast remote LDP ADJ status rcvd: No faultMPLS VC labels: local 21, remote 21Group ID: local 0, remote 0MTU: local 1500, remote 1500Remote interface description:Sequencing: receive disabled, send disabledControl Word: On (configured: autosense)VC statistics:transit packet totals: receive 37, send 1067452272transit byte totals: receive 4181, send 72586757556transit packet drops: receive 0, seq error 0, send 0•
PE1#show mpls forwarding-tableLocal Outgoing Prefix Bytes Label Outgoing Next HopLabel Label or Tunnel Id Switched interface17 Pop Label 3.3.3.3/32 23038746624 Te8/0/0 20.1.1.221 No Label l2ckt(1) 4181 Te8/0/1 point2point•
PE2#show ethernet cfm error--------------------------------------------------------------------------------MPID Domain Id Mac Address Type Id LvlMAName Reason Age--------------------------------------------------------------------------------- L3 001d.45fe.ca81 BD-V 200 3s2 Receive AIS 8sPE2#Troubleshooting CFM Features
Table 4-34 provides troubleshooting solutions for the CFM features.
Table 4-34
When you configure CFM, the message "Match registers are not available" is displayed.
Use the show platform mrm info command on the SP console to verify the match registers. Based on the derived output, perform these tasks:
1.
2.
3.
4.
For more information on match registers, see Ethernet Connectivity Fault Management at http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
CFM uses two match registers to identify the control packet type and each VLAN spanning tree also uses a match register to identify its control packet type. For both protocols to work on the same system, each line card should support three match registers, and at least one supporting only a 44 bit MAC match.
CFM configuration errors
CFM configuration error occurs when when a MEP receives a continuity check with an overlapping MPID. To verify the source of the error, use the command show ethernet cfm errors configuration or show ethernet cfm errors.
CFM ping and traceroute result is "not found"
Complete these steps:
1.
2.
3.
4.
CFM connectivity is down and issues at the maintenance domain levels
Use the ping ethernet {mac-address | mpid id | multicast} domain domain-name { vlan vlan-id | port | evc evc-name } or traceroute ethernet {mac-address | mpid id } domain domain-name { vlan vlan-id | port | evc evc-name } commands to verify ethernet CFM connectivity. Share the output with TAC for further investigation.
Loop trap error
Use the show ethernet cfm error command to check for Loop Trap errors as shown here:
CE(config-if)#do sh ethernet cfm err-------------------------------------------------- -----------------------------Level Vlan MPID Remote MAC Reason Service ID-------------------------------------------------- -----------------------------5 711 550 1001.1001.1001 Loop Trap Error OUTPE#sh ethernet cfm err-------------------------------------------------- -----------------------------Level Vlan MPID Remote MAC Reason Service ID-------------------------------------------------- -----------------------------5 711 550 1001.1001.1001 Loop Trap Error OUTModule has insufficient match registers
Complete these steps:
1.
2.
CFM is deactivated
Complete these steps:
1.
2.
ethernet cfm logging
In a scale scenario, you configure either the console logging rate-limiting using logging rate-limit or using logging buffered instead of using logging console. The suggested rate-limit is around 30 messages per second.
Troubleshooting Scenarios for CFM features
802.1ah: Configuring the MAC Tunneling Protocol
The MAC Tunneling Protocol (MTP) feature is based on the IEEE 802.1ah standard and provides VLAN and MAC scalability. This feature extends the Cisco QinQ (the IEEE 802.1ad standard) capability to support highly scalable Provider Backbone Architecture (PBA). MTP allows a service provider to interconnect multiple Provider Bridged Networks (PBNs) that support a minimum 10,48,576 (2 to the 20th power) Service VLANS and extend the MAC address scalability.
With this feature, you can scale a Provider Bridged P802.1ad network using an existing Bridged and Virtual Bridged Local Area Network (VLAN) deployment. Although the current Cisco QinQ capability provides VLAN scaling, this feature extends the scaling and interoperability between multiple vendors.
Bridges in a Provider Backbone Bridged Network (PBBN) need to learn the MAC address of each host to make forwarding decisions. MTP resolves this need for MAC address learning by encapsulating both the data packet and MAC addresses (source and destination) into a new Ethernet frame. The header of the new Ethernet frame contains:
•
•
•
•
The MAC scalability is implemented using the B-MACs. Since the new Ethernet frames are encapsulated with MAC address (host) while traversing the PBBN, a bridge needs to learn the B-MACs only. The MAC addresses of hosts are hidden from the Provider Backbone Bridges (PBB), resulting in the PBBridges to learn only the provider MAC address, irrespective of the number of hosts or the number of host MAC addresses supported. Since the data packets are sent to specific MAC addresses, the 802.1ah cloud is not flooded with unnecessary traffic. A MAC address is a static entry in the MAC address table on the Backbone Core Bridge.
The VLAN scalability is implemented using the I-SID. The MTP achieves VLAN scalability by using a backbone VLAN TAG with a 12-bit B-VID and the Service Instance TAG with a 24-bit Service Instance ID to provide the VLAN scalability necessary to map large number of customers.
Figure 4-10 shows the basic MTP network deployment.
Figure 4-10 MTP Network Deployment
MTP Software Architecture
The encapsulation and decapsulation of MAC addresses is performed on a Backbone Edge Bridge (BEB) at the edge of the PBBN. A BEB can be an I-Bridge (I-BEB), a B-Bridge (B-BEB), or an IB-Bridge (IB-BEB). Currently, MTP is supported only with the IB-BEB functionality.
Figure 4-11 shows the MTP software architecture.
Figure 4-11 MTP Software Architecture
IB Backbone Edge Bridge
An IB-BEB consists of one B-Component and one or more I-Components. The IB-BEB provides the functionality to select the B-MAC and insert I-SIDs based on the supported tags. It also validates the I-SIDs and transmits or receives the frames on the B-VLAN.
The iIEEE 802.1ah draft describes two types of customer-facing interfaces supported by IB-BEB:
•
–
–
•
MTP supports both type of interfaces.
Data Plane Processing
The packets on the ingress EFP are tunneled to the appropriate MAC tunnel using the C-MAC bridge domain. For multiple EFPs using the same I-SID, the switching among EFPs is done using the C-MAC bridge domain. Local switching is performed across all the ports in the bridge domain even if they span multiple tunnel engines.
MTP Configuration
Table 4-35 lists the relationship between the various entities in a Cisco 7600 Series Router for MTP implementation.
Figure 4-12 show N to N relationship within a Cisco 7600 Series Router:
Figure 4-12 N to N relationship within a Cisco 7600 Series Router
Scalability Information
Table 4-36 lists scalability information for MTP.
Table 4-36 Scalability Information for MTP
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring the MAC Tunneling Protocol on an ES40 line card:
•
•
•
•
•
•
•
•
•
Configuring the MTP for the Cisco 7600 Router
This section describes how to configure MTP for Cisco 7600 Router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPS
Examples
This example shows how to configure MTP for Cisco 7600 Routers:
Router>enableRouter#configure terminalRouter(config)#interface GigabitEthernet 3/1Router(config-if)#service instance 20 ethernetRouter(config-if-srv)#encapsulation dot1q 40 second-dot1q 42Router(config-if-srv)#rewrite ingress tag pop 1 symmetricRouter(config-if-srv)#bridge-domain 21 c-macRouter(config-if-srv)#exitRouter(config-if)#exitRouter(config)#ethernet mac-tunnel virtual 22Router(config-tunnel-minm)#bridge-domain 200Router(config-tunnel-minm)#service in 23 ethernetRouter(config-tunnel-srv)#encapsulation dot1ah isid 24Router(config-tunnel-srv)#bridge-domain 21 c-macRouter(config-tunnel-srv)#exitRouter(config-tunnel-minm)#exitRouter(config)#exitVerification
Use the following commands to verify the MTP configuration and view the related information.
•
Router#sh platform mtp slot 3SLOT TUNNELENGINE VLAN_LIST3 MacTunnelEngine3/0 2003 MacTunnelEngine3/13 MacTunnelEngine3/23 MacTunnelEngine3/3•
Router#sh platform mtp c_bd 21C_BD B_BD SLOT PPE C_BD_COUNT21 200 3 0 1Router#•
Router#sh platform mtp b_bd 200B_BD SLOT PPE B_BD_COUNT200 3 0 1Router#•
Router#sh platform mtp befp 23BEFP C_BD B_BD SLOT PPE C_BD_COUNT23 21 200 3 0 1Router#Troubleshooting
Table 4-37 provides troubleshooting solutions for the MAC Tunnelling feature.
Table 4-37 Troubleshooting Scenarios
802.3ah: Dying Gasp and Remote Loopback Initiation
Faults in Ethernet connectivity that are caused by slowly deteriorating quality are difficult to detect. Ethernet OAM provides a mechanism for an OAM entity to convey these failure conditions to its peer through specific flags in the OAM PDU. The following failure conditions can be communicated:
•
•
•
In Remote Loopback mode, an OAM entity can put its remote peer into loopback mode using the loopback control OAM PDU. Loopback mode helps an administrator ensure the quality of links during installation or when troubleshooting. In the loopback mode, every frame received is transmitted back on the same port except for OAM PDUs and pause frames. The periodic exchange of OAM PDUs must continue during the loopback state to maintain the OAM session.
Note
Restrictions for Dying Gasp and Remote Loopback Initiation
Following restrictions apply for Dying Gasp and Remote Loopback Initiation:
•
•
•
Configuring the Remote Loopback
Complete these steps to enable Ethernet OAM remote loopback on an interface:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring the Dying Gasp
You can configure an error-disable action to occur on an interface if one of the high thresholds is exceeded, if the remote link goes down, if the remote device is rebooted, or if the remote device disables Ethernet OAM on the interface.
Complete these steps to enable Ethernet OAM remote-failure indication actions on an interface:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuration Examples
This example shows how to configure the remote loopback initiation:
Router> enableRouter# configure terminalRouter#(config) interface gigabitethernet 1/7Router(config-if)# ethernet oam remote-loopback supportedRouter(config-if)# endRouter#ethernet oam remote-loopback start interface gigabitEthernet 1/7This example shows how to configure the action on remote-failure reception:
Router> enableRouter# configure terminalRouter#(config) interface gigabitethernet 1/7Router(config-if)# ethernet oam remote-failure dying-gasp action error-disable-interfaceRouter(config-if)# endVerification
This example shows how to verify the configuration:
Router# show ethernet oam status interface gigabitethernet1/7GigabitEthernet1/7General-------Admin state: enabledMode: activePDU max rate: 10 packets per secondPDU min rate: 1 packet per 1 secondLink timeout: 5 secondsHigh threshold action: no actionLink fault action: no actionDying gasp action: error disable interfaceCritical event action: no actionLink Monitoring---------------Status: supported (on)Symbol Period ErrorWindow: 100 x 1048576 symbolsLow threshold: 1 error symbol(s)High threshold: noneFrame ErrorWindow: 10 x 100 millisecondsLow threshold: 1 error frame(s)High threshold: noneFrame Period ErrorWindow: 1000 x 10000 framesLow threshold: 1 error frame(s)High threshold: noneFrame Seconds ErrorWindow: 100 x 100 millisecondsLow threshold: 1 error second(s)High threshold: noneReceive-Frame CRC ErrorWindow: 10 x 100 millisecondsLow threshold: 10 error frame(s)High threshold: noneTransmit-Frame CRC ErrorWindow: 10 x 100 millisecondsLow threshold: 10 error frame(s)High threshold: noneThis example shows the summary of the remote loopback configuration and the status of the operation:
P19_C7609-S#show ethernet oam summarySymbols: * - Master Loopback State, # - Slave Loopback State& - Error Block StateCapability codes: L - Link Monitor, R - Remote LoopbackU - Unidirection, V - Variable RetrievalLocal RemoteInterface MAC Address OUI Mode CapabilityGi1/7 - - - -Support for IEEE 802.1ad
Provider networks handle traffic from a large number of customers. It is important that one customer's traffic is isolated from the other customer's traffic. IEEE 802.1ad implements standard protocols for double tagging of data. The data traffic coming from the customer side are double tagged in the provider network where the inner tag is the customer-tag (C-tag) and the outer tag is the provider-tag (S-tag). The control packets are tunneled by changing the destination MAC address in the provider network.
Cisco 7600 series routers already support VLAN double tagging through a feature called QinQ. 802.1ad is the standardized version of QinQ. It also extends the support for Layer 2 Protocol Tunneling Protocol (L2PT). By offering transparent Layer 2 connectivity, the service provider does not get involved in the customer's Layer 3 network. This makes provisioning and maintenance simple, and reduces the operational cost.
Prerequisites for IEEE 802.1ad
•
Restrictions for IEEE 802.1ad
Follow these restrictions and guidelines when you configure 802.1ad:
•
•
•
•
•
Information About IEEE 802.1ad
To configure IEEE 802.1ad support, you should understand the following concepts:
•
How Provider Bridges Work
Provider bridges pass the network traffic of many customers, and each customer's traffic flow must be isolated from one another. For the Layer 2 protocols within customer domains to function properly, geographically separated customer sites must appear to be connected through a LAN, and the provider network must be transparent.
The IEEE has reserved 33 Layer 2 MAC addresses for customer devices operating Layer 2 protocols. If a provider bridge uses these standard MAC addresses for its Layer 2 protocols, the customers' and service provider's Layer 2 traffic will be mixed together. Provider bridges solve this traffic-mixing issue by providing Layer 2 protocol data unit (PDU) tunneling for customers using a provider bridge (S-bridge) component and a provider edge bridge (C-bridge) component. Figure 4-13 shows the topology.
