Table Of Contents
Configuring Layer 1 and Layer 2 Features
Cisco 7600 Synchronous Ethernet Support
SSM and ESMC
Synchronization Status Message
Ethernet Synchronization Messaging Channel
Restrictions and Usage Guidelines
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
Configuring the Clock Recovery from SyncE
Configuring the Clock Recovery from BITS Port
Configuring the System to External
Configuring the Line to External
Managing Synchronization on ES+ Card
Verification
Troubleshooting the Synchronous Ethernet configuration
Troubleshooting
Flexible QinQ Mapping and Service Awareness
Restrictions and Usage Guidelines
Examples
Double Tag VLAN Connect
Selective QinQ with Xconnect
Selective QinQ with Layer 2 Switching
Double Tag Translation (2-to-2 Tag Translation)
Double Tag Termination (2 to 1 Tag Translation)
Verification
Troubleshooting
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
Restrictions and Usage Guidelines
Examples
Single Tag Termination Example
Single Tag Tunneling Example
Single Tag Translation Example
Double Tag Tunneling Example
Double Tag Termination Configuration Example
Double-Tag Translation Configuration Example
Selective QinQ Configuration Example
Untagged Traffic Configuration Example
MPBE with Split Horizon Configuration Example
Verification
Backup Interface for Flexible UNI
Restriction and Usage Guidelines
Verification
Example
Troubleshooting
EVC On Port-Channel
Restrictions and Usage Guidelines
Troubleshooting
Configuring SPAN on EVC
Restrictions and Usage Guidelines
Configuring SPAN on EVC
Sample Configuration
Verifying SPAN on EVC
Troubleshooting
Information About ERSPAN on EVC
Restrictions for ERSPAN on EVC Configuration
Configuring the Source Session for ERSPAN on EVC
Configuration Examples for ERSPAN on EVC Source Session
Configuring the Destination Session for ERSPAN on EVC
ERSPAN on EVC: Destination Session Configuration Example
Verification of ERSPAN on EVC Configuration
Verification Example for ERSPAN on EVC
LACP Support for EVC Port Channel
Restrictions and Usage Guidelines
Verification
Troubleshooting
Configuring Layer 2 Access Control Lists (ACLs) on an EVC
Restrictions and Usage Guidelines
Creating a Layer 2 Access Control List
SUMMARY STEPS
DETAILED STEPS
Applying a Layer 2 Access Control List
SUMMARY STEPS
DETAILED STEPS
DHCP Snooping with Option-82 on EVC
Restrictions and Usage Guidelines
Example
Verification
Troubleshooting
DHCP Snooping Over p-mLACP
DHCP Snooping State Synchronization
Restrictions for DHCP Snooping over p-mLACP
Troubleshooting Tips
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization
IGMP Snooping State Synchronization
Restrictions for p-mLACP IGMP Snooping State Synchronization
Troubleshooting Tips
IP Source Guard for Service Instance
Restrictions and Usage Guidelines
Configuring IP Source Guard for a Service Instance
Example
Verification
Troubleshooting
Configuring MST on EVC Bridge Domain
Overview of MST and STP
Overview of MST on EVC Bridge Domain
Restrictions and Usage Guidelines
Examples
Verification
Troubleshooting
Configuring Link State Tracking (LST)
Restrictions and Usage Guidelines
Configuring Link State Tracking
Verification
Troubleshooting the Link State Tracking
MAC Address Security for EVC Bridge Domain
Restrictions and Usage Guidelines
Enabling MAC Address Security for EVC Bridge Domain
Disabling MAC Address Security for EVC Bridge Domain on an EFP
Examples
Configuring MAC Address Whitelist on an EFP
Configuring Sticky MAC Addresses on an EFP
Configuring Secure MAC Address Aging on an EFP
Configuring MAC Address Limiting on EFP
Configuring MAC Address Limiting on a Bridge Domain
Configuring Violation Response on an EFP
Examples
Error Recovery
Manual Recovery
Automatic recovery
Verification
Troubleshooting
CFM and PVST Co-Existence
Restrictions and Usage Guidelines
Configuring PVST and CFM Co-Existence
Configuring GVRP and CFM Co-Existence
Configuring PVST and GVRP Co-Existence
Verification
Custom Ethertype for EVC Interfaces
Supported Rewrite Rules for a Custom Ethertype Configuration
Supported Rewrites for Non-Range on C-Tag with a NNI
Supported Rewrites for Range on C-Tag with a NNI
Restrictions and Usage Guidelines
Examples
Single Tag Encap with Connect with Custom Ethertype Configured
Single Tag Encap with Bridge Domain
Single Tag Encap with XConnect
Custom Ethertype Support with Sub Interfaces
Verification
Troubleshooting
GE LAG with LACP on UNI with Advanced Load Balancing
Restrictions and Usage Guidelines
Configuring GE Link Aggregation with Advanced Load Balancing
Example
Verification
Troubleshooting Load Balancing Features
Storm Control on Switchports and Ports Having EVCs
Detecting a Broadcast Storm
Restrictions and Usage Guidelines
Configuring Storm Control on Ports with EVC Configurations
Example
Configuring Storm Control on Switchports
Example
Configuring Storm Control on Port Channels
Example
Verification
Storm Control over EVC
Restrictions for Storm Control over EVC
Configuring Storm Control over EVC
Detailed Steps
Examples
Verification
Asymmetric Carrier-Delay
Restrictions and Usage Guidelines
Configuring Asymmetric Carrier Delay
Verification
Manual Load Balancing for EVC over Port-Channel/LACP
Restrictions and Usage Guidelines
Configuring Manual Load Balancing for EVC over Port-Channel/LACP
Example
Verification
EVC Port Channel Per Flow Load Balancing
Restrictions
Configuring EVC Port Channel Per Flow Load Balancing
Summary Steps
Detailed Steps
Example
Verification
Configuring Layer 3 and Layer 4 ACLs
Configuration Examples
Verification
Multichassis Support for LACP
Requirements and Restrictions
Pseudo MLACP Support on Cisco 7600
Failover Operations
Failure Recovery
Restrictions for PMLACP on Cisco 7600
Configuring PMLACP on Cisco 7600
Configuration Examples
Verification
Troubleshooting Tips
Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Restrictions for L2TPv3
Configuring L2TPv3
Troubleshooting Tips
Reverse L2GP for Cisco 7600
Restrictions and Usage Guidelines
Configuring Reverse L2GP for 7600
Configuring MST
Configuring the RL2GP Instance
Attaching the RL2GP Instance to a Port
Configuring the VPLS Pseudo Wire
Examples
Troubleshooting
Configuring Static MAC Binding to EVCs and Pseudowires
Restrictions and Usage Guidelines
Configuring Static MAC over EFP for the Cisco 7600 Router
Configuring MPLS on Core-Facing Interface
Configuring Static MAC over Pseudowire for the Cisco 7600 Router
Troubleshooting
Configuring Resilient Ethernet Protocol
REP Edge No-Neighbor
Configuring REP over Ethernet Virtual Circuit
Restrictions and Usage Guidelines
Configuring REP over EVC for the Cisco 7600 Router
Configuring REP over EVC using cross-connect on the Cisco 7600 Router
Configuring REP over EVC using connect for the Cisco 7600 Router
Configuring REP over EVC using bridge-domain for the Cisco 7600 Router
Configuring Resilient Ethernet Protocol Configurable Timers
Restrictions and Usage Guidelines
Configuring REP Configurable Timers for the Cisco 7600 Router
Configuring the REP Link Status Layer Retries
Configuring the REP Link Status Layer Age Out Timer
Troubleshooting the REP
IEEE 802.1ag-2007 Compliant CFM
Supported Line Cards
Scalable Limits
Restrictions and Usage Guidelines
Example
CFM over EFP Interface with xconnect
Restrictions and Usage Guidelines
Configuring CFM over EFP with xconnect for the Cisco 7600 Router
Configuring CFM over EFP Interface with Cross Connect—Basic Configuration
Configuring CFM over EFP Interface with Cross Connect—Single Tag VLAN Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Double Tag VLAN Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Selective QinQ Cross Connect
Configuring CFM over EFP Interface with Cross Connect—Port-Based Cross Connect Tunnel
Configuring CFM over EFP Interface with Cross Connect—Port Channel-Based Cross Connect Tunnel
Configuring CFM over EFP Interface with xconnect—Port Channel-Based xconnect Tunnel
Verification
Troubleshooting CFM Features
802.1ah: Configuring the MAC Tunneling Protocol
MTP Software Architecture
IB Backbone Edge Bridge
Data Plane Processing
MTP Configuration
Scalability Information
Restrictions and Usage Guidelines
Configuring the MTP for the Cisco 7600 Router
Troubleshooting
802.3ah: Dying Gasp and Remote Loopback Initiation
Restrictions for Dying Gasp and Remote Loopback Initiation
Configuring the Remote Loopback
Configuring the Dying Gasp
Configuration Examples
Verification
Support for IEEE 802.1ad
Prerequisites for IEEE 802.1ad
Restrictions for IEEE 802.1ad
Information About IEEE 802.1ad
How Provider Bridges Work
S-Bridge Component
C-Bridge Component
MAC Addresses for Layer 2 Protocols
Guidelines for Handling BPDU
7600 Action Table
Interoperability of QinQ and Dot1ad
How to Configure IEEE 802.1ad
Configuring a Switchport
Configuring a Layer 2 Protocol Forward
Configuring a Switchport for Translating QinQ to 802.1ad
Configuring a Switchport (L2PT)
Configuring a Customer-Facing UNI-C Port with EVC
Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC
Configuring a Customer-Facing UNI-S Port with EVC
Configuring a Layer 3 Termination
Displaying a Dot1ad Configuration
Troubleshooting Dot1ad
ITU-T G.8032 Ethernet Ring Protection Switching
G.8032 overview
Single Ring Topology
Multiple Rings Topology
G.8032 Node Components
Restrictions
Failure Detection
R-APS Control message Processing
R-APS Packet Format
R-APS Packet Transmission Rules
TCN Processing
HA/ISSU support
Configuring the ITU-T G.8032 Feature
Y.1731 Performance Monitoring
Connectivity
Frame Delay and Frame Delay Variation
Frame Loss Ratio and Availability
Supported Interfaces
Restrictions and Usage Guidelines
Configuring One Way Delay Measurement
Summary Steps
Detailed Steps
Configuration Example
Configuring Two-Way Delay Measurement
Summary Steps
Detailed Steps
Configuration Example
Configuring Single Ended Frame Loss Measurement
Summary Steps
Detailed Steps
Configuration Example
Configuring Single Ended SLM-Continuous
Summary Steps
Detailed Steps
Configuration Example
Configuring Single Ended SLM-Bursts
Summary Steps
Detailed Steps
Configuration Example
Verifying the Frame Delay and Frame Loss Measurement Configurations
Troubleshooting
IP and PPPoE Session Support
IP Address Assignment
IP Subnet (IP Range) Sessions
IP Interface Sessions
PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)
PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer Ethertype
Restrictions and Usage Guidelines
Verification
Troubleshooting
Per Subscriber Session Call Admission Control (CAC)
Restrictions and Guidelines
Implementing CAC
Configuring Per Subscriber Session CAC
Summary Steps
Detailed Steps
Configuration Example
Verifying and Monitoring Per Subscriber Session CAC
Configuring Private Host on Pseudoport on CWAN Cards
Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs
Restrictions and Usage Guidelines
Configuring UDLD Aggressive Mode
Enabling UDLD on Ports With EVC Configured
Disabling Individual UDLD on Ports With EVC Configured
Resetting Disabled UDLD on Ports With EVC Configured
Verification
Dynamic Ethernet Service Activation
Restrictions and Usage Guidelines
Configuring Dynamic Ethernet Service Activation Support on C7600
Configuring DESA for a Dynamic Ethernet Session
Detailed Steps
Configuration Steps for a Static Ethernet Session
Configuration Example
Verifying DESA
Troubleshooting DESA
Control Plane Protection on Non Access Subinterfaces
Restrictions and Usage Guidelines
Configuring COPP on a Non Access Subinterface
Summary Steps
Detailed Steps
Configuration Example
Verifying COPP on a Non Access Sub Interface
BFD Scale Improvement on ES+ Line Card for 7600
BFD Sessions Supported on RSP720 Versions
SSO Behavior
Restrictions for BFD Scale Improvement
Configuring BFD Hardware Offload for 7600
Configuring BFD Hardware Offload for HSRP IPv4
Configuration Example
Verification
BFD Template Support for IPv4 and IPv6
Restrictions for BFD Template Support
Restrictions for 10*3 BFD Timers
BFD Sessions Supported for 10*3 Timers
Using the BFD Template
Configuration Examples
Verification
Troubleshooting BFD Hardware Offload
Ethernet Data Plane Loopback
Restrictions for Ethernet Data Plane Loopback
Configuring the Ethernet Data Plane Loopback
Configuration Examples for Ethernet Data Plane Loopback
Verification
Configuring Layer 1 and Layer 2 Features
This chapter provides information about configuring layer 1 and layer 2 features on the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series router. It includes the following topics:
• Cisco 7600 Synchronous Ethernet Support
• Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
• Backup Interface for Flexible UNI
• EVC On Port-Channel
• Configuring SPAN on EVC
• Configuring Layer 2 Access Control Lists (ACLs) on an EVC
• Configuring MST on EVC Bridge Domain
• Configuring Link State Tracking (LST)
• MAC Address Security for EVC Bridge Domain
• CFM and PVST Co-Existence
• Custom Ethertype for EVC Interfaces
• Storm Control on Switchports and Ports Having EVCs
• Storm Control over EVC
• Asymmetric Carrier-Delay
• Manual Load Balancing for EVC over Port-Channel/LACP
• EVC Port Channel Per Flow Load Balancing
• Multichassis Support for LACP
• Pseudo MLACP Support on Cisco 7600
• Layer 2 Tunneling Protocol Version 3 (L2TPv3)
• Reverse L2GP for Cisco 7600
• Configuring Resilient Ethernet Protocol
• IEEE 802.1ag-2007 Compliant CFM
• 802.1ah: Configuring the MAC Tunneling Protocol
• 802.3ah: Dying Gasp and Remote Loopback Initiation
• Support for IEEE 802.1ad
• ITU-T G.8032 Ethernet Ring Protection Switching
• Y.1731 Performance Monitoring
• IP and PPPoE Session Support
• Per Subscriber Session Call Admission Control (CAC)
• Configuring Private Host on Pseudoport on CWAN Cards
• Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs
• Dynamic Ethernet Service Activation
• BFD Scale Improvement on ES+ Line Card for 7600
• Ethernet Data Plane Loopback
For more information about the commands used in this chapter, see the Cisco IOS Release 12.2 SR Command References at http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html.
Note
The information provided in this chapter is applicable to both the ES+ and ES+T line cards unless specified otherwise.
Note
Follow these restrictions and guidelines when cross-bundling different line cards:
1. ES20 and ES+ cross-bundling is not supported.
2. Cross-bundling of any LAN card with ES20 or ES+ cards is not supported.
Cisco 7600 Synchronous Ethernet Support
Synchronous Ethernet (SyncE), defined by ITU-T standards such as G.8261 and G.8262, uses the Ethernet PHY layer to transmit clock information to remote sites. SyncE provides a cost-effective alternative to SONET networks. For SyncE to work, each network element along the synchronization path must support SyncE. To implement SyncE, the Ethernet bit clock is aligned to a reliable clock traceable to a Primary Reference Clock (PRC).
SyncE is implemented on the ES+ card for Cisco 7600 series routers. An ES+ card has a dedicated external interface, known as the BITS interface, to recover the clock from a Synchronization Supply Unit (SSU). The 7600 router uses this clock for SyncE. The BITS interface supports E1 (European SSU) and T1 (American BITS) framing. Table 4-1 lists the framing modes for the BITS port on an ES+ card:
Table 4-1 Framing Modes for BITS Port on an ES+ card
| BITS/SSU port support matrix | Framing modes supported | SSM/QL support | Tx Port | Rx Port |
| T1 | T1 ESF | Yes | Yes | Yes |
| T1 | T1 SF | No | Yes | Yes |
| E1 | E1 CRC4 | Yes | Yes | Yes |
| E1 | E1 FAS | No | Yes | Yes |
| E1 | E1 CAS | No | No | Yes |
| E1 | E1 CAS CRC4 | Yes | No | Yes |
| 2048 kHz | 2048 kHz | No | Yes | Yes |
Table 4-2 lists the External Timing Input and Output Pinouts:
Table 4-2 External Timing Input and Output Pinout
| Pin | Signal |
| 1 | Rx Ring |
| 2 | Receive (Rx) Tip |
| 3 | Not used |
| 4 | Tx Ring |
| 5 | Transmit (Tx) Tip |
| 6 | Not used |
| 7 | Not used |
| 8 | Not used |
Note
The pinout of the BITS port on the ES+ card is similar to that of E1 and T1 ports.
You can implement SyncE on an ES+ card with four different configurations:
• Clock Recovery from SyncE: The system clock is recovered from a SyncE clocking source (Gigabit and Ten Gigabit interfaces only). The router uses this clock as the Tx clock for other SyncE interfaces or for ATM/CEoP interfaces.
• Clock Recovery from External Interface: The system clock is recovered from a BITS clocking source.
• Line to External: The clock received on an Ethernet interface is forwarded to an external SSU. The SyncE feature provides this functionality for clock cleanup. For a router in the middle of a synchronization chain, the received clock may have unacceptable wander and jitter. The router recovers the clock from the SyncE interface, converts it to the format required by the BITS interface, and sends it to an SSU through the BITS port. The SSU cleans up the clock and sends it back to the BITS interface. The cleaned-up clock received from the SSU is then used as the Tx clock for the SyncE ports. On the 7600 router, the interface from which the clock is recovered and the BITS port to the SSU must reside on the same ES+ card.
• System to External: The system clock is used as the Tx clock for an external interface. By default, the system clock is not transmitted on the external interface.
The SyncE-enabled ES+ line card provides squelching functionality: an Alarm Indication Signal (AIS) is sent on the Tx interface if the clock source goes down. Squelching is implemented in two cases:
• Line to external: If the line source goes down, an AIS is transmitted on the external interface to the SSU.
• System to external: If the router loses all of its clock sources, an AIS is sent on the external interface to the SSU.
Squelching is performed only towards an external device such as an SSU or PRC.
You can have a maximum of six clock sources for a 7600 router and a maximum of four clock sources on an ES+ card. The clock source with the highest priority becomes the default clock source. You manage the clock sources on an ES+ card by changing their priorities. You can also manage synchronization on ES+ cards using the following management options:
• Hold-off Time: If a clock source goes down, the router waits for the hold-off time before removing the source. By default, the hold-off time is 300 ms.
• Wait to Restore: When a SyncE interface comes up, the router waits for this period before considering the interface as a synchronization source. By default, the value is 300 seconds.
• Force Switch: Forcefully selects a synchronization source regardless of whether the source is available or within the specified range.
• Manual Switch: Forcefully selects a synchronization source provided that the source is available and within the range.
SSM and ESMC
Network clocking uses these mechanisms to exchange the quality level of the clock between network elements:
• Synchronization Status Message
• Ethernet Synchronization Messaging Channel
Synchronization Status Message
Network elements use Synchronization Status Messages (SSM) to inform neighboring elements about the Quality Level (QL) of the clock. Non-Ethernet interfaces such as optical interfaces and SONET/T1/E1 SPA framers use SSM. The key benefits of the SSM functionality are:
• Prevents timing loops.
• Provides fast recovery when a part of the network fails.
• Ensures that a node derives timing from the most reliable clock source.
Ethernet Synchronization Messaging Channel
To maintain a logical communication channel in synchronous network connections, Ethernet relies on a channel called the Ethernet Synchronization Messaging Channel (ESMC), based on the IEEE 802.3 Organization Specific Slow Protocol standard. ESMC relays the SSM code that represents the quality level of the Ethernet Equipment Clock (EEC) at the physical layer.
ESMC packets are received only on ports configured as clock sources and are transmitted on all SyncE interfaces in the system. The received packets are processed by the clock selection algorithm on the RP and used to select the best clock. The Tx frame is generated from the QL value of the selected clock source and sent to all enabled SyncE ports.
Clock Selection Algorithm
The clock selection algorithm selects the best available synchronization source from the nominated sources. The algorithm always selects the signal with the best QL value and is non-revertive among clock sources with the same QL value. For clock option 1 the default is revertive; for clock option 2 the default is non-revertive.
The clock selection process works in the QL enabled and QL disabled modes. When multiple selection processes are present in a network element, all processes work in the same mode.
QL-enabled mode
In QL-enabled mode, the following parameters contribute to the selection process:
• Quality level
• Signal fail via QL-FAILED
• Priority
• External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest quality level that does not experience a signal fail condition. If multiple inputs have the same highest quality level, the input with the highest priority is selected. For multiple inputs having the same highest priority and quality level, the existing reference is maintained (if it belongs to this group); otherwise an arbitrary reference from this group is selected.
QL-disabled mode
In QL-disabled mode, the following parameters contribute to the selection process:
• Signal failure
• Priority
• External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest priority that does not experience a signal fail condition. For multiple inputs having the same highest priority, the existing reference is maintained (if it belongs to this group); otherwise an arbitrary reference from this group is selected.
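The selection rules above, modelled in Python as an added example (not Cisco code): it implements the QL-enabled and QL-disabled candidate filtering, the priority tie-break, the non-revertive retention of the current reference, and the Force Switch and Manual Switch external commands. The QL ranking table is a simplified, constructed ordering of the option 1 QL codes, and the source names are constructed to match the interfaces used in this chapter.

```python
"""Model of the G.781-style clock selection process described in this chapter.

Added example, not Cisco code. The QL ranking is a simplified, constructed
ordering (lower value = better clock); the nominated sources are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed ranking of option 1 QL codes: a lower value means a better clock.
QL_RANK = {"PRC": 0, "SSU-A": 1, "SSU-B": 2, "SEC": 3, "DNU": 4}


@dataclass
class Source:
    name: str
    priority: int            # 1 is the highest priority
    ql: str                  # QL code received via SSM/ESMC
    signal_fail: bool = False
    ql_failed: bool = False  # QL-FAILED: no valid QL could be read

    def usable(self, ql_enabled: bool) -> bool:
        """A reference is a candidate only without a signal fail condition;
        in QL-enabled mode a QL-FAILED or DNU ("do not use") input is excluded too."""
        if self.signal_fail:
            return False
        if ql_enabled and (self.ql_failed or self.ql == "DNU"):
            return False
        return True


def select_reference(sources: Iterable[Source], current: Optional[str],
                     ql_enabled: bool, force: Optional[str] = None,
                     manual: Optional[str] = None) -> Optional[str]:
    """Return the name of the reference to lock to, or None for hold-over.

    force  -- Force Switch: chosen regardless of availability.
    manual -- Manual Switch: chosen only if that source is usable.
    Without external commands: best QL (QL-enabled mode only), then highest
    priority, then keep the current reference if it is still in the tie group
    (non-revertive), otherwise the first nominated member of the group.
    """
    sources = list(sources)
    if force is not None:
        return force
    by_name = {s.name: s for s in sources}
    if manual is not None and manual in by_name and by_name[manual].usable(ql_enabled):
        return manual
    candidates = [s for s in sources if s.usable(ql_enabled)]
    if not candidates:
        return None                      # no usable reference: hold-over
    if ql_enabled:
        best_ql = min(QL_RANK[s.ql] for s in candidates)
        candidates = [s for s in candidates if QL_RANK[s.ql] == best_ql]
    best_prio = min(s.priority for s in candidates)
    tie_group = [s.name for s in candidates if s.priority == best_prio]
    if current in tie_group:
        return current                   # non-revertive: stay on the current reference
    return tie_group[0]


# Constructed nominated sources, named after interfaces used in this chapter.
NOMINATED = [
    Source("GigabitEthernet5/1", priority=1, ql="SEC"),
    Source("TenGigabitEthernet7/1", priority=2, ql="PRC"),
    Source("External 7/0/0", priority=1, ql="PRC"),
]

if __name__ == "__main__":
    # QL-enabled mode prefers the PRC-quality sources and then the higher priority.
    print("QL-enabled :", select_reference(NOMINATED, None, ql_enabled=True))
    # QL-disabled mode ignores QL and picks by priority alone.
    print("QL-disabled:", select_reference(NOMINATED, None, ql_enabled=False))
```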
Hybrid mode
SyncE requires that each network element along the synchronization path supports SyncE. Timing over Packet (ToP) enables the transfer of timing over an asynchronous network. In hybrid mode, the clock derived from 1588 (PTP) drives the system clock; this is achieved by configuring the ToP interface on the PTP slave as the input source.
Note
The ToP interface does not support QL and works only in the QL-disabled mode.
The ES+ is a family of fixed-port SyncE line cards supporting 20 and 40 Gbps bandwidth for the 7600 series routers. The following ES+ cards support SyncE:
• 4x10G XFP ports
• 40x1G SFP ports
• 2x10G XFP ports
• 20x1G SFP ports
• 4x10GE or 2x10GE with ITU-T G.709 DWDM optical interface
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring SyncE on an ES40 line card:
• If the network clock algorithm is enabled, all ES+ cards on the router use the system clock as the Tx clock (synchronous mode) for their Ethernet interfaces. You cannot change the synchronous mode on a per-interface basis; the whole line card functions in the same mode.
• On an ES+ card, you can have a maximum of four ports configured as clock sources at a time.
• For a 20x1 Gigabit ES+ line card, you can select a maximum of two ports from each NPU.
• For a 40x1 Gigabit ES+ line card, you can select only one port from each NPU.
• You can configure a maximum of six ports as clock sources for a Cisco 7600 router.
• Line to external for clock cleanup is supported only if the line interface and the external (BITS) interface are on the same ES+ line card.
• The SyncE feature is SSO co-existent, but not SSO compliant. The clock selection algorithm is restarted on a switchover, and during the switchover the router goes into hold-over mode.
• ES+ SyncE interfaces in WAN mode cannot be used for QL-enabled clock selection. Either use them with the system in QL-disabled mode, or disable ESMC on the interfaces and use them as QL-disabled interfaces.
• It is recommended that you do not configure multiple input sources with the same priority, as this impacts the TSM switching delay.
• You cannot run the network-clock based clock selection algorithm and the new algorithm simultaneously; the two algorithms are mutually exclusive.
• SyncE is not supported on 1 Gigabit Ethernet copper SFPs (SFP GE-T and GLC-T).
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
This section describes how to configure SyncE for the Cisco 7600 router. SyncE is implemented on the Cisco 7600 router using four different configurations:
• Configuring the Clock Recovery from SyncE
• Configuring the Clock Recovery from BITS Port
• Configuring the System to External
• Configuring the Line to External
Configuring the Clock Recovery from SyncE
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from SyncE method.
SUMMARY STEPS
1. enable
2. configure terminal
3. network-clock synchronization automatic
4. network-clock synchronization ssm option option_Id Generation_Id
5. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
6. [no] clock source {internal | line | loop}
7. synchronous mode
8. exit
9. network-clock input-source priority {interface interface_name slot/card/port | external slot/card/port}
10. exit
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: network-clock synchronization automatic
Example: Router(config)# network-clock synchronization automatic
Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
Example: Router(config)# network-clock synchronization ssm option 2 GEN1
Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe; this is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# int gig 5/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.

Step 6: clock source {internal | line | loop}
Example: Router(config-if)# clock source line
Purpose: Indicates the clock source to use. The three options are:
• internal: Use the internal clock.
• line: Recover the clock from the line.
• loop: Use local loop timing.
To implement SyncE, use the line option.

Step 7: synchronous mode
Example: Router(config-if)# synchronous mode
Purpose: Sets the interface to synchronous mode.

Step 8: exit
Example: Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 9: network-clock input-source priority {interface interface_name slot/card/port | external slot/card/port}
Example: Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Purpose: Enables clock recovery from SyncE.

Step 10: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.
Examples
This example shows how to configure clock recovery from SyncE for Cisco 7600 routers:
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# int gig 5/1
Router(config-if)# clock source line
Router(config-if)# synchronous mode
Router(config-if)# exit
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Configuring the Clock Recovery from BITS Port
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery from BITS port.
SUMMARY STEPS
1. enable
2. configure terminal
3. network-clock synchronization automatic
4. network-clock synchronization ssm option option_Id Generation_Id
5. network-clock input-source priority {interface interface_name slot/card/port | external slot/card/port}
6. exit
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: network-clock synchronization automatic
Example: Router(config)# network-clock synchronization automatic
Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
Example: Router(config)# network-clock synchronization ssm option 2 GEN1
Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe; this is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5: network-clock input-source priority {interface interface_name slot/card/port | external slot/card/port}
Example: Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
Purpose: Enables clock recovery from the BITS port.

Step 6: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.
Examples
This example shows how to configure clock recovery from the BITS port for Cisco 7600 routers:
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
Configuring the System to External
This section describes how to configure SyncE over ES+ card on Cisco 7600 router using System to External method.
SUMMARY STEPS
1. enable
2. configure terminal
3. network-clock synchronization automatic
4. network-clock synchronization ssm option option_Id Generation_Id
5. network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m]}
6. exit
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: network-clock synchronization automatic
Example: Router(config)# network-clock synchronization automatic
Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.

Step 4: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
Example: Router(config)# network-clock synchronization ssm option 2 GEN1
Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe; this is the default value. The option_id value 2 refers to synchronization networks designed for the US.

Step 5: network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m]}
Example: Router(config)# network-clock output-source system 1 external 4/0/0 t1 sf
Purpose: Configures the system clock to be used on external Tx interfaces.

Step 6: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.
Examples
This example shows how to configure system to external clocking for Cisco 7600 Routers:
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
This example shows how to configure clock clean-up using an SSU:
Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0 t1 sf
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
Configuring the Line to External
This section describes how to configure SyncE on an ES+ card in a Cisco 7600 router using the Line to External method.
SUMMARY STEPS
1. enable
2. configure terminal
3. network-clock synchronization automatic
4. network-clock synchronization ssm option option_Id Generation_Id
5. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
6. [no] clock source {internal | line | loop}
7. synchronous mode
8. exit
9. network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}
10. exit
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: network-clock synchronization automatic
Example: Router(config)# network-clock synchronization automatic
Purpose: Enables the network clock selection algorithm. This command disables the Cisco-specific network-clock process and turns on the G.781-based automatic clock selection process.
Step 4
Command: network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
Example: Router(config)# network-clock synchronization ssm option 2 GEN1
Purpose: Configures the equipment to work in a synchronization network. The option_id value 1 refers to synchronization networks designed for Europe; this is the default value. The option_id value 2 refers to synchronization networks designed for the US.
Step 5
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# int gig 5/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.
Step 6
Command: clock source {internal | line | loop}
Example: Router(config-if)# clock source line
Purpose: Indicates the clock source to use. The three options are:
• internal: Use the internal clock.
• line: Recover the clock from the line.
• loop: Use local loop timing.
To implement SyncE, use the line option.
Step 7
Command: synchronous mode
Example: Router(config-if)# synchronous mode
Purpose: Sets the interface to synchronous mode.
Step 8
Command: exit
Example: Router(config-if)# exit
Purpose: Exits interface configuration mode.
Step 9
Command: network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port} {external slot/card/port}
Example: Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0
Purpose: Configures the line clock to be used on external Tx interfaces.
Step 10
Command: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.
Examples
This example shows how to configure Line to External clocking, with the clock recovered from SyncE, for Cisco 7600 routers:
Router# configure terminal
Router(config)# network-clock synchronization automatic
Router(config)# network-clock synchronization ssm option 2 GEN1
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)# int gig 5/1
Router(config-if)# clock source line
Router(config-if)# synchronous mode
Router(config-if)# exit
Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External 1/0/0
Managing Synchronization on ES+ Card
Manage the synchronization on ES+ cards with these management commands:
• Quality Level Enabled Clock Selection: Use the network-clock synchronization mode QL-enabled command in global configuration mode to configure the automatic selection process for QL-enabled mode. This succeeds only if the SyncE interfaces are capable of sending SSM. The following example shows how to configure network clock synchronization (QL-enabled mode) in global configuration mode:
Router(config)# network-clock synchronization mode QL-enabled
• ESMC Process: Use the esmc process command in global configuration mode to enable the ESMC process at the system level. The no form of the command disables the ESMC process. This command fails if no SyncE-capable interface is installed in the platform. The following example shows how to enable ESMC in global configuration mode:
Router(config)# esmc process
• ESMC Mode: Use the esmc mode [tx | rx | <cr>] command in interface configuration mode to enable the ESMC process at the interface level. The no form of the command disables the ESMC process. The following example shows how to enable ESMC in interface configuration mode:
Router(config-if)# esmc mode tx
• Network Clock Source Quality Level: Use the network-clock source quality-level command in interface configuration mode to configure the QL value for ESMC on a Gigabit Ethernet port. The available values depend on the global interworking option:
– If option 1 is configured, the available values are QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and QL-DNU.
– If option 2 is configured with GEN2, the available values are QL-PRS, QL-STU, QL-ST2, QL-TNC, QL-ST3, QL-SMC, QL-ST4, and QL-DUS.
– If option 2 is configured with GEN1, the available values are QL-PRS, QL-STU, QL-ST2, QL-SMC, QL-ST4, and QL-DUS.
Use the network-clock quality-level command in global configuration mode to configure the QL value for SSM on the BITS port. The following example shows how to configure network-clock quality-level in global configuration mode:
Router(config)# network-clock quality-level rx QL-PRC interface ToP3/0/20
The following example shows how to configure network-clock source quality-level in interface configuration mode:
Router(config-if)# network-clock source quality-level QL-PRC
• Wait-to-Restore: Use the network-clock wait-to-restore timer global command to set the wait-to-restore time, from 0 to 86400 seconds; the default is 300 seconds. The wait-to-restore timer can be set in global configuration mode and in interface configuration mode. The following example shows how to configure the wait-to-restore timer in global configuration mode:
Router(config)# network-clock wait-to-restore 10 global
The following example shows how to configure the wait-to-restore timer in interface configuration mode:
Router(config)# int ten 7/1
Router(config-if)# network-clock wait-to-restore 10
• Hold-off Time: Use the network-clock hold-off timer global command to configure the hold-off time, either zero or any value from 50 to 10000 milliseconds; the default is 300 milliseconds. The hold-off timer can be set in global configuration mode and in interface configuration mode. The following example shows how to configure the hold-off time:
Router(config)# network-clock hold-off 50 global
• Force Switch: Use the network-clock switch force command to select a synchronization source regardless of whether the source is available and within range. The following example shows how to configure a force switch:
Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1
• Manual Switch: Use the network-clock switch manual command to manually select a synchronization source, provided the source is available and within range. The following example shows how to configure a manual switch:
Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1
• Clear Manual and Force Switch: Use the network-clock clear switch controller-id command to clear a manual or force switch. The following example shows how to clear a switch:
Router(config)# network-clock clear switch t0
• Lock Out a Source: Use the network-clock set lockout command to lock out a clock source. A clock source flagged as locked out is not selected for SyncE. To clear the lockout on a source, use the network-clock clear lockout command. The following example shows how to lock out a clock source:
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1
The following example shows how to clear the lockout on a clock source:
Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1
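The selection rules these commands act on (QL first, then priority, with lockout, force switch and manual switch overriding them), modelled in Python as an added example that is not Cisco code. It parses the nominated-interface rows of the show network-clock synchronization output constructed from this page; treating QL-DNU/QL-DUS as never selectable follows G.781 and is an assumption, and the hold-off and wait-to-restore timers are not modelled.

```python
"""QL-enabled clock selection, modelled from the rules in this section.

Added example, not Cisco code. Sources in alarm or locked out are skipped,
the best quality level wins, priority (lower number first) breaks ties, a
force switch overrides the automatic choice and a manual switch is honoured
only if its source is usable. QL orderings are the option 1 / option 2 lists
given above. Assumption: QL-DNU / QL-DUS ("do not use") are never selectable,
as in G.781. Hold-off and wait-to-restore timers are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Quality levels from best to worst, per SSM option and generation.
QL_ORDER: Dict[tuple, List[str]] = {
    ("1", "GEN1"): ["QL-PRC", "QL-SSU-A", "QL-SSU-B", "QL-SEC", "QL-DNU"],
    ("2", "GEN1"): ["QL-PRS", "QL-STU", "QL-ST2", "QL-SMC", "QL-ST4", "QL-DUS"],
    ("2", "GEN2"): ["QL-PRS", "QL-STU", "QL-ST2", "QL-TNC", "QL-ST3",
                    "QL-SMC", "QL-ST4", "QL-DUS"],
}
DO_NOT_USE = {"QL-DNU", "QL-DUS"}


@dataclass
class Source:
    name: str
    priority: int            # Prio column: lower number is preferred
    ql_in: str               # QL_IN column: quality level received
    alarm: bool = False      # signal fail / OOR: excluded from selection
    lockout: bool = False    # set by "network-clock set lockout"


def parse_nominated(lines: List[str]) -> List[Source]:
    """Parse rows such as '*Te12/1 NA Sync/En 1 QL-PRC - -'."""
    sources = []
    for line in lines:
        cols = line.split()
        if len(cols) < 5 or not cols[3].isdigit():   # header / legend rows
            continue
        name = cols[0].lstrip("*#&")    # selection markers precede the name
        sources.append(Source(name, int(cols[3]), cols[4]))
    return sources


def marked_selected(lines: List[str]) -> Optional[str]:
    """Name of the row the device flagged with '*', '#' or '&'."""
    for line in lines:
        cols = line.split()
        if len(cols) >= 5 and cols[3].isdigit() and cols[0][0] in "*#&":
            return cols[0].lstrip("*#&")
    return None


@dataclass
class Selector:
    option: str
    generation: str
    sources: List[Source] = field(default_factory=list)
    forced: Optional[str] = None     # network-clock switch force <source>
    manual: Optional[str] = None     # network-clock switch manual <source>

    def _rank(self, ql: str) -> int:
        order = QL_ORDER[(self.option, self.generation)]
        return order.index(ql) if ql in order else len(order)  # unknown: last

    def _usable(self, s: Source) -> bool:
        return not (s.alarm or s.lockout or s.ql_in in DO_NOT_USE)

    def _by_name(self, name: str) -> Optional[Source]:
        return next((s for s in self.sources if s.name == name), None)

    def select(self) -> Optional[str]:
        """Return the name of the source that becomes T0, or None."""
        if self.forced and self._by_name(self.forced) is not None:
            return self.forced            # forced regardless of availability
        manual = self._by_name(self.manual) if self.manual else None
        if manual is not None and self._usable(manual):
            return manual.name            # manual switch needs a usable source
        usable = [s for s in self.sources if self._usable(s)]
        if not usable:
            return None
        best = min(usable, key=lambda s: (self._rank(s.ql_in), s.priority))
        return best.name


# Constructed from the show network-clock synchronization output above.
SAMPLE_TABLE = [
    "Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx",
    "Internal NA NA/Dis 251 QL-SEC NA NA",
    "*Te12/1 NA Sync/En 1 QL-PRC - -",
    "AT6/0/0 NA NA/En 1 QL-SSU-A NA NA",
]


def check_sample() -> bool:
    """True when the model picks the same source the device starred."""
    sel = Selector("1", "GEN1", parse_nominated(SAMPLE_TABLE))
    return sel.select() == marked_selected(SAMPLE_TABLE)
```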
Verification
Use the following commands to verify the SyncE configuration:
• Use the show network-clock synchronization command to display the following sample output:
Router# show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
• Use the show network-clock synchronization detail command to display all details of the network-clock synchronization parameters at the global and interface levels:
Router# show network-clocks synchronization detail
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Number of synchronization sources: 2
sm(netsync NETCLK_QL_ENABLE), running yes, state 1A
Last transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A
(ql_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A
(sf_change)-> 1A (ql_change)-> 1A
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
---------------------------------------------
Local Interface: Internal
QL Transmit Configured: -
Mode: Synchronous(Ql-enabled)
QL Transmit Configured: -
QL Transmit Configured: -
• Use the show esmc command to display the following sample output:
Interface: TenGigabitEthernet12/1
Administative configurations:
ESMC Information rate: 1 packet/second
Interface: TenGigabitEthernet12/2
Administative configurations:
ESMC Information rate: 1 packet/second
• Use the show esmc detail command to display all details of the ESMC parameters at the global and interface levels:
Interface: TenGigabitEthernet12/1
Administative configurations:
ESMC Information rate: 1 packet/second
ESMC Tx interval count: 1
Interface: TenGigabitEthernet12/2
Administrative configurations:
ESMC Information rate: 1 packet/second
ESMC Tx interval count: 1
Troubleshooting the Synchronous Ethernet configuration
The following debug commands are available for troubleshooting the Synchronous Ethernet configuration on the Cisco 7600 ES+ Line Card:
Debug Command: debug platform ssm
Purpose: Debugs issues related to SSM such as Rx, Tx, QL values, and so on.
Debug Command: debug platform network-clock
Purpose: Debugs issues related to the network clock such as alarms, OOR, active-standby sources not selected correctly, and so on.
Debug Commands:
debug esmc error
debug esmc event
debug esmc packet [interface <interface name>]
debug esmc packet rx [interface <interface name>]
debug esmc packet tx [interface <interface name>]
Purpose: Verifies whether the ESMC packets are transmitted or received with the proper quality level values.
Troubleshooting Scenarios
Note
Before you troubleshoot, ensure that all the network clock synchronization configurations are complete.
Troubleshooting
Table 4-3 provides the troubleshooting solutions for the Synchronous Ethernet feature.
Table 4-3 Troubleshooting Scenarios
Problem: Incorrect clock limit set or disabled queue limit mode
Solution:
• Verify that there are no alarms on the interfaces. Use the show network-clock synchronization detail RP command to confirm.
• Use the show network-clock synchronization command to confirm whether the system is in revertive or non-revertive mode, and verify the non-revertive configuration as shown in this example:
RouterB#show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 1544 (EEC-Option2)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : GEN1
T0 : POS3/1/0
Hold-off (global) : 300 ms
Wait-to-restore (global) : 0 sec
Tsm Delay : 180 ms
Revertive : Yes <<<< If the system is non-revertive, this field shows No.
Nominated Interfaces
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-ST3 NA NA
SONET 3/0/0 NA NA/En 3 QL-ST3 NA NA
*PO3/1/0 NA NA/En 1 QL-ST3 NA NA
SONET 2/3/0 NA NA/En 4 QL-ST3 NA NA
• Reproduce the current issue and collect the logs using the debug network-clock errors, debug network-clock event, and debug network-clock sm RP commands.
Warning  We suggest you do not use these debug commands without TAC supervision.
• Contact Cisco technical support if the issue persists.
Problem: Incorrect quality level (QL) values are shown by the show network-clock synchronization detail command.
Solution:
• Use the network clock synchronization SSM (option 1 | option 2) command to confirm that there is no framing mismatch. Use the show run interface command to validate the framing for a specific interface. For SSM option 1 the framing should be SDH or E1, and for SSM option 2 it should be SONET or T1.
• Reproduce the issue using the debug network-clock errors, debug network-clock event, and debug platform ssm RP commands, or enable the debug hw-module subslot command.
Warning  We suggest you do not use these debug commands without TAC supervision.
Problem: The error message "%NETCLK-6-SRC_UPD: Synchronization source SONET 2/3/0 status (Critical Alarms(OOR)) is posted to all selection process" is displayed.
Solution:
• Interfaces with alarms or OOR cannot be part of the selection process even if they have a higher queue limit or priority. Use the debug platform network-clock RP command to troubleshoot network clock issues.
• Reproduce the issue with the debug platform network-clock command enabled on the route processor, or enable the debug network-clock event and debug network-clock errors RP commands.
Warning  We suggest you do not use these debug commands without TAC supervision.
Flexible QinQ Mapping and Service Awareness
Flexible QinQ Mapping and Service Awareness allows service providers to offer triple-play services, residential Internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.
The access node connects to the DSLAM through the Cisco 7600 Series ES+ line cards. This provides a flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to different services.
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards is supported only through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.
Figure 4-1 shows a typical metro architecture where the access router facing the DSLAM provides VLAN translation (selective QinQ) and grooming functionality and where the service routers (SR) provide QinQ termination into a Layer 2 or Layer 3 service.
Figure 4-1 Metro Architecture
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards provides the following functionality:
•
VLAN connect with local significance (VLAN local switching)
–
Single tag Ethernet local switching where the received dot1q tag traffic from one port is cross-connected to another port by changing the tag. This is a 1-to-1 mapping service and there is no MAC learning involved.
–
Double tag Ethernet local switching where the received double tag traffic from one port is cross-connected to another port by changing both tags. The mapping to each double tag combination to the cross-connect is 1-to-1. There is no MAC learning involved.
–
Hairpinning: a cross connect between two EFPs on the same port.
Note
Connect service does not support identifying BPDU packets.
•
Selective QinQ (1-to-2 translation)
–
Cross connect—Selective QinQ adds an outer tag to the received dot1q traffic and then tunnels it to the remote end with Layer 2 switching or EoMPLS.
•
Double tag translation (2-to-2 translation) Layer 2 switching—Two received tagged frames are popped and two new tags are pushed.
•
Double tag termination (2-to-1 tag translation)
–
Ethernet MultiPoint Bridging over Ethernet (MPBE)—The incoming double tag is uniquely mapped to a single dot1q tag that is then used to do MPBE.
–
Double tag MPBE—The ingress line uses double tags in the ingress packet to look up the bridging VLAN. The double tags are popped and the egress line card adds new double tags and sends the packet out.
–
Double tag routing—Same as regular dot1q tag routing except that double tags are used to identify the hidden VLAN.
•
Local VLAN significance—VLAN tags are significant only to the port.
For the Cisco 7600 Series ES+ line card, the subinterface gets a hidden VLAN (a VLAN that is not configured and is allocated internally) associated to the subinterface. The hidden VLAN number has no correlation with the encapsulation VLAN (the VLAN visible to the user or in the wire). Because the encapsulation is local to the port, you can have the same encapsulation VLAN in multiple ports.
•
Scalable EoMPLS VC—Single tag packets are sent across the tunnel.
•
QinQ policing and QoS
•
Layer 2 protocol data unit (PDU) packet
–
With the connect and xconnect commands, Layer 2 PDUs are forwarded transparently regardless of whether they are tagged or untagged.
–
With bridge-domain command, if the Layer 2 PDUs are tagged, packets are dropped by default; if the Layer 2 PDUs are untagged, packets are treated per the physical port configuration. (With an untagged service instance with bridge-domain command, the CPU stops the PDU depending on the configuration). When the feature is configured on the EFP, the BPDU is passed by the EFP to the feature which makes the decision accordingly.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring Flexible QinQ Mapping and Service Awareness on the Cisco 7600 Series ES+ line cards:
•
Service Scalability:
–
Service Instances per network processor: 8000
–
Service instances per Line Card: 16000
–
Service instances per port channel: 8000. This is subject to the number of members per NP. This value would reduce by the factor of the member links per NP. If the member links are spread across NPs, then the maximum number of service instances per port channel is unchanged.
–
Using TCAM entries: The number of TCAM entries an EVC uses depends on the encapsulation configured on the service instance, as shown in the following examples.
Example 1
service instance 1 eth
encap dot1q 100
TCAMs used - 1
Example 2
service instance 1 eth
encap dot1q 200 second-dot1q 300
TCAMs used - 1
Example 3
service instance 1 eth
encap dot1q 201, 202
TCAMs used - 2 (one for each encapsulation)
Example 4
service instance 1 eth
encap dot1q 20-40
TCAMs used - 4
First entry to match VLANs 20-23
Second entry to match VLANs 24-31
Third entry to match VLANs 32-39
Fourth entry to match VLAN 40
A range does not always mean multiple TCAM entries, as shown in this example where only one TCAM entry is used per EVC.
Example 5
service instance 1 ethernet
encap dot1q 8-15
service instance 2 ethernet
encap dot1q 2000 second-dot1q 96-127
TCAMs used per EVC : 1
– Service instances per router: 32,000
– Bridge-domains per router: 4,000
– Local switching: 16,000
– Xconnect: 16,000
– Subinterface: 2,000
– Number of service instances on a particular domain: 110 per NP
•
QoS Scalability:
–
Shaping: Parent queue is 2,000 and child queue is 16,000
–
Marking: Parent queue is 2,000 and child queue is 16,000
–
Maximum number of child queues (leaf) supported for ES+T line card is 16 per port.
•
Modular QoS CLI (MQC) actions supported include:
–
Shaping
–
Bandwidth
–
Two priority queues per policy
–
The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner cos command
–
WRED aggregate
–
Queue-limit
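The TCAM entry counts in Examples 1-5 above, reproduced in Python as an added example that is not Cisco code. The assumption, derived from those examples, is that one value/mask entry matches one aligned power-of-two block of VLAN IDs and that an outer/inner range pair costs the product of the two block counts; ranges are passed as (low, high) tuples.

```python
"""TCAM entries per VLAN range, derived from Examples 1-5 above.

Added example, not Cisco code. The counts in those examples (20-40 -> four
entries 20-23, 24-31, 32-39, 40; 8-15 and 96-127 -> one entry each) are what
you get by splitting a range into the largest blocks a single value/mask
entry can match: each block starts on a multiple of its power-of-two size.
That decomposition is the assumption here, as is costing an outer x inner
(second-dot1q) range pair as the product of the two block counts (Example 5).
"""
from typing import List, Optional, Tuple

Range = Tuple[int, int]
VLAN_MASK = 0xFFF   # 12-bit VLAN ID field


def aligned_blocks(lo: int, hi: int) -> List[Range]:
    """Split [lo, hi] into maximal blocks [a, a + 2^k - 1] with a % 2^k == 0."""
    blocks = []
    while lo <= hi:
        size = 1
        # double the block while it stays aligned and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, lo + size - 1))
        lo += size
    return blocks


def value_mask(block: Range) -> Tuple[int, int]:
    """Value/mask pair that matches every VLAN in one aligned block."""
    lo, hi = block
    return lo, VLAN_MASK & ~(hi - lo)


def entry_matches(vlan: int, entry: Tuple[int, int]) -> bool:
    value, mask = entry
    return vlan & mask == value & mask


def tcam_entries(outer: List[Range], inner: Optional[List[Range]] = None) -> int:
    """Entries for 'encapsulation dot1q <outer> [second-dot1q <inner>]'."""
    outer_blocks = sum(len(aligned_blocks(lo, hi)) for lo, hi in outer)
    if inner is None:
        return outer_blocks
    inner_blocks = sum(len(aligned_blocks(lo, hi)) for lo, hi in inner)
    return outer_blocks * inner_blocks


def covers_exactly(lo: int, hi: int) -> bool:
    """Every VLAN in [lo, hi] hits exactly one entry and no VLAN outside hits any."""
    entries = [value_mask(b) for b in aligned_blocks(lo, hi)]
    for vlan in range(0, VLAN_MASK + 1):
        hits = sum(entry_matches(vlan, e) for e in entries)
        if hits != (1 if lo <= vlan <= hi else 0):
            return False
    return True
```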
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. service instance id ethernet [service-name]
5. encapsulation dot1q vlan-id
6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.
Step 4
Command: service instance id ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 6
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Purpose: Specifies the tag manipulation to be performed on frames entering the service instance.
Examples
Single Tag VLAN Connect
In this example, an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with a dot1q tag of 11. No MAC learning is involved.
Note
Because there is a VLAN translation end to end, Layer 2 protocols need to be carefully considered. Typically, the use case has both sides on the same encapsulation.
This example shows a typical configuration of a DSLAM facing port of the first PE router.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101
Double Tag VLAN Connect
In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with an outer dot1q tag of 11 and inner tag 21. No MAC learning is involved.
This example shows a typical configuration of an MPLS core facing port of the first PE router.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101
Selective QinQ with Xconnect
This configuration uses EoMPLS under the single tag subinterface to forward packets. This example shows the DSLAM facing and MPLS core facing ports of the first PE router, and the MPLS core facing and CE facing ports of the second PE router.
First PE router, DSLAM facing port
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255
First PE router, MPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
Second PE router, MPLS core facing port
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# ip address 192.168.1.2 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
Router(config)# interface Loopback1
Router(config-if)# ip address 2.2.2.2 255.255.255.255
Second PE router, CE facing EoMPLS configuration
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect
Selective QinQ with Layer 2 Switching
This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism is the same as MPBE; only the rewrites for each service instance are different.
DSLAM facing port, single tag incoming
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11
QinQ VLAN
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11
Double Tag Translation (2-to-2 Tag Translation)
In this configuration, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge domain VLAN.
QinQ facing port
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200
QinQ VLAN
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# bridge-domain 200
Double Tag Termination (2 to 1 Tag Translation)
The configuration in this example uses the Layer 2 switching.
Double tag traffic
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 10