Figure 4-13
Layer 2 PDU Tunneling
S-Bridge Component
The S-bridge component is capable of inserting or removing a service provider VLAN (S-VLAN) for all traffic on a particular port. IEEE 802.1ad adds a new tag called a Service tag (S-tag) to all the ingress frames from a customer to the service provider.
The VLAN in the S-tag is used for forwarding the traffic in the service provider network. Different customers use different S-VLANs, which results in each customer's traffic being isolated. In the S-tag, provider bridges use an Ethertype value that is different from the standard 802.1Q Ethertype value, and do not understand the standard Ethertype. This difference makes customer traffic tagged with the standard Ethertype appear as untagged in the provider network so customer traffic is tunneled in the port VLAN of the provider port. The 802.1ad service provider user network interfaces (S-UNIs) and network to network interfaces (NNIs) implement the S-bridge component.
For example, a VLAN tag has a VLAN ID of 1, the C-tag Ethertype value is 8100 0001, the S-tag Ethertype value is 88A8 0001, and the class of service (CoS) is zero.
C-tag S-tag
------------------------------------------------------- -----------------------------------------------
0x8100 | Priority bits | CFI | C-VLAN-ID 0x88A8 | Priority bits | 0 | S-VLAN-ID
------------------------------------------------------- -----------------------------------------------
C-Bridge Component
All the C-VLANs entering on a UNI port in an S-bridge component are provided the same service (marked with the same S-VLAN). Although, C-VLAN components are not supported, a customer may want to tag a particular C-VLAN packet separately to differentiate between services. Provider bridges allow C-VLAN packet tagging with a provider edge bridge, called the C-bridge component of the provider bridge. C-bridge components are C-VLAN aware and can insert or remove a C-VLAN 802.1Q tag. The C-bridge UNI port is capable of identifying the customer 802.1Q tag and inserting or removing an S-tag on the packet on a per service instance or C-VLAN basis. A C-VLAN tagged service instance allows service instance selection and identification by C-VLAN. The 802.1ad customer user network interfaces (C-UNIs) implement the C-component.
MAC Addresses for Layer 2 Protocols
Customers' Layer 2 PDUs received by a provider bridge are not forwarded, so Layer 2 protocols running in customer sites do not know the complete network topology. By using a different set of addresses for the Layer 2 protocols running in provider bridges, IEEE 802.1ad causes customers' Layer 2 PDUs entering the provider bridge to appear as unknown multicast traffic and forwards it on customer ports (on the same S-VLAN). Customers' Layer 2 protocols can then run transparently.
Table 4-38 shows the Layer 2 MAC addresses reserved for the C-VLAN component.
Table 4-39 shows the Layer 2 MAC addresses reserved for an S-VLAN component. These addresses are a subset of the C-VLAN component addresses, and the C-bridge does not forward the provider's bridge protocol data units (BPDUs) to a customer network.
Guidelines for Handling BPDU
The general BPDU guidelines are listed here:
UNI-C Ports
The guidelines pertaining to UNI-C ports are:
•
•
Table 4-40 shows the Layer 2 PDU destination MAC addresses for customer-facing C-bridge UNI ports, and how frames are processed.
UNI-S Ports
The guidelines pertaining to UNI-S ports are:
•
•
•
Table 4-41 shows the Layer 2 PDU destination MAC addresses for customer-facing S-bridge UNI ports, and how frames are processed.
NNI Ports
The Dot1add NNI ports behave in the same way as the customer facing S-bridge ports, with the following exceptions:
•
•
7600 Action Table
Table 4-42 lists the actions performed on a packet when the packet is received with a specified destination MAC address.
Interoperability of QinQ and Dot1ad
The interoperability of QinQ and Dot1ad network enables the exchange of data frames between the networks. The 802.1Q network outer tag VLANs are mapped to the provider S-VLANs of the 802.1ad network.
Figure 4-14 illustrates the interoperability of a Dot1ad network and a QinQ network.
Figure 4-14
Interoperability of Dot1ad Network and a QinQ Network
How to Configure IEEE 802.1ad
This section contains the information about following procedures:
•
•
•
•
•
•
•
•
Configuring a Switchport
A switchport can be configured as a UNI-C port, UNI-S port, or NNI port.
UNI-C Port
A UNI-C port can be configured as either a trunk port or an access port. Perform the following tasks to configure a UNI-C port as an access port for 802.1ad.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Perform the following tasks to configure a UNI-C port as a trunk port for 802.1ad.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
UNI-S Port
On a UNI-S port, all the customer VLANs that enter are provided with the same service. The port allows only access configuration. In this mode, the customer's port is configured as a trunk port. Therefore, the traffic entering the UNI-S port is tagged traffic.
Perform the following tasks to configure a UNI-S port as an access port for 802.1ad.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
NNI Port
NNI port allows only trunk configuration. On an NNI port, the frames received on all the allowed VLANs are bridged to the respective internal VLANs.
Perform the following tasks to configure an NNI port as a trunk port for 802.1ad.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to configure a UNI-C port as an access port. In this example, all the frames that are received are bridged to one internal VLAN 1000. The transmitted frames do not have the access VLAN Dot1q tag.
Router# configure terminalRouter(config)# interface gig2/1Router(config-if # ethernet dot1ad uni c-portRouter(config-if)# switchportRouter(config-if)# switchport mode accessRouter(config-if)# switchport access vlan 1000The following example shows how to configure a UNI-C port as a trunk port. In this example, all the frames that are received on all allowed VLANs (1000 and 2000) are bridged to the respective internal VLANs. The transmitted frames have the respective internal VLAN Dot1q tag.
Router# configure terminalouter(config)# interface gig2/1Router(config-if)# ethernet dot1ad uni c-portRouter(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport access vlan 1000, 2000
The following example shows how to configure a UNI-S port. In this example, all the frames that are received are bridged to one internal VLAN (999). The transmitted frames do not have the access VLAN Dot1q tag.
Router# configure terminalRouter(config)# interface gig2/1Router(config-if)# switchportRouter(config-if)# switchport mode accessRouter(config-if)# ethernet dot1ad uni s-portRouter(config-if)# switchport access vlan 999The following example shows how to configure an NNI port. Only trunk configuration is allowed on an NNI port. In this example, all the frames that are received on all the allowed VLANs (999) are bridged to the respective internal VLANs. The transmitted frames have the respective internal VLAN Dot1q tag.
Router# configure terminalRouter(config)# interface gig2/1Router(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# ethernet dot1ad nniRouter(config-if)# switchport trunk allowed vlan 999
The following example shows how to configure Dot1ad on an SVI:
Router# configure terminalRouter(config)# interface gig2/1Router(config-if)# ethernet dot1ad nniRouter(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 999
Router(config)# interface vlan 999
Router(config-if)# ip address 1.2.3.4 255.255.0.0Configuring a Layer 2 Protocol Forward
Perform the following tasks to configure the Layer 2 protocol forward:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
The following example shows how to configure a Layer 2 protocol forward:
Router# configure terminalRouter(config)# interface gig3/0Router(config-if)# switchport access vlan 500Router(config-if)# ethernet dot1ad uni s-portRouter(config-if)# l2protocol forward vtpConfiguring a Switchport for Translating QinQ to 802.1ad
Translating a QinQ port to 802.1ad involves configuring the port connecting to QinQ port and NNI port.
Perform the following tasks to configure a port connecting to the QinQ port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to translate a QinQ port to 802.1ad. In this example, the peer router to gig1/1 multiplexes various customer VLANs into VLAN 1000.
Router# configure terminalRouter(config)# interface gig1/1Router(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1000
Router# configure terminalRouter(config)# interface gig4/0Router(config-if)# ethernet dot1ad nniRouter(config-if)# switchportRouter(config-if)# switchport mode trunkRouter(config-if)# switchport trunk allowed vlan 1000,1199
Configuring a Switchport (L2PT)
Configuring the switchport for L2PT is required to tunnel the STP packets from a customer on the dot1ad network to a customer on the QinQ network.
Perform the following tasks to configure the port connecting to the customer.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
The following example shows how to tunnel the STP packets from a customer on the Dot1ad network to a customer on a QinQ network:
Router# configure terminalRouter(config)# interface gig1/0Router(config-if)# switchportRouter(config-if)# ethernet dot1ad uni s-portRouter(config-if)# no l2protocol forwardRouter(config-if)# l2protocol-tunnel stpRouter(config-if)# switchport mode access
Router# configure terminalRouter(config)# interface gig4/0Router(config-if)# switchportRouter(config-if)# ethernet dot1ad nniRouter(config-if)# switchport mode trunkConfiguring a Customer-Facing UNI-C Port with EVC
Perform the following tasks to configure a UNI-C port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Examples
The following example shows how to configure a customer-facing UNI port. In this example, a dot1q frame coming on VLAN 50 matches service instance 1, and on the ingress port, the rewrite command pushes the 1000 outer-vlan.
Router# configure terminalRouter(config)# interface gig1/1Router(config-if)# ethernet dot1ad uni c-portRouter(config-if)# service instance 1 ethernetRouter(config-if)# encapsulation dot1q 1-100Router(config-if)# bridge-domain 1000
Router(config-if)# service instance 2 ethernet
Router(config-if)# encapsulation dot1q 102-4904
Router(config-if)# bridge-domain 500
Router# configure terminalRouter(config)# interface gig4/1Router(config-if)# ethernet dot1ad nniRouter(config-if)# service instance 1 ethernetRouter(config-if)# encapsulation dot1q 1000 second dot1q 1-100Router(config-if)# rewrite ingress tag pop 1 symmetric Router(config-if)# bridge-domain 1000 Router(config-if)# service instance 2ethernetRouter(config-if)# encapsulation dot1q 500 second dot1q 102-4904Router(config-if)# rewrite ingress tag pop 1 symmetric
Router(config-if)# bridge-domain 500Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC
Perform the following tasks to configure a UNI-C port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to configure a customer-facing UNI-C port and switchport on NNI with EVC:
Router# configure terminalRouter(config)# interface gig1/1Router(config-if)# ethernet dot1ad uni c-portRouter(config-if)# service instance 1 ethernetRouter(config-if)# encapsulation dot1q 1-100Router(config-if)# bridge-domain 1000
Router(config-if)# service instance 2 ethernet
Router(config-if)# encapsulation dot1q 102-4904
Router(config-if)# bridge-domain 500
Router# configure terminalRouter(config)# interface gig4/0Router(config-if)# switchport
Router(config-if)# ethernet dot1ad uni
Router(config-if)# switchport mode trunk
Router(config-if)# switchport allowed vlan 1000,500Configuring a Customer-Facing UNI-S Port with EVC
Perform the following tasks to configure a UNI-S port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
The following example shows how to configure an NNI port:
Router# configure terminalRouter(config)# interface gig1/1Router(config-if)# service instance 1 ethernetRouter(config-if)# ethernet dot1ad nniRouter(config-if)# encapsulation dot1q 1000Router(config-if)# rewrite ingress tag pop 1 symmetric Router(config-if)# bridge-domain 1000Configuring a Layer 3 Termination
Perform the following tasks to configure a Layer 3 termination.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to configure a Layer 3 termination. Note that Layer 3 is supported only on trunk interfaces.
Router# configure terminalRouter(config)# interface gig3/0Router(config-if)# ethernet dot1ad nniRouter(config)# interface gig3/0/0.1Router(config-if)# encapsulation dot1q 10 second dot1q 10Router(config-if)# ip address 1.2.3.4 255.255.0.0
The following example shows how to configure a Layer 3 termination on an SVI:
Router# configure terminalRouter(config)# interface gig4/1Router(config-if)# ethernet dot1ad nniRouter(config-if)# service instance 1 ethernetRouter(config-if)# encapsulation dot1q 200 second dot1q 300Router(config-if)# rewrite ingress tag pop 2 symmetric Router(config-if)# bridge-domain 50 Router(config-if)# service instance 2 ethernetRouter(config-if)# encapsulation dot1q 300Router(config-if)# rewrite ingress tag pop 1 symmetric Router(config-if)# bridge-domain 60Router(config)# interface vlan 50Router(config-if)# ip address 2.3.4.5 255.255.0.0
Router(config)# interface vlan 60Router(config-if)# ip address 3.4.5.6 255.255.0.0
Displaying a Dot1ad Configuration
You can display a Dot1ad configuration using the show ethernet dot1ad command. This command displays the Dot1ad configuration for all interfaces. To display the configuration on a particular interface, use the show ethernet dot1ad interface command.
The following example shows how to display a Dot1ad configuration on all interfaces:
Router# show ethernet dot1adInterface: GigabitEthernet4/0/1DOT1AD C-Bridge PortL2protocol pass cdp stp vtp dtp pagp dot1x lacpInterface: GigabitEthernet4/0/2DOT1AD C-Bridge PortL2protocol pass cdp stp vtp dtp pagp dot1x lacpTroubleshooting Dot1ad
The following section describes how to troubleshoot Dot1ad.
Note
•
Run the following command to verify the Dot1ad configuration:
XYZ-PE1-dfc1# show platform npc switchport interface gi 1/2[GigabitEthernet1/2]status [valid, -, applied, enabled]src_index [0x1]rpcb [0x178BB9C4]xlif_id [4097]xlif_handle [type:[3] hwidb:[0x20E97F08] if_number:[1121]]ft_bits [0x2]ing_ctrl_ft_bits [0x2]egr_ctrl_ft_bits [0x2]port vlan [1]mode ingress [NORMAL] egress [NORMAL]dot1q_tunnel [No]native tagging [No]PVLAN isolated or community [No] promiscuous [No]ingress vlan-translation [No] BPDU [No]egress vlan-translation [No] BPDU [No]dot1ad [Yes] <<<<<<<<<<<<ethertype [0x88A8] <<<<<<<<<<<Ingress Stat ID: 778698Egress Stat ID: 778700VLAN List:1num of vlans [1]XYZ-PE1-dfc1#•
Run the following command to verify the Dot1ad configuration:
XYZ-PE1-dfc1# show platform npc xlif interface gi 1/2 efp 1EFP XLIF(GigabitEthernet1/2, efp1)[np0] = 4136Ingress XLIF table fieldsFeature common enable: 0x1Feature enable: 0x1Feature bits: 0x1Control common bits: 0x0Control feature bits: 0x0Control rewrite opcode: 0x0Reserved 1: 0x0Match cond 0x1Entry valid: 0x1Dbus VLAN: 30QoS policy ID: 0ACL ID: 0Statistics ID: 450976Inner rewrite VLAN: 0Outer rewrite VLAN: 0QoS flow ID: 0Feature data: 00000000 40000000 AAA80000 E0000829EFP admin down state 0x0----- Bridge data ------layer2_acl_index: 0x00000000evc_feat_data.ip_src_guard : 0x0evc_feat_data.mst_evc : 0x1evc_feat_data.layer2_acl : 0x0EVC - Mac Security: 0x0evc_feat_data.sacl : 0x0evc_feat_data.layer2_acl_statid: 0PDT: 0xAAA8ipsg_label: 0block_data: 0x0block_l2bpdu: 0x0split_h: 0x0imp_ltl: 0x0829EFP dot1ad port type 0x3 <<<<<<<<EFP CDP forward 0x1 <<<<<<<<EFP DTP forward 0x0EFP VTP forward 0x0EFP STP forward 0x0EFP DOT1X forward 0x0Egress XLIF table fieldsFeature common enable: 0x1Feature enable: 0x1Feature bits: 0x01Control common bits: 0x00Control feature bits: 0x00Control rewrite opcode: 0x00Port: 0x1Match cond 0x1Entry valid: 0x1Dbus VLAN: 30QoS policy ID: 0ACL ID: 0Statistics ID: 450980Inner rewrite VLAN: 0Outer rewrite VLAN: 0QoS flow ID: 0IP Session en : 0Multicast en : 0Feature data 0 0x00000000Intf etype: 0x00008064Post Filter Opcode 0x00000008Pre Filter Opcode 0x00000000Pre Tag Outer 0x00000000Pre Tag Inner 0x00000000Post Filter Vlan high 0x00000064Post Filter Vlan low 0x00000064Post Filter Vlan outer 0x00000000EVC - MST: 0x1EVC etype 0x8100CFM MEP Level 0x00000008CFM MIP Level 0x00000008CFM disable 0x0MIP filtering 0x0block_data: 0x0block_l2bpdu: 0x0sacl: 0x0sacl index: 0x0000sacl statid: 0x00000XYZ-PE1-dfc1#XYZ-PE1-dfc1#•
Run the following command to verify the L2protocol forwarding:
XYZ-PE1-dfc1# show platform npc xlif 0 port_sram 1........................dot1ad port type: 0x0002 <<<<<<<<<l2proto cdp fwd: 0x0001 <<<<<<<<<l2proto dtp fwd: 0x0000l2proto vtp fwd: 0x0000l2proto stp fwd: 0x0000l2proto dot1x fwd: 0x0000..............................................•
For switchports, run the following command:
XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg port <port-num>For EVCs, run the following command:
XYZ-PE1-dfc1# show platform soft efp-client interface gi x/0/y efp-id l2protocfgTo display the default values, run the following commands:
XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults ?<0-2> 0=c-uni, 1=s-uni, 2=nniXYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults 0 ?<0-2> 0=L3, 1=BD, 2=XCONXYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults 0 2Raw Data :000FFF77 FFFCFF51L2 Proto Configs :Protocol IEEE CISCO------------------------------------CDP : FRWD FRWDVTP : FRWD FRWDDTP : FRWD FRWDOthers : PEER PEER802.1d protocols : 01:80:C2:00:00:XXXX | Config XX | Config XX | Config XX | Config----------- ----------- ----------- -----------00 : PEER 01 : DROP 02 : PEER 03 : PEER04 : FRWD 05 : FRWD 06 : FRWD 07 : FRWD08 : DROP 09 : FRWD 0A : FRWD 0B : FRWD0C : FRWD 0D : FRWD 0E : FRWD 0F : FRWDAll Bridge (0180C2000010)= FRWDGroup = PEERPVST = FRWDY.1731 Performance Monitoring
When service providers sell connectivity services to a subscriber, a Service Level Agreement (SLA) is reached between the buyer and seller of the service. The SLA defines the attributes offered by a provider and serves as a legal obligation on the service provider. As the level of performance required by subscribers increases, service providers need to monitor the performance parameters being offered. In order to capture the needs of the service providers, organizations have defined various standards such as IEEE 802.1ag and ITU-T Y.1731 that define the methods and frame formats used to measure performance parameters.
Y.1731 Performance Monitoring (PM) provides a standard ethernet PM function that includes measurement of ethernet frame delay, frame delay variation, frame loss, and frame throughput measurements specified by the ITU-T Y-1731 standard and interpreted by the Metro Ethernet Forum (MEF) standards group. As per recommendations, the 7600 platform should be able to send, receive and process PM frames in intervals of 10ms (100 frames per second) with the maximum recommended transmission period being 100ms (10 frames per second) for any given service.
To measure SLA parameters such as frame delay or frame delay variation, a small number of synthetic frames are transmitted along with the service to the end point of the maintenance region, where the Maintenance End Point (MEP) responds to the synthetic frame. For a function such as connectivity fault management, the messages are sent less frequently, while performance monitoring frames are sent more frequently.
Figure 4-15 illustrates Maintenance Entities (ME) and Maintenance End Points (MEP) typically involved in a point-to-point metro ethernet deployment for the Y.1731 standard.
Figure 4-15 A point-to-point metro Ethernet deployment with typical Maintenance Entities and Maintenance Points
Following are the performance monitoring parameters:
•
•
•
Connectivity
The first step to performance monitoring is verifying the connectivity. Continuity Check Messages (CCM) are best suited for connectivity verification, but is optimized for fault recovery operation. It is usually not accepted as a component of an SLA due to the timescale difference between SLA and Fault recovery. Hence, Connectivity Fault Management (CFM) and Continuity Check Database (CCDB) are used to verify connectivity. For more information on CFM see IEEE 802.1ag-2007 Compliant CFM.
Frame Delay and Frame Delay Variation
Ethernet frame Delay Measurement (ETH-DM) is used for on-demand ethernet Operations, Administration & Maintenance (OAM) to measure frame delay and frame delay variation.
Ethernet frame delay and frame delay variation are measured by sending periodic frames with ETH-DM information to the peer MEP and receiving frames with ETH-DM information from the peer MEP. During the interval, each MEP measures the frame delay and frame delay variation.
Ethernet frame delay measurement also collects useful information, such as worst and best case delays, average delay, and average delay variation. Ethernet frame delay measurement supports hardware-based timestamping in the ingress direction. It provides a runtime display of delay statistics during a two-way delay measurement. Ethernet frame delay measurement records the last 100 samples collected per remote Maintenance End Point (MEP) or per CFM session.
These are the two methods of delay measurement, as defined by the ITU-T Y.1731 standard:
•
Each MEP transmits frames with one-way ETH-DM information to its peer MEP in a point-to-point ME to facilitate one-way frame delay and/or one-way frame delay variation measurements at the peer MEP. One way frame delay requires clock to be synchronized at both ends while frame delay variation doesn't require clock synchronization. It is measured using a single delay measurement (1DM) or Delay Measurement Message (DMM) and Delay Measurement Reply (DMR) frame combination.•
Each MEP transmits frames with ETH-DM request information to its peer MEP and receives frames with ETH-DM reply information from its peer MEP. Two way frame delay and frame delay variation is measured using DMM and DMR frame.These are the pre-requisites for 1DM measurements:
–
–
–
Note
For a 7600 router that does not have 2-Port Gigabit Synchronous Ethernet SPA, delay measurement is done by using the timestamps with Network Time Protocol (NTP) as the time source protocol. This is applicable only to One-way delay measurements.
To initiate Time of Day (ToD) synchronization on a line card, use the platform time-source command in global configuration mode.Frame Loss Ratio and Availability
Ethernet frame Loss Measurement (ETH-LM) is used to collect counter values applicable for ingress and egress service frames where the counters maintain a count of transmitted and received data frames between a pair of MEPs.
ETH-LM transmits frames with ETH-LM information to a peer MEP and similarly receives frames with ETH-LM information from the peer MEP. Each MEP performs frame loss measurements which contribute to unavailable time. A near-end frame loss refers to frame loss associated with ingress data frames. Far-end frame loss refers to frame loss associated with egress data frames. Both near-end and far-end frame loss measurements contribute to near-end severely errored seconds and far end severely errored seconds which together contribute to unavailable time.
These are the two methods of frame loss measurement, defined by the ITU-T Y.1731 standard:
•
•
Supported Interfaces
Y.1731 PM supports these interfaces:
•
•
•
•
•
•
•
•
Note
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure Y.1731 PM on an ES+ line card:
•
•
•
•
•
•
–
–
–
–
•
•
•
•
These are the restrictions for PM support on Port-channel:
•
•
•
•
Note
The command [no] ethernet cfm distribution enable disables the CFM distribution functionality. This is necessary to avoid performance hits due to the distributing CFM functionality. This command is disabled by default.
Configuring One Way Delay Measurement
To configure one way delay measurement, complete these steps:
Note
Summary Steps
1.
2.
On the receiver:
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
On the sender:
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
Detailed Steps
Configuration Example
This example displays the configuration of one way frame delay measurement. Before you begin, configure the receiver, schedule it to pending state, configure the sender and then start the session on it.
Router# enableRouter# configure terminalOn receiverRouter(config)#ip sla 1Router(config-ip-sla)# ethernet y1731 delay receive 1DM domain r3 evc e3 cos 3 mpid 401Router(config-sla-y1731-delay)#history interval 5Router(config-sla-y1731-delay)#aggregate interval 60Router(config)#exitRouter(config)#ip sla schedule 1 start-time pendingOn SenderRouter(config)# ip sla 1Router(config-ip-sla)# Router(config-ip-sla)# ethernet y1731 delay 1DM domain r3 evc e3 mpid 500 cos 3 source mpid 400Router(config-sla-y1731-delay)# history interval 5Router(config-sla-y1731-delay)# aggregate interval 60Router(config)#exitRouter(config)#ip sla schedule 1 start-time after 00:00:30Router# endConfiguring Two-Way Delay Measurement
To configure a Two-Way Delay Measurement, complete these steps:
Summary Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Detailed Steps
Configuration Example
The following example configures a two way frame delay measurement
Router# enableRouter# configure terminalRouter(config)# ip sla 1Router(config-ip-sla)# ethernet y1731 delay DMM domain ifm_400 evc e1 mpid 401 cos 4 source mpid 1Router(config-sla-y1731-delay)# history interval 5Router(config-sla-y1731-delay)# aggregate interval 60Router(config-sla-y1731-delay)#exitRouter(config)#ip sla schedule 1 start-time after 00:00:30Router(config)#exitConfiguring Single Ended Frame Loss Measurement
To configure single ended frame loss measurement, complete these steps:
Note
Summary Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
Detailed Steps
Configuration Example
This example displays the configuration of single ended frame loss measurement:
Router# enableRouter# configure terminalRouter(config)# ip sla 1Router(config-ip-sla)# ethernet y1731 loss LMM domain r3 vlan 200 mpid 10 cos 3 source mpid 5Router(config-sla-y1731-loss)# frame interval 5Router(config-sla-y1731-loss)# aggregate interval 60Router(config-sla-y1731-loss)# exitRouter(config)# ip sla schedule 1 life forever start-time nowRouter(config)# exit
This example displays the configuration of the command monitor loss counter {priority value} under the EVC CFM sub-config mode:
interface GigabitEthernet3/5no ip addressservice instance 1 ethernet e3encapsulation dot1q 200bridge-domain 200cfm mep domain r3 mpid 5monitor loss counter priority 0-4!end
Note
Verifying the Frame Delay and Frame Loss Measurement Configurations
•
Router# show ip sla statistics nDelay Statistics for Operation nType of operation: Y1731 Delay MeasurementLatest operation start time: *21:37:08.895 PST Thu Aug 20 2009Latest operation return code:Distribution Statistics:Interval <n>Start time:Elapsed/End time:Number of measurements initiated: <x>Number of measurements completed: <x>Flag: OKDelay:Max/Avg/Min forward: x/y/z -> Min is only shown if clocks are in syncMax/Avg/Min backward: x/y/z -> Only for two-wayMax/Avg/Min: x/y/z -> Only for two-wayTimestamps forward: Max - 21:37:08.895 PST Thu Aug 20 2009/Min - 21:37:08.995 PST Thu Aug 20 2009Timestamps backward: Max - xxx/Min - yyyTimestamps: Max - xxx/Min - yyyBucket Forward:Bucket Range: 0-9 ms:Total observations: <x>Bucket Range: 10-19 ms:Total observations: <x>Bucket Range: 20-29 ms:Total observations: <x>Bucket Range: 30-39 ms:Total observations: <x>Delay VarianceMax/Avg/Min forward: x/y/z -> Min is only shown if clocks are in syncMax/Avg/Min backward: x/y/z -> Only for two-wayMax/Avg/Min: x/y/z -> Only for two-wayBucket Forward:Bucket Range: 0-9 ms:Total observations: <x>Bucket Range: 10-19 ms:Total observations: <x>Bucket Range: 20-29 ms:Total observations: <x>Bucket Range: 30-39 ms:Total observations: <x>Operation time to live: Forever•
Router# show ip sla statistics nDelay Statistics for Operation nType of operation: Y1731 Loss MeasurementLatest operation start time: *21:37:08.895 PST Thu Aug 20 2009Latest operation return code:Distribution Statistics:Interval <n>LossStart time:Elapsed/End time:Number of measurements initiated: <x>Number of measurements completed: <x>Flag: OKForwardTx frame count:Rx frame count:Available indicators:Unavailable indicators:Max/Avg/Min(FLR %): 3/2/1Max/Avg/Min (FLR Numerator:Denominator)forward: xNum:xDen/yNum:yDen/zNum:zDenTimestamps forward: Max - 21:37:08.895 PST Thu Aug 20 2009/Min - 21:37:08.995 PST Thu Aug 20 2009BackwardTx frame count:Rx frame count:Available indicators:Unavailable indicators:Max/Avg/Min(FLR %): 3/2/1Max/Avg/Min (FLR Numerator:Denominator)backward: xNum:xDen/yNum:yDen/zNum:zDenTimestamps forward: Max - 21:37:08.895 PST Thu Aug 20 2009/Min - 21:37:08.995 PST Thu Aug 20 2009Operation time to live: Forever•
Router# show ip sla statistics detailIPSLAs Latest Operation StatisticsIPSLA operation id: 3Delay Statistics for Y1731 Operation 3Type of operation: Y1731 Delay MeasurementLatest operation start time: *00:00:00.000 PST Mon Jan 1 1900Latest operation return code: OKDistribution Statistics:Interval 1Type: DelayStart time: *00:00:00.000 PST Mon Jan 1 1900Elapsed/End time: *00:00:00.000 PST Mon Jan 1 1900Number of measurements initiated: 0Number of measurements completed: 0Flag: OKDelay:Max/Avg/Min TwoWay: 140116936/140116944/140116952Timestamps TwoWay: Max - *00:00:00.000 PST Mon Jan 1 1900/Min - *00:00:00.000 PST Mon Jan 1 1900Bucket forward:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket backward:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket TwoWay:Bucket Range: 0-0 microsecondTotal observations: 0Bucket Range: 1-1 microsecondTotal observations: 0Bucket Range: 2-2 microsecondTotal observations: 0Bucket Range: 3-3 microsecondTotal observations: 0Bucket Range: 4--2 microsecondTotal observations: 0Delay Variance:Max/Avg backward positive: 140116936/140116944Timestamp backward positive: Max - *00:00:00.000 PST Mon Jan 1 1900Max/Avg backward negative: 140116936/140116944Timestamp backward negative: Max - *00:00:00.000 PST Mon Jan 1 1900Max/Avg TwoWay positive: 140116936/140116944Timestamp TwoWay positive: Max - *00:00:00.000 PST Mon Jan 1 1900Max/Avg TwoWay negative: 140116936/140116944Timestamp TwoWay negative: Max - *00:00:00.000 PST Mon Jan 1 1900Bucket forward positive:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket forward negative:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket backward positive:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket backward negative:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0Bucket TwoWay positive:Bucket Range: 0-4999 microsecondTotal observations: 0Bucket Range: 5000-9999 microsecondTotal observations: 0Bucket Range: 10000-14999 microsecondTotal observations: 0Bucket Range: 15000-19999 microsecondTotal observations: 0Bucket Range: 20000-24999 microsecondTotal observations: 0Bucket Range: 25000-29999 microsecondTotal observations: 0Bucket Range: 30000-34999 microsecondTotal observations: 0Bucket Range: 35000-39999 microsecondTotal observations: 0Bucket Range: 40000-44999 microsecondTotal observations: 0Bucket Range: 45000--2 microsecondTotal observations: 0•
Output for Loss Measurement:Router# show ip sla history 1 interval-statisticsLoss Statistics for Y1731 Operation 1Type of operation: Y1731 Loss MeasurementLatest operation start time: *09:46:16.225 UTC Fri Nov 26 2010Latest operation return code: OKDistribution Statistics:Interval 1Start time: *09:46:16.225 UTC Fri Nov 26 2010End time: *09:48:16.221 UTC Fri Nov 26 2010Number of measurements initiated: 12006Number of measurements completed: 12000Flag: OKForwardNumber of Observations 11999Timestamps forward:Max - *09:47:20.252 UTC Fri Nov 26 2010/ Min - *09:48:16.221 UTC Fri Nov 26 2010Tx frame count: 30000Rx frame count: 20000Available indicators: 11999Unavailable indicators: 0Max/Avg/Min - (FLR % ): 1:3/2.78%/0:0BackwardNumber of Observations 11999Timestamps backward:Max - *09:48:16.221 UTC Fri Nov 26 2010/ Min - *09:48:16.221 UTC Fri Nov 26 2010Tx frame count: 10000Rx frame count: 10000Available indicators: 11999Unavailable indicators: 0Max/Avg/Min - (FLR % ): 0:0/0.0%/0:0Output for Delay Measurement:Router#show ip sla history 10 interval-statisticsDelay Statistics for Y1731 Operation 10Type of operation: Y1731 Delay MeasurementLatest operation start time: 10:58:30.144 PDT Tue Jan 4 2011Latest operation return code: TimeoutDistribution Statistics:Interval 1Start time: 10:58:30.144 PDT Tue Jan 4 2011End time: 10:59:05.140 PDT Tue Jan 4 2011Number of measurements initiated: 33Number of measurements completed: 34Flag: OKDelay:Number of TwoWay observations: 34Max/Avg/Min TwoWay: 113364/100499/100099 (microsec)Time of occurrence TwoWay:Max - 10:59:05.140 PDT Tue Jan 4 2011Min - 10:58:40.076 PDT Tue Jan 4 2011Bin TwoWay:Bin Range (microsec) Total observations0 - < 5000 05000 - < 10000 010000 - < 15000 015000 - < 20000 020000 - < 25000 025000 - < 30000 030000 - < 35000 035000 - < 40000 040000 - < 45000 045000 - < 4294967295 34Delay Variance:Number of TwoWay positive observations: 19Max/Avg TwoWay positive: 13256/706 (microsec)Time of occurrence TwoWay positive:Max - 10:59:05.140 PDT Tue Jan 4 2011Number of TwoWay negative observations: 14Max/Avg TwoWay negative: 86/11 (microsec)Time of occurrence TwoWay negative:Max - 10:58:40.076 PDT Tue Jan 4 2011Bin TwoWay positive:Bin Range (microsec) Total observations0 - < 5000 185000 - < 10000 010000 - < 15000 115000 - < 20000 020000 - < 25000 025000 - < 30000 030000 - < 35000 035000 - < 40000 040000 - < 45000 045000 - < 4294967295 0Bin TwoWay negative:Bin Range (microsec) Total observations0 - < 5000 145000 - < 10000 010000 - < 15000 015000 - < 20000 020000 - < 25000 025000 - < 30000 030000 - < 35000 035000 - < 40000 040000 - < 45000 045000 - < 4294967295 0•
Router# show ethernet cfm pm session summaryNumber of Configured Session : 1Number of Active Session: 1Number of Inactive Session: 0Troubleshooting
These troubleshooting scenarios apply to the Y.1731 performance monitoring configurations:
IP and PPPoE Session Support
Intelligent Services Gateway (ISG) is a Cisco IOS software feature provides a structured framework for the edge devices to deliver flexible and scalable services to subscribers. ISG supports IP sessions for subscribers who connect to ISG from routed or Layer 2 access networks. From Cisco IOS Release 12.2(33)SRE onwards, the ISG: Subscriber Aware Ethernet feature provides Intelligent Services Gateway (ISG) functionality in distributed IP and PPPoE sessions on Cisco 7600 series routers that have Ethernet Services Plus (ES+) access-facing line cards.
IP sessions, representing a single IP address, collates the traffic received from a single IP source address, and classifies, identifies and provides services to subscribers. If the IP address is not unique, VRF or interface is used as unique identifiers. IP addressees can overlap only across VRF, and if two interfaces have the same VRF, they cannot have overlapping IP addresses. However, overlapping IP addresses are also supported for MAC based identification.
Note
IP sessions are hosted for the following connected subscriber devices:
•
•
This feature is supported on the following interfaces in a ES+ line card:
•
•
This feature supports the following sessions in a ES+ line card:
•
•
•
•
•
•
•
•
IP Address Assignment
•
•
•
IP interface: ISG is not involved in the assignment of subscriber IP addresses.
IP Subnet (IP Range) Sessions
A client subnet identifies a IP Subnet session and applies uniform edge processing to packets associated with a particular IP subnet. IP Subnet sessions are hosted for clients directly connected or over multiple hops. The following functionalities are not supported on IP Subnet Sessions, but are supported on IP Sessions:
•
•
•
IP Interface Sessions
In an IP Interface session, all the traffic received on a particular physical or logical interface is collated. However, dynamic VRF transfer is not supported in an IP interface session and, VRF transfer can only be used with static VRF configuration. Irrespective of the subscriber logged in, a session is created by default.
PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)
The 1:1 redundancy on a port channel coupled with Link Aggregation Control Protocol (LACP) dynamically handles the member links in a port channel bundle. A port channel has two members, of which one member is active and the other is in standby or redundant mode. The member ports can be across line cards, but must originate from Ethernet Services Plus (ES+) line card. At any given point of time, one link is on the physical mode.
The following sessions support 1:1 redundancy in a ES+ line card:
•
•
•
Note
PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer Ethertype
This feature enables you to implement PPPoE and IPoE session (ISG functions) on QinQ subinterfaces that are configured with custom ethertype. The custom ethertype implemented on the main interface is inherited by all the subinterfaces. To implement this feature, use dot1q tunnel ethertype command on main interface for the respective QinQ subinterfaces.
If the outer VLAN tag on a PPPoE or IPoE session packet matches the custom ethertype VLAN settings on the QinQ subinterface, the packets are accepted otherwise the packets are dropped. You can set the outer VLAN tag to the following values:
•
•
•
•
The PPPoE or IPoE session does not come up if there is ethertype mismatch between ISG and the client. For example, if the outer VLAN tag on a packet is set to 0x9100 and the interface is configured using custom ethertype to accept only packets with 0x88a8 VLAN tag, the packet will be dropped in the QinQ subinterface.
You can configure QinQ on both the access and non-access sub-interfaces. The following code shows how to define an interface with access sub-interface, create a VLAN QinQ subinterface, and enable PPPoE session:
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 1/0/0Router(config-if)# dot1q tunneling ethertype 0x9100Router(config-if)# interface gigabitethernet 1/0/0.100 accessRouter(config-subif)# encapsulation dot1q 100 second-dot1q 200Router(config-subif)# ip subscriber interfaceRestrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure an IP or a PPPoE sessions on an ES+ linecard:
•
•
•
•
•
•
•
•
Follow these restrictions and usage guidelines when you configure 1:1 redundancy on a ES+ linecard:
•
•
•
•
•
•
•
•
•
•
•
Verification
This section lists the commands to display configuration information.
•
Router-DJ4-dfc9#sh debugCWAN iEdge LC:CWAN iEdge LC session event debug debugging is onX40G XLIF Client:XLIF NP events debugging is onRouter-DJ4-dfc9# sh logSyslog logging: enabled (0 messages dropped, 4 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)No Active Message Discriminator.No Inactive Message Discriminator.Console logging: disabledMonitor logging: level debugging, 0 messages logged, xml disabled,filtering disabledBuffer logging: level debugging, 308 messages logged, xml disabled,filtering disabledException Logging: size (4096 bytes)Count and timestamp logging messages: disabledPersistent logging: disabledLog Buffer (1000000 bytes):Nov 19 16:08:48.247 IST: DFC9: provision_pppoe_routed_ac: switch_info 2CDEC4A4 seghandle 2CD93474 uid 40 if_number 80Nov 19 16:08:48.247 IST: DFC9: type 1 2 0opaque handle = 0x186DAB48Nov 19 16:08:48.247 IST: DFC9: inserting 186DAB48 105 40Nov 19 16:08:48.247 IST: DFC9: cwan_iedge_session_pending_timer startedNov 19 16:08:48.247 IST: DFC9: no dbus vlan session pending on int 105Nov 19 16:08:48.251 IST: DFC9: cwan_iedge_update_dbus_vlan: Session 40 gets hidden vlan 1020 through update for Virtual-Access2.1Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_common_session_notify: cfg_type 2 va_if_num 105 phy_if_num 80 uid 0action 0Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_get_session_config: sess_type 2 if_num 105 pid 0Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_get_pppoe_config: if_num 80 va_if_num 105 vlan 1020 sess-id 40 cond_debug offNov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_create Cfn[965F2BC] Creating Xlif: GigabitEthernet9/5 Xid[0] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_create_internal successfully created xlif: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_eg_xlif_update_port Cfn[92D1658] Xlif Update Port 4 : GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_tag_rewrite Cfn[965F334] Tag(i-0, o-2) Dir[2]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_dbus_vlan Cfn[965F36C] Updatng Dbus Vlan 1020: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_stats_id Cfn[965D780] Updatng StatId 599056 Dir[0]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_stats_id Cfn[965D8A8] Updatng StatId 599064 Dir[1]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_fwd_feat_enable Cfn[965F3BC] Xlif Fwd Feat 0x1 Enable 1 : GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_enable Cfn[965F3F0] Xlif Enable 1: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_feat_info Cfn[965F604] Xlif update feature Dir[0]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_feat_info Cfn[965F700] Xlif update feature Dir[1]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]Router-DJ4#sh debugPPP:PPP protocol negotiation debugging is onPPPoE:PPPoE protocol events debugging is onPPPoE control packets debugging is onRouter-DJ4#sh logSyslog logging: enabled (3340 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)No Active Message Discriminator.No Inactive Message Discriminator.Console logging: disabledMonitor logging: level debugging, 0 messages logged, xml disabled,filtering disabledBuffer logging: level debugging, 5280 messages logged, xml disabled,filtering disabledException Logging: size (4096 bytes)Count and timestamp logging messages: disabledPersistent logging: disabledNo active filter modules.Trap logging: level informational, 203 message lines loggedLog Buffer (1000000 bytes):Nov 19 16:08:48.231 IST: PPPoE 0: I PADI R:bb00.1912.0001 L:ffff.ffff.ffff 2 Gi9/5.1contiguous pak, size 60FF FF FF FF FF FF BB 00 19 12 00 01 81 00 00 0288 63 11 09 00 00 00 04 01 01 00 00 00 0A 03 06B6 00 00 01 00 00 00 01 00 00 00 00 00 00 00 0000 00 00 00 00 00 06 F8 00 00 9C 88Nov 19 16:08:48.231 IST: Service tag: NULL TagNov 19 16:08:48.231 IST: PPPoE 0: O PADO, R:a110.0050.0006 L:bb00.1912.0001 1019 Gi9/5.1Nov 19 16:08:48.231 IST: Service tag: NULL Tagcontiguous pak, size 10006 02 00 10 03 FB 28 00 03 80 00 00 44 00 00 0000 00 00 00 00 00 00 00 00 00 00 00 02 04 00 00BB 00 19 12 00 01 A1 10 00 50 00 06 81 00 00 0288 63 11 07 00 00 00 24 01 01 00 00 01 02 00 0852 69 61 7A 2D 44 4A 34 ...Nov 19 16:08:48.231 IST: PPPoE 0: I PADR R:bb00.1912.0001 L:000c.31c9.7000 2 Gi9/5.1contiguous pak, size 6000 0C 31 C9 70 00 BB 00 19 12 00 01 81 00 00 0288 63 11 19 00 00 00 18 01 01 00 00 01 04 00 10E2 DB 75 8D E5 9C 95 C1 83 35 DC 91 B2 14 32 8963 63 65 73 73 2D 70 70 6C 63 70 30Nov 19 16:08:48.231 IST: Service tag: NULL TagNov 19 16:08:48.231 IST: PPPoE : encap string preparedNov 19 16:08:48.231 IST: [40]PPPoE 40: Access IE handle allocatedNov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get retrieved attrsNov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get nas port detailsNov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get dynamic attrsNov 19 16:08:48.231 IST: [40]PPPoE 40: AAA unique ID allocatedNov 19 16:08:48.231 IST: [40]PPPoE 40: No AAA accounting method listNov 19 16:08:48.231 IST: [40]PPPoE 40: Service request sent to SSSNov 19 16:08:48.231 IST: [40]PPPoE 40: Created, Service: None R:000c.31c9.7000 L:bb00.1912.0001 2 Gi9/5.1Nov 19 16:08:48.231 IST: [40]PPPoE 40: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYSNov 19 16:08:48.231 IST: PPP: Alloc Context [19C03860]Nov 19 16:08:48.231 IST: ppp40 PPP: Phase is ESTABLISHINGNov 19 16:08:48.231 IST: [40]PPPoE 40: data path set to PPPNov 19 16:08:48.231 IST: [40]PPPoE 40: Segment (SSS class): PROVISIONNov 19 16:08:48.231 IST: [40]PPPoE 40: State PROVISION_PPP Event SSM PROVISIONEDNov 19 16:08:48.231 IST: [40]PPPoE 40: O PADS R:bb00.1912.0001 L:000c.31c9.7000 1019 Gi9/5.1contiguous pak, size 10000 02 00 10 03 FB 28 00 03 80 00 00 44 00 00 0000 00 00 00 00 00 00 00 00 00 00 00 02 04 00 00BB 00 19 12 00 01 A1 10 00 50 00 06 81 00 00 0288 63 11 65 00 28 00 18 01 01 00 00 01 04 00 10E2 DB 75 8D E5 9C 95 C1 ...Nov 19 16:08:48.231 IST: ppp40 PPP: Using vpn set call directionNov 19 16:08:48.231 IST: ppp40 PPP: Treating connection as a callinNov 19 16:08:48.231 IST: ppp40 PPP: Session handle[28] Session id[40]Nov 19 16:08:48.231 IST: ppp40 LCP: Event[OPEN] State[Initial to Starting]Nov 19 16:08:48.231 IST: ppp40 PPP LCP: Enter passive mode, state[Stopped]Nov 19 16:08:48.231 IST: ppp40 LCP: I CONFREQ [Stopped] id 0 len 14Nov 19 16:08:48.231 IST: ppp40 LCP: MagicNumber 0xA4E30BAF (0x0506A4E30BAF)Nov 19 16:08:48.231 IST: ppp40 LCP: MRU 1492 (0x010405D4)Nov 19 16:08:48.231 IST: ppp40 LCP: O CONFREQ [Stopped] id 1 len 19Nov 19 16:08:48.231 IST: ppp40 LCP: MRU 1492 (0x010405D4)Nov 19 16:08:48.231 IST: ppp40 LCP: AuthProto CHAP (0x0305C22305)Nov 19 16:08:48.235 IST: ppp40 LCP: MagicNumber 0x0F501712 (0x05060F501712)Nov 19 16:08:48.235 IST: ppp40 LCP: O CONFACK [Stopped] id 0 len 14Nov 19 16:08:48.235 IST: ppp40 LCP: MagicNumber 0xA4E30BAF (0x0506A4E30BAF)Nov 19 16:08:48.235 IST: ppp40 LCP: MRU 1492 (0x010405D4)Nov 19 16:08:48.235 IST: ppp40 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]Nov 19 16:08:48.235 IST: ppp40 LCP: I CONFACK [ACKsent] id 1 len 19Nov 19 16:08:48.235 IST: ppp40 LCP: MRU 1492 (0x010405D4)Nov 19 16:08:48.235 IST: ppp40 LCP: AuthProto CHAP (0x0305C22305)Nov 19 16:08:48.235 IST: ppp40 LCP: MagicNumber 0x0F501712 (0x05060F501712)Nov 19 16:08:48.235 IST: ppp40 LCP: Event[Receive ConfAck] State[ACKsent to Open]Nov 19 16:08:48.243 IST: ppp40 PPP: Phase is AUTHENTICATING, by this endNov 19 16:08:48.243 IST: ppp40 CHAP: O CHALLENGE id 1 len 29 from "Router-DJ4"Nov 19 16:08:48.243 IST: ppp40 LCP: State is OpenNov 19 16:08:48.243 IST: ppp40 CHAP: I RESPONSE id 1 len 29 from "PPP_USER"Nov 19 16:08:48.243 IST: ppp40 PPP: Phase is FORWARDING, Attempting ForwardNov 19 16:08:48.243 IST: ppp40 PPP: Phase is AUTHENTICATING, Unauthenticated UserNov 19 16:08:48.243 IST: ppp40 IPCP: Authorizing CPNov 19 16:08:48.243 IST: ppp40 IPCP: CP stalled on event[Authorize CP]Nov 19 16:08:48.243 IST: ppp40 IPCP: CP unstallNov 19 16:08:48.243 IST: ppp40 PPP: Phase is FORWARDING, Attempting ForwardNov 19 16:08:48.243 IST: [40]PPPoE 40: State LCP_NEGOTIATION Event SSS CONNECT LOCALNov 19 16:08:48.247 IST: [40]PPPoE 40: Segment (SSS class): UPDATEDNov 19 16:08:48.247 IST: [40]PPPoE 40: Segment (SSS class): BOUNDNov 19 16:08:48.247 IST: [40]PPPoE 40: data path set to Virtual AcessNov 19 16:08:48.247 IST: [40]PPPoE 40: State LCP_NEGOTIATION Event SSM UPDATEDNov 19 16:08:48.247 IST: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated UserNov 19 16:08:48.247 IST: Vi2.1 CHAP: O SUCCESS id 1 len 4Nov 19 16:08:48.247 IST: [40]PPPoE 40: AAA get dynamic attrsNov 19 16:08:48.247 IST: Vi2.1 PPP: Phase is UPNov 19 16:08:48.247 IST: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]Nov 19 16:08:48.247 IST: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Address 100.0.0.1 (0x030664000001)Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]Nov 19 16:08:48.247 IST: Vi2.1 IPCP: I CONFREQ [REQsent] id 0 len 10Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)Nov 19 16:08:48.247 IST: Vi2.1 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0Nov 19 16:08:48.247 IST: Vi2.1 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 0.0.0.0Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Pool returned 182.0.0.1Nov 19 16:08:48.247 IST: Vi2.1 IPCP: O CONFNAK [REQsent] id 0 len 10Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Address 182.0.0.1 (0x0306B6000001)Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]Nov 19 16:08:48.247 IST: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Address 100.0.0.1 (0x030664000001)Nov 19 16:08:48.247 IST: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]Nov 19 16:08:48.251 IST: [40]PPPoE 40: State PTA_BINDING Event STATIC BIND RESPONSENov 19 16:08:48.251 IST: [40]PPPoE 40: Connected PTANov 19 16:08:48.251 IST: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 1 len 10Nov 19 16:08:48.251 IST: Vi2.1 IPCP: Address 182.0.0.1 (0x0306B6000001)Nov 19 16:08:48.251 IST: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 1 len 10Nov 19 16:08:48.251 IST: Vi2.1 IPCP: Address 182.0.0.1 (0x0306B6000001)Nov 19 16:08:48.251 IST: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[DOWN] State[Open to Starting]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[CLOSE] State[Starting to Initial]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: O CONFREQ [Starting] id 2 len 10Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Address 100.0.0.1 (0x030664000001)Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: I CONFREQ [REQsent] id 2 len 10Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Address 182.0.0.1 (0x0306B6000001)Nov 19 16:08:48.255 IST: Vi2.1 IPCP AUTHOR: Start. Her address 182.0.0.1, we want 182.0.0.1Nov 19 16:08:48.255 IST: Vi2.1 IPCP AUTHOR: Reject 182.0.0.1, using 182.0.0.1Nov 19 16:08:48.255 IST: Vi2.1 IPCP AUTHOR: Done. Her address 182.0.0.1, we want 182.0.0.1Nov 19 16:08:48.255 IST: Vi2.1 IPCP: O CONFACK [REQsent] id 2 len 10Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Address 182.0.0.1 (0x0306B6000001)Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]Nov 19 16:08:48.255 IST: Vi2.1 IPCP: I CONFACK [ACKsent] id 2 len 10Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Address 100.0.0.1 (0x030664000001)Nov 19 16:08:48.255 IST: Vi2.1 IPCP: Event[Receive ConfAck] State[ACKsent to Open]Nov 19 16:08:48.275 IST: Vi2.1 IPCP: State is Open (Indicates that the PPPoE session is up)Nov 19 16:08:48.275 IST: Vi2.1 Added to neighbor route AVL tree: topoid 0, address 182.0.0.1Nov 19 16:08:48.275 IST: Vi2.1 IPCP: Install route to 182.0.0.1Router-DJ4#interface GigabitEthernet9/17.1encapsulation dot1Q 2000ip address 180.0.0.1 255.255.255.0interface GigabitEthernet9/5.1encapsulation dot1Q 2ip address 192.0.0.1 255.255.255.0pppoe enable group dj4_bba_group1aaa new-modelaaa authentication login default group radius localaaa authentication ppp default localaaa authorization network default localaaa authorization subscriber-service default group radiusaaa session-id commonbba-group pppoe dj4_bba_group1virtual-template 1sessions per-vc limit 16000sessions per-mac limit 16000sessions per-vlan limit 8000interface Loopback1ip address 100.0.0.1 255.255.255.255interface Virtual-Template1ip unnumbered Loopback1no logging event link-statuspeer default ip address pool PPPPool_1no snmp trap link-statuskeepalive 300ppp authentication chap•
Router-DJ4#sh pppoe summaryPTA : Locally terminated sessionsFWDED: Forwarded sessionsTRANS: All other sessions (in transient state)TOTAL PTA FWDED TRANSTOTAL 1 1 0 0GigabitEthernet9/5 1 1 0 0Router-DJ4#sh pppoe sesRouter-DJ4#sh pppoe session1 session in LOCALLY_TERMINATED (PTA) State1 session totalUniq ID PPPoE RemMAC Port VT VA StateSID LocMAC VA-st Type42 42 bb00.1912.0001 Gi9/5.1 1 Vi2.1 PTA000c.31c9.7000 VLAN: 2 UPRouter-DJ4#sh sss session uid 42 detailedUnique Session ID: 42Identifier: PPP_USERSIP subscriber access type(s): PPPoE/PPPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:19:04, Last Changed: 00:19:04Interface: Virtual-Access2.1Policy information:Context 137426FC: Handle 2400002AAAA_id 00000038: Flow_handle 0Authentication status: authenDownloaded User profile, excluding services:Framed-Protocol 1 [PPP]username "PPP_USER"Downloaded User profile, including services:Framed-Protocol 1 [PPP]username "PPP_USER"Config history for session (recent to oldest):Access-type: PPP Client: SMPolicy event: Process Config ConnectingProfile name: apply-config-only, 2 referencesFramed-Protocol 1 [PPP]username "PPP_USER"Rules, actions and conditions executed:subscriber rule-map PPPoE-SUBcondition always event session-start1 service localConfiguration sources associated with this session:Interface: Virtual-Template1, Active Time = 00:19:04Router-DJ4# sh pppoe session packetsTotal PPPoE sessions 1SID Pkts-In Pkts-Out Bytes-In Bytes-Out42 12 13 184 190Router-DJ4#Router-DJ4#sh cef int gig 9/5.1GigabitEthernet9/5.1 is up (if_number 80)Corresponding hwidb fast_if_number 80Corresponding hwidb firstsw->if_number 25Internet address is 192.0.0.1/24ICMP redirects are always sentIP unicast RPF check is disabledOutput features: MFIB Adjacency, HW Shortcut InstallationIP policy routing is disabledBGP based policy accounting on input is disabledBGP based policy accounting on output is disabledHardware idb is GigabitEthernet9/5Fast switching type 28, interface type 146IP CEF switching enabledIP CEF switching turbo vectorIP Null turbo vectorIP prefix lookup IPv4 mtrie genericInput fast flags 0x40000000, Output fast flags 0x0ifindex 24(24)Slot 9/0 (9) Slot unit 5 VC -1IP MTU 1500•
aaa new-model!aaa session-id common!interface GigabitEthernet2/9no ip addressload-interval 30!interface GigabitEthernet2/9.1 accessencapsulation dot1Q 2 second-dot1q 2ip address 182.0.0.1 255.255.255.0ip subscriber routedinitiator unclassified ip-address!interface GigabitEthernet2/10no ip addressload-interval 30!interface GigabitEthernet2/10.1encapsulation dot1Q 2000 second-dot1q 2001ip address 180.0.0.1 255.255.255.0!no ip http serverno ip http secure-server!arp 182.0.0.2 aa00.0000.0001 ARPAarp 180.0.0.2 0000.0000.0001 ARPA!•
ISG_NMB#sh debCWAN iEdge RP:CWAN iEdge RP debug debugging is onIP Subscriber:all IP subscriber debugs debugging is onISG_NMB#Nov 19 16:02:46.087 IST: IPSUB_DP: [Gi2/9.1:I:CEF:DFL:21.0.0.1] Packet triggers session initiationNov 19 16:02:46.087 IST: IPSUB_DP: [Gi2/9.1:I:CEF:DFL:21.0.0.1] Packet classified, results = 0x1Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Insert new entry for mac 0000.1500.0001Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Processing new in-band session requestNov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Delete mac entry 0000.1500.0001Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] In-band session request event for sessionNov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Added upstream entry into the classifierNov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] VRF = DFL, IP = 21.0.0.1, MASK = 255.255.255.255Nov 19 16:02:46.087 IST: IPSUB: Try to create a new sessionNov 19 16:02:46.087 IST: IPSUB: IPSUB: Check IP DHCP session recovery: 21.0.0.1 Gi2/9.1 mac aa00.0000.0001Nov 19 16:02:46.087 IST: IPSUB: IPSUB: No DHCP binding foundNov 19 16:02:46.087 IST: IPSUB: [uid:0] IPSUB: Proceed to create the IP inband sessionNov 19 16:02:46.087 IST: IPSUB: [uid:0] Request to create a new sessionNov 19 16:02:46.087 IST: IPSUB: [uid:0] Session start event for sessionNov 19 16:02:46.087 IST: IPSUB: [uid:0] Event session start, state changed from idle to requestingNov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Session init-notification on ActiveNov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Allocated SHDB handle (0xF1000020)Nov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Successfully initialized for HANov 19 16:02:46.087 IST: IPSUB: [uid:32] AAA unique ID allocatedNov 19 16:02:46.087 IST: IPSUB: [uid:32] Added session 21.0.0.1 to L3 session tableNov 19 16:02:46.087 IST: IPSUB: [uid:32] Added session to session table with access session keysNov 19 16:02:46.087 IST: IPSUB: [uid:32] IP session(0x63000020) to be associated to Gi2/9.1Nov 19 16:02:46.087 IST: IPSUB: [uid:32] Inserted IP session(0x63000020) to sessions-per-interface db with interface Gi2/9.1Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Sent message to control plane for in-band session creationNov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Event inband-session, state changed from idle to intiatedNov 19 16:02:46.091 IST: IPSUB: [uid:32] Recieved Message = connect localNov 19 16:02:46.091 IST: IPSUB: [uid:32] Connect Local event for sessionNov 19 16:02:46.091 IST: IPSUB: [uid:32] Event connect local, state changed from requesting to waitingNov 19 16:02:46.091 IST: IPSUB: [uid:32] Inside processing IPSIP infoNov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Checking whether routes to be inserted/removedNov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Context not present, creating contextNov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Entered the sg subrte context allocNov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Returning the sg subrte context 0x1348DD20Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Added Fib Prefix [DFL]: 21.0.0.1/255.255.255.255Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Both IP addresses and VRF are same, no need to add routeNov 19 16:02:46.091 IST: IPSUB: [uid:32] Keys not changed, seg needn't be updatedNov 19 16:02:46.091 IST: IPSUB: [uid:32] Key list to be created to update SMNov 19 16:02:46.091 IST: IPSUB: [uid:32] Created key list to update SMNov 19 16:02:46.091 IST: IPSUB: [uid:32] Session Keys Available event for sessionNov 19 16:02:46.091 IST: IPSUB: [uid:32] Event session keys available, state changed from waiting to provisioningNov 19 16:02:46.091 IST: IPSUB: [uid:32] Access and service keys same, no need to add session with service keysNov 19 16:02:46.091 IST: IPSUB: [uid:32] Data plane prov successful event for sessionNov 19 16:02:46.091 IST: IPSUB: [uid:32] Event dataplane prov successful, state changed from provisioning to connectedNov 19 16:02:46.091 IST: IPSUB: HA[uid:32]: Session up notificationNov 19 16:02:46.091 IST: IPSUB: HA[uid:32]: Session ready to sync data (0xF1000020)Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:0] Setup event for session (session hdl 3858759691)Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Added downstream entry into the classifierNov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] VRF = DFL, IP = 21.0.0.1, MASK = 255.255.255.255Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Session setup successfulNov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Event setup-session, state changed from intiated to establishedNov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Activate event for sessionNov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Event activate-session, state changed from established to connected•
ISG_NMB#sh ip subDisplaying subscribers in the default service vrf:Type Subscriber Identifier Display UID Status--------- ---------------------- ------------ ------routed 21.0.0.1/32 [32] upISG_NMB#ISG_NMB#sh sss sessCurrent Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time32 IP unauthen Local Term 21.0.0.1 00:02:40ISG_NMB#sh sss sess uid 32Unique Session ID: 32Identifier: 21.0.0.1SIP subscriber access type(s): IPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:02:46, Last Changed: 00:02:46Policy information:Authentication status: unauthenConfiguration sources associated with this session:Interface: GigabitEthernet2/9.1, Active Time = 00:02:46ISG_NMB#sh sss sess uid 32 deISG_NMB#sh sss sess uid 32 detailedUnique Session ID: 32Identifier: 21.0.0.1SIP subscriber access type(s): IPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:02:49, Last Changed: 00:02:49Policy information:Context 133B22FC: Handle DF000020AAA_id 00000030: Flow_handle 0Authentication status: unauthenConfiguration sources associated with this session:Interface: GigabitEthernet2/9.1, Active Time = 00:02:49Following details is for a L2-connected DHCP session on Dot1Q interface:-========================================================================•
aaa new-model!!aaa session-id common!!!clock timezone IST 5ip source-route!!ip dhcp excluded-address 182.0.0.11 182.0.0.15no ip dhcp ping packets!ip dhcp pool pool_global1network 182.0.0.0 255.255.255.240lease 0 0 3update arp!!!interface Loopback10ip address 182.0.0.11 255.255.255.255!!interface GigabitEthernet2/9no ip addressload-interval 30!interface GigabitEthernet2/9.1 accessencapsulation dot1Q 2ip unnumbered Loopback10ip subscriber l2-connectedinitiator dhcp class-aware!interface GigabitEthernet2/10no ip addressload-interval 30!interface GigabitEthernet2/10.1encapsulation dot1Q 2000ip address 180.0.0.1 255.255.255.0!!no ip http serverno ip http secure-serverip route 7.0.0.0 255.0.0.0 7.38.0.1ip route 202.153.0.0 255.255.0.0 7.38.0.1!!•
ISG_NMB#sh debDHCP server packet debugging is on.DHCP server event debugging is on.IP Subscriber:IP subscriber events debugging is onIP subscriber errors debugging is onIP subscriber packets debugging is onISG_NMB#Nov 19 15:40:33.595 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Packet classified, results = 0x40Nov 19 15:40:33.595 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Rx driver allowing IP routingNov 19 15:40:33.595 IST: DHCPD: Reload workspace interface GigabitEthernet2/9.1 tableid 0.Nov 19 15:40:33.595 IST: DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0Nov 19 15:40:33.595 IST: DHCPD: client's VPN is .Nov 19 15:40:33.595 IST: DHCPD: Sending notification of DISCOVER:Nov 19 15:40:33.595 IST: DHCPD: htype 1 chaddr aa00.1314.0001Nov 19 15:40:33.595 IST: DHCPD: remote id 020a0000b600000b21010002Nov 19 15:40:33.595 IST: DHCPD: interface = GigabitEthernet2/9.1Nov 19 15:40:33.595 IST: DHCPD: class id 49786961Nov 19 15:40:33.595 IST: IPSUB: Create session keys from SSS key listNov 19 15:40:33.595 IST: IPSUB: Mac_addr = aa00.1314.0001, Recvd Macaddr = aa00.1314.0001Nov 19 15:40:33.599 IST: IPSUB: Session input interface(0x13348754) = GigabitEthernet2/9.1Nov 19 15:40:33.599 IST: IPSUB: SHDB Handle = 5A00000BNov 19 15:40:33.599 IST: IPSUB: Remote_id = 020a0000b600000b21010002Nov 19 15:40:33.599 IST: IPSUB: Vendor_Class_id = IxiaNov 19 15:40:33.599 IST: DHCPD: DHCPDISCOVER received from client 01aa.0013.1400.01 on interface GigabitEthernet2/9.1.Nov 19 15:40:33.599 IST: DHCPD: Sending notification of DISCOVER:Nov 19 15:40:33.599 IST: DHCPD: htype 1 chaddr aa00.1314.0001Nov 19 15:40:33.599 IST: DHCPD: remote id 020a0000b600000b21010002Nov 19 15:40:33.599 IST: DHCPD: interface = GigabitEthernet2/9.1Nov 19 15:40:33.599 IST: DHCPD: class id 49786961Nov 19 15:40:33.599 IST: DHCPD: Saving workspace (ID=0x8900000B)Nov 19 15:40:33.599 IST: DHCPD: New packet workspace 0x1333D0D8 (ID=0x2700000C)Nov 19 15:40:33.599 IST: IPSUB: Try to create a new sessionNov 19 15:40:33.599 IST: IPSUB: [uid:0] Request to create a new sessionNov 19 15:40:33.599 IST: IPSUB: [uid:0] Session start event for sessionNov 19 15:40:33.599 IST: IPSUB: [uid:11] AAA unique ID allocatedNov 19 15:40:33.599 IST: IPSUB: [uid:11] Added session aa00.1314.0001 to L2 session tableNov 19 15:40:33.599 IST: IPSUB: [uid:11] Added session to session table with access session keysNov 19 15:40:33.599 IST: IPSUB: [uid:11] IP session(0xC500000B) to be associated to Gi2/9.1Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Inserted IP session(0xC500000B) to sessions-per-interface db with interface Gi2/9.1Nov 19 15:40:33.599 IST: DHCPD: Callback for workspace (ID=0x8900000B)Nov 19 15:40:33.599 IST: DHCPD: No authentication required. ContinueNov 19 15:40:33.599 IST: DHCPD: Callback: class '' now specified for client 01aa.0013.1400.01Nov 19 15:40:33.599 IST: DHCPD: Reprocessing saved workspace (ID=0x8900000B)Nov 19 15:40:33.599 IST: DHCPD: Reload workspace interface GigabitEthernet2/9.1 tableid 0.Nov 19 15:40:33.599 IST: DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0Nov 19 15:40:33.599 IST: DHCPD: client's VPN is .Nov 19 15:40:33.599 IST: DHCPD: Sending notification of DISCOVER:Nov 19 15:40:33.599 IST: DHCPD: htype 1 chaddr aa00.1314.0001Nov 19 15:40:33.599 IST: DHCPD: remote id 020a0000b600000b21010002Nov 19 15:40:33.599 IST: DHCPD: interface = GigabitEthernet2/9.1Nov 19 15:40:33.599 IST: DHCPD: class id 49786961Nov 19 15:40:33.599 IST: DHCPD: DHCPDISCOVER received from client 01aa.0013.1400.01 on interface GigabitEthernet2/9.1.Nov 19 15:40:33.599 IST: DHCPD: Adding binding to radix tree (182.0.0.1)Nov 19 15:40:33.599 IST: DHCPD: Adding binding to hash treeNov 19 15:40:33.599 IST: DHCPD: assigned IP address 182.0.0.1 to client 01aa.0013.1400.01. (13 1)Nov 19 15:40:33.599 IST: DHCPD: DHCPOFFER notify setup address 182.0.0.1 mask 255.255.255.240Nov 19 15:40:33.599 IST: IPSUB: [uid:11] IP session context 0x133D28C8 available to authorizeNov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Entered allocate feature infoNov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Allocated sg vrfset info 0x13488EE0Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Freeing the sg vrfset info 0x13488EE0Nov 19 15:40:33.599 IST: IPSUB: [uid:11] IPSIP Parsing HostIP: 182.0.0.1 SubnetMask= 255.255.255.255Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Recieved Message = connect localNov 19 15:40:33.599 IST: IPSUB: [uid:11] Connect Local event for sessionNov 19 15:40:33.599 IST: IPSUB: [uid:11] Inside processing IPSIP infoNov 19 15:40:33.599 IST: IPSUB: [uid:11] Processing IPSIP info: 0x1330208C (APPLY)Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Got IP address- IP:-182.0.0.1Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Set IP address- IP:-182.0.0.1Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Applying SG VRFSET infoNov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] DHCP Initiated session, no config, ignoreNov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Checking whether routes to be inserted/removedNov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Context not present, creating contextNov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Entered the sg subrte context allocNov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Returning the sg subrte context 0x1348DD04Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Installed ARP entry [DFL]: 182.0.0.1Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Added Fib Prefix [DFL]: 182.0.0.1/255.255.255.255Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Route insert not required for DHCP hosts with IP unnumbered config on: GigabitEthernet2/9.1Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Both IP addresses and VRF are same, no need to add routeNov 19 15:40:33.599 IST: IPSUB: [uid:11] Found that seg to be updated with new session keysNov 19 15:40:33.599 IST: IPSUB: [uid:11] Key list to be created to update SMNov 19 15:40:33.599 IST: IPSUB: [uid:11] Update IP-Address-VRF key: 182.0.0.1:0Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Created key list to update SMNov 19 15:40:33.599 IST: IPSUB: [uid:11] Found address change to be notifiedNov 19 15:40:33.599 IST: IPSUB: [uid:11] Session Keys Available event for sessionNov 19 15:40:33.603 IST: IPSUB: [uid:11] Added session 182.0.0.1 to L3 session tableNov 19 15:40:33.603 IST: IPSUB: [uid:11] Added session to session table with service session keysNov 19 15:40:33.603 IST: IPSUB: [uid:11] Recieved Message = update SIP configNov 19 15:40:33.603 IST: IPSUB: [uid:11] Config Update event for sessionNov 19 15:40:33.603 IST: IPSUB: [uid:11] Inside processing IPSIP infoNov 19 15:40:33.603 IST: IPSUB-ROUTE: [uid:11] Checking whether routes to be inserted/removedNov 19 15:40:33.603 IST: IPSUB-ROUTE: [uid:11] Ctx present, No config change, Nothing to be doneNov 19 15:40:33.603 IST: IPSUB-ROUTE: [uid:11] Both IP addresses and VRF are same, no need to add routeNov 19 15:40:33.603 IST: IPSUB: [uid:11] Keys not changed, seg needn't be updatedNov 19 15:40:33.603 IST: IPSUB: [uid:11] Key list to be created to update SMNov 19 15:40:33.603 IST: IPSUB: [uid:11] Created key list to update SMNov 19 15:40:33.603 IST: IPSUB: [uid:11] Data plane prov successful event for sessionNov 19 15:40:33.603 IST: IPSUB: [uid:11] Notifying about address change: 182.0.0.1Nov 19 15:40:33.603 IST: DHCPD: Callback for workspace (ID=0x8900000B)Nov 19 15:40:33.603 IST: DHCPD: Callback: switching path now setup for client 01aa.0013.1400.01Nov 19 15:40:33.603 IST: DHCPD: Reprocessing saved workspace (ID=0x8900000B)Nov 19 15:40:33.603 IST: DHCPD: Sending notification of DISCOVER:Nov 19 15:40:33.603 IST: DHCPD: htype 1 chaddr aa00.1314.0001Nov 19 15:40:33.603 IST: DHCPD: remote id 020a0000b600000b21010002Nov 19 15:40:33.603 IST: DHCPD: interface = GigabitEthernet2/9.1Nov 19 15:40:33.603 IST: DHCPD: class id 49786961Nov 19 15:40:33.603 IST: DHCPD: DHCPDISCOVER received from client 01aa.0013.1400.01 on interface GigabitEthernet2/9.1.Nov 19 15:40:33.603 IST: DHCPD: Found previous server bindingNov 19 15:40:33.603 IST: DHCPD: Sending DHCPOFFER to client 01aa.0013.1400.01 (182.0.0.1).Nov 19 15:40:33.603 IST: DHCPD: ARP entry exists (182.0.0.1, aa00.1314.0001).Nov 19 15:40:33.603 IST: DHCPD: unicasting BOOTREPLY to client aa00.1314.0001 (182.0.0.1).Nov 19 15:40:33.603 IST: DHCPD: unicast BOOTREPLY output i/f override GigabitEthernet2/9.1Nov 19 15:40:33.603 IST: IPSUB_DP: [Gi2/9.1:O:PROC:DFL:182.0.0.1] Packet classified, results = 0x0Nov 19 15:40:33.603 IST: DHCPD: removing ARP entry (182.0.0.1 vrf default).Nov 19 15:40:33.603 IST: DHCPD: Freeing saved workspace (ID=0x8900000B)Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Setup event for session (session hdl 0)Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Insert new entry for mac aa00.1314.0001Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Added upstream entry into the classifierNov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] MAC = aa00.1314.0001Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Added downstream entry into the classifierNov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] VRF = DFL, IP = 182.0.0.1, MASK = 255.255.255.255Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Session setup successfulNov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Sent update msg to the control planeNov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Activate event for sessionNov 19 15:40:33.603 IST: IPSUB: [uid:11] Data plane prov successful event for sessionNov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Found mac entry aa00.1314.0001Nov 19 15:40:33.603 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Packet classified, results = 0x40Nov 19 15:40:33.603 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Rx driver allowing IP routingNov 19 15:40:33.603 IST: DHCPD: input i/f override GigabitEthernet2/9.1 for clientNov 19 15:40:33.603 IST: DHCPD: Reload workspace interface GigabitEthernet2/9.1 tableid 0.Nov 19 15:40:33.603 IST: DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0Nov 19 15:40:33.603 IST: DHCPD: client's VPN is .Nov 19 15:40:33.603 IST: DHCPD: DHCPREQUEST received from client 01aa.0013.1400.01.Nov 19 15:40:33.603 IST: DHCPD: Sending notification of ASSIGNMENT:Nov 19 15:40:33.603 IST: DHCPD: address 182.0.0.1 mask 255.255.255.240Nov 19 15:40:33.603 IST: DHCPD: htype 1 chaddr aa00.1314.0001Nov 19 15:40:33.603 IST: DHCPD: lease time remaining (secs) = 180Nov 19 15:40:33.603 IST: DHCPD: interface = GigabitEthernet2/9.1Nov 19 15:40:33.603 IST: DHCPD: Sending DHCPACK to client 01aa.0013.1400.01 (182.0.0.1).Nov 19 15:40:33.603 IST: DHCPD: lease time = 180Nov 19 15:40:33.603 IST: DHCPD: dhcpd_lookup_route: host = 182.0.0.1Nov 19 15:40:33.603 IST: DHCPD: dhcpd_lookup_route: index = 183Nov 19 15:40:33.603 IST: DHCPD: dhcpd_create_and_hash_route: host = 182.0.0.1Nov 19 15:40:33.603 IST: DHCPD: dhcpd_create_and_hash_route index = 183Nov 19 15:40:33.603 IST: DHCPD: dhcpd_add_route: lease = 180Nov 19 15:40:33.607 IST: DHCPD: ARP entry exists (182.0.0.1, aa00.1314.0001).Nov 19 15:40:33.607 IST: DHCPD: Changing arp entry 182.0.0.1 to secure arp entryNov 19 15:40:33.607 IST: DHCPD: Failed to secure arp entry 182.0.0.1Nov 19 15:40:33.607 IST: DHCPD: unicasting BOOTREPLY to client aa00.1314.0001 (182.0.0.1).Nov 19 15:40:33.607 IST: DHCPD: unicast BOOTREPLY output i/f override GigabitEthernet2/9.1Nov 19 15:40:33.607 IST: IPSUB_DP: [Gi2/9.1:O:PROC:DFL:182.0.0.1] Packet classified, results = 0x10•
ISG_NMB#sh ip dhcp bindingBindings from all pools not associated with VRF:IP address Client-ID/ Lease expiration TypeHardware address/User name182.0.0.1 01aa.0013.1400.01 Nov 19 2009 03:45 PM AutomaticISG_NMB#sh sss sessionCurrent Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time11 IP unauthen Local Term aa00.1314.0001 00:00:58ISG_NMB#sh sss session uid 11Unique Session ID: 11Identifier: aa00.1314.0001SIP subscriber access type(s): IPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:01:04, Last Changed: 00:01:04Policy information:Authentication status: unauthenConfiguration sources associated with this session:Interface: GigabitEthernet2/9.1, Active Time = 00:01:04ISG_NMB#sh sss session uid 11 deUnique Session ID: 11Identifier: aa00.1314.0001SIP subscriber access type(s): IPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:01:07, Last Changed: 00:01:07Policy information:Context 133B2154: Handle 9000000BAAA_id 00000017: Flow_handle 0Authentication status: unauthenConfiguration sources associated with this session:Interface: GigabitEthernet2/9.1, Active Time = 00:01:07Troubleshooting
The following troubleshooting scenarios are applicable to the broadband technology area:
Per Subscriber Session Call Admission Control (CAC)
In broadband networks, ISG might receive a large number of incoming requests during peak hours. Each session that attempts to establish a connection on the ISG consumes a considerable amount of CPU and memory resources of the ISG. External resources, such as a remote authentication dial in user service (RADIUS) might not be able to handle all the requests that ISG generates. Accepting too many calls might make the router inefficient in its operation, overloading its own CPU, and also RADIUS. Per subscriber session CAC is a function that protects the router and external peripherals from getting overloaded by limiting the number of incoming calls based on CPU and session charges that a router can establish.
The route processor (RP) in the ISG checks CPU utilization and session charges to determine if a call should be accepted or rejected as follows:
•
•
Restrictions and Guidelines
The restrictions and guidelines for per subscriber session CAC is given as follows:
•
•
Implementing CAC
The CAC implementation impacts two queues - the First Sign of Life (FSOL) queue and the FSOL control queue. The default values for the FSOL queue and FSOL control queue are given in Table 4-43.
Whenever the CAC starts, the configured queue values for the actual FSOL and FSOL control queues are saved and the default values in Table 4-43 are installed on the line card. Whenever the CAC is stopped, the configured values (the values that are saved when the CAC is started) are restored. You can use the hw-module slot slot_num rate-limit fsol_rate rate command to configure the queue values. If you execute the command and configure the queue values while CAC is on, the new values overwrite the existing queue values that are saved and when the CAC is stopped, the new values are installed.
The CAC is implemented at the queue level even though the configuration accepts rate limit. The configuration changes are applied on a per network processor (NP) basis.
Table 4-43 Default Values for the FSOL Queues
Actual FSOL
100
40000
Off
FSOL control
900
360000
Off
Actual FSOL
100
4000
On
FSOL control
900
36000
On
Configuring Per Subscriber Session CAC
To configure per subscriber session CAC, perform these steps:
Summary Steps
1.
2.
3.
4.
or
5.
6.
7.
Detailed Steps
Configuration Example
The following example configures a charge of 10 per session and a call admission limit of 50, which allows calls at a rate of 5 calls per second:
Router# enableRouter# configure terminalRouter(config)# call admission new-modelRouter(config)# call admission limit 50Router(config)# call admission pppoe 10 1Router# endVerifying and Monitoring Per Subscriber Session CAC
To verify and monitor per subscriber session CAC, use either of these commands in privileged EXEC mode:
Configuring Private Host on Pseudoport on CWAN Cards
The Private Hosts feature allows automatic insertion of router Switched Virtual Interface (SVI) MAC into the Private Hosts configuration. Private Hosts track the Layer 2 port that a server is connected to and limits undesired traffic through the MAC-layer ACLs. Hosts can carry multiple traffic types through the trunk port, remain isolated from each other, and still communicate to a common server. For more information on this feature and on Private Hosts, see Cisco 7600 Series Cisco IOS Software Configuration Guide, 15.0SR at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/pacl.html
Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs
UDLD (Unidirectional Link Detection) is a Layer 2 protocol that interacts with a Layer 1 protocol to determine the physical status of a link. At Layer 1, physical signaling and fault detection is auto-negotiated. UDLD detects the neighbor link, identifies, and disables the wrongly connected LAN ports. When you enable auto-negotiation and UDLD, Layer 1 and Layer 2 detections prevent physical and logical unidirectional connections, and malfunctioning of other protocols.
A unidirectional link occurs when the neighbor link receives the traffic transmitted by the local device, but the local device does not receive the transmitted traffic from its neighbor. If auto-negotiation is active, and one of the fiber strands in a pair is disconnected, the link is disabled. The logical link is undetermined, and UDLD does not take any action. At Layer 1, if both fibers are normal, UDLD at Layer 2 determines if the fibers are accurately connected, and traffic is relayed bidirectionally between the right neighbors. In this scenario, auto-negotiation operates in Layer 1, and the link status is unchecked.
The UDLD protocol monitors physical configuration of the cables, and detects unidirectional links of devices connected to LAN ports via Ethernet cables. When a unidirectional link is detected, UDLD disables the affected LAN port, and alerts the user.
The Cisco 7600 series router periodically transmits UDLD packets to neighboring devices on LAN ports with UDLD. If the packets are returned within a specific time frame, and there is no acknowledgement, the link is flagged as unidirectional, and the LAN port is disabled.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring UDLD on ports with EVCs:
•
•
•
•
•
Note
For more information on UDLD, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SR at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/udld.html
Configuring UDLD Aggressive Mode
As UDLD aggressive mode is disabled by default, you can configure UDLD aggressive mode in point-to-point links between network devices that support UDLD aggressive mode.
When UDLD aggressive mode is enabled:
•
•
•
To prevent spanning tree loops, ensure that you set the non aggressive UDLD value interval to 15 seconds. This disables the unidirectional link before blocking the port transitions in the forwarding state (with default spanning tree parameters).
The benefits of enabling UDLD aggressive mode are:
•
•
In the above scenario, UDLD aggressive mode disables the port that prevents traffic from being discarded.
Enabling UDLD on Ports With EVC Configured
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Disabling Individual UDLD on Ports With EVC Configured
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Resetting Disabled UDLD on Ports With EVC Configured
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
udld reset
Example:Router# udld resetResets all the LAN ports disabled by UDLD.
Example
This example displays the global configuration values at router 1:
Router(config)#udld enableThis example displays the ESM20 port at router 1:
Router(config)# inter gi 2/0/1Router(config-if)# udld port aggressiveRouter(config-if)# service instance 1 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# rewrite ingess tag translate 1-to2 dot1q 5 second-dot1q 5 symmetricRouter(config-if-srv)# bridge-domain 100This example displays the configuration for a port that is part of a port channel:Router(config)#interface Port-channel1Router(config-if)#no ip addressRouter(config-if)#service instance 1 ethernetRouter(config-if)#encapsulation untaggedRouter(config-if)#bridge-domain 100Router(config)#interface GigabitEthernet3/0/13Router(config-if)#ip arp inspection limit noneRouter(config-if)#no ip addressRouter(config-if)#udld port aggressiveRouter(config-if)#no mls qos trustRouter(config-if)#channel-group 1 mode onVerification
Use the show udld and show udld interface commands to verify the UDLD configuration:
Router(config)show udld gi 3/0/13Interface Gi1/3---Port enable administrative configuration setting: Enabled / in aggressive modePort enable operational state: Enabled / in aggressive modeCurrent bidirectional state: BidirectionalCurrent operational state: Advertisement - Single neighbor detectedMessage interval: 15Time out interval: 5Entry 1---Expiration time: 37Cache Device index: 1Current neighbor state: BidirectionalDevice ID: 011932118C0Port ID: Gi1/1Neighbor echo 1 device: 0FF71CA880Neighbor echo 1 port: Gi1/3Message interval: 15Time out interval: 5CDP Device name: rish2Dynamic Ethernet Service Activation
Dynamic Ethernet Service Activation (DESA) is an integration of Ethernet Virtual Connection (EVC) and Intelligent Service Gateway (ISG) to automate the provisioning of Layer 2 services in carrier ethernet networks. Effective from Cisco IOS release 15.1(2)S, ethernet accounting and dynamic Layer 2 session provisioning functions of the DESA are supported.
Ethernet accounting exposes the ethernet traffic to billing systems through accounting interfaces and policies. Using ethernet accounting, service providers can track the usage of the services, create usage based or prepaid service profiles, and provide a traceable accountability for SLA enforcement.
Dynamic Layer 2 provisioning reduces the operating expenses for service providers by easing the provisioning process and also allows them to play an active role in defining their services. Dynamic Layer 2 provisioning exposes the creation of Layer 2 services to the Authentication Authorization and Accounting (AAA) subsystem to enable centralized service policy initiation and customizes service profiles. After receiving the First Sign of Life (FSOL) frames, the creation and provisioning of Layer 2 customer interfaces is automated after proper authentication and authorization.
Restrictions and Usage Guidelines
Follow these restrictions and guidelines for configuring DESA:
•
•
•
Note
Configuring Dynamic Ethernet Service Activation Support on C7600
The configuration steps for DESA vary depending on whether you are creating a dynamic ethernet session or static ethernet session.
Configuring DESA for a Dynamic Ethernet Session
Complete these steps to configure DESA for a dynamic ethernet session.
Summary Steps
1.
2.
3.
4.
5.
6.
or
interface tengigabit ethernet slot/port
7.
8.
9.
10.
11.
12.
Detailed Steps
Configuration Steps for a Static Ethernet Session
Complete these steps to configure DESA for a static ethernet session.
Summary Steps
1.
2.
3.
4.
5.
6.
or
interface tengigabit ethernet slot/port
7.
8.
9.
10.
11.
12.
13.
Detailed Steps
Configuration Example
This example shows how to create a service policy and configures DESA for a dynamic ethernet session.
Router# enableRouter# configure terminalRouter(config)# aaa authorization nextwork group default radiusRouter(config)# aaa authorization subscriber-service default local group radiusRouter(config)# radius-server host 172.29.39.46 key rad123 Router(config)# policy map type control policy1Router(config-control-policymap)# control always event session startRouter(config-control-policymap-class-control)# 1 authorize identifier stag-type plus stag-vlan-idRouter(config)# interface GigabitEthernet 1/1Router(config-if)# service instance dynamic 4 ethernetRouter(config-if-srv)# encapsulation dot1q 100 second-dot1q 2001-4000Router(config-if-srv)# ethernet subscriber session maximum limit 100Router(config-if-srv)# initiator unclassified vlanRouter(config-if-srv)# service-policy type control policy1Router(config-if-srv)# endThis example shows how to configure DESA for a static ethernet session.
Router# enableRouter# configure terminalRouter(config)# policy map type control policy2Router(config-control-policymap)# control always event session startRouter(config-control-policymap-class-control)# 1 service-policy type service name policy2Router(config)# interface GigabitEthernet 1/1Router(config-if)# no ip addressRouter(config-if)# service instance 2 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# ethernet subscriber staticRouter(config-if-srv)# service-policy type control policy2Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# end
Verifying DESA
To verify the DESA feature, use these commands in privileged EXEC mode.
Troubleshooting DESA
To troubleshoot the DESA feature, use these debug commands.
Control Plane Protection on Non Access Subinterfaces
A router is segmented into three planes of operation, each with a clearly defined objective. The data plane to forward data packets, the control plane to route the data correctly, and the management plane to manage network elements.
The Cisco 7600 ES+ line card forwards any control plane traffic during data transmission to the route processor (RP). If there is a continuous stream of control packets to the Cisco 7600 router, all the packets are forwarded to the RP in the router. If the packet rate is high, the control packet flow consumes the processing capacity, memory, buffers and other critical system resources, and the RP functionality is impacted. Control Plane Protection (COPP) is a mechanism to control the traffic destined to the RP from non access sub interfaces of the ES+ line card using QoS policies.
COPP is already supported on access sub interfaces and the main interfaces. Effective from Cisco IOS release 15.1(2)S, COPP on non access sub interfaces is also supported on the ES+ line card.
Restrictions and Usage Guidelines
Follow these restrictions and guidelines for configuring COPP on a non access subinterface is given as follows:
•
•
•
•
Configuring COPP on a Non Access Subinterface
Complete these steps to configure COPP on a non access subinterface.
Summary Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Detailed Steps
Configuration Example
This example shows how to configure COPP on a non access sub interface. In the example, a class map cmap is created to specify the matching criteria. Then a policy map pmap that describes the policing to be applied, is created and the service policy is applied on the control plane user interface.
Router# enableRouter# configure terminalRouter(config)# class-map match-all cmapRouter(config-cmap)# match protocol dhcp
Router(config-cmap)# match subscriber access
Router(config-cmap)# policy-map pmap
Router(config-pmap)# class cmap
Router(config-pmap-c)# police cir 300000
Router(config)# control-plane user-type access
Router(config-cp-user)# service-policy input pmap
Router(config)# interface gigabit ethernet 1/2.1
Router(config-subif)# encapsulation dot1q 400
Router(config-subif)# ip subscriber l2-connected
Router(config-subscriber)# initiator dhcp
Router(config-subscriber)# end
Verifying COPP on a Non Access Sub Interface
To verify the COPP on a non access subinterface, you can use the following commands in privileged EXEC mode:
BFD Scale Improvement on ES+ Line Card for 7600
Bidirectional Forwarding Detection (BFD) scale improvement feature provides the functionality to offload a BFD session to an ES+ line card. BFD is a forwarding path failure detection protocol and reduces the overall network convergence time by sending rapid failure detection packets (messages) to the routing protocols for recalculating the routing table. Before Release 15.1(2)S, a BFD session was run as a software component on the Route Processor (RP). Hence, the performance of BFD was restricted to the capabilities of CPU and IOS on the RP on the Cisco 7600 Router. Effective failure detection requires BFD to run at high frequencies (using aggressive timers as low as 50ms), which was not possible because of CPU and IOS restrictions. Effective with Cisco IOS Release 15.1(2) S, apart from running a BFD session on the RP, you can also offload a BFD session to the ES+ line card based on specific conditions listed in the "Restrictions for BFD Scale Improvement" section.
Note
Note
Offloading a BFD session to an ES+ line card allows you to utilize the hardware resources and capabilities of an ES+ line card, and also distribute the processing load between RP and ES+ line card. It allows you to scale up to 2000 BFD sessions for each Cisco 7600 series router.
Note
BFD Sessions Supported on RSP720 Versions
Table 4-44 lists the number of IPv4 HW BFD sessions supported on various Route Switch Processor 720 (RSP 720) versions.
Table 4-44 IPv4 HW BFD Sessions Supported on Various RSP720 Versions
OSPF BFD session scale number1
1200
2000
1200
2000
1200
2000
1200
2000
Static route BFD session scale number
2000
2000
2000
2000
2000
2000
2000
2000
1 The scale numbers are valid only for the HW BFD sessions on the box and not software BFD session.
Note
Table 4-45 lists the number of software BFD sessions supported on the various RSP720 versions.
Table 4-45 Software BFD Sessions Supported on the Various RSP720 Versions
50*3ms
128
999*3 ms
512
1 These numbers are valid only for the software BFD session on the box and not hardware BFD session.
Table 4-46 lists the number of sessions supported for each type of line card:
Table 4-46 Sessions Supported on Line Cards
SSO Behavior
A BFD session supports Stateful Switchover (SSO) when offloaded to the ES+ line card. For a BFD session running on the RP, the minimum supported transmit (Tx) and receive (Rx) timer value for SSO is 500ms. When a session is offloaded to an ES+ line card, the minimum supported Tx and Rx timer value for SSO is 50ms. Usually, a BFD session offloaded to an ES+ line card is not affected during an SSO. However, these scenarios may be observed:
•
•
Restrictions for BFD Scale Improvement
The following restrictionsapply for BFD scale improvement:
•
•
•
•
•
•
•
•
–
–
–
•
•
•
•
•
•
•
•
•
–
–
•
•
Note
Note
Configuring BFD Hardware Offload for 7600
The BFD offload functionality is enabled by default. You can configure BFD hardware offload on the route processor. For more information, see Bidirectional Forwarding Detection.
Troubleshooting BFD Hardware Offload
Table 4-47 provides troubleshooting solutions for the BFD scale improvement issues:
Table 4-47 Troubleshooting BFD Scale Improvement
BFD session repeatedly goes up and down, or fails to come up.
Complete these steps and report the findings to the TAC team:
1.
2.
3.
4.
5.
6.
For further debugging, enable the debug CLIs with the console logging function disableds and use these commands on the RP:
•
•
•
Use these commands on the line card:
•
•
•
Note
Unable to offload an existing session to hardware even though it already existed in the hardware. Usually, hardware offload reconfiguration include these steps:
1.
2.
3.
The BFD session is offloaded to IOS immediately after reconfiguring the bfd interval and before the no bfd echo command. Hence, the command to enable non-echo mode is not considered while initializing a session on the IOS.
Complete these steps to successfully offload an existing session to ES+ line card for a OSPF router:
1.
2.
3.
4.
5.
Unable to offload a static route BFD session from IOS to ES+ line card.
Complete these steps to offload a static route BFD session from IOS to ES+ line card:
1.
2.
router (config)# no ip route static bfd interface-type interface-num- ber gatewayor
router (config)# no ip route [vrf vrf-name] prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]3.
4.
5.
router (config)# ip route static bfd interface-type interface-number gatewayor
router (config)# ip route [vrf vrf-name] prefix mask {ip-address | in- terface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]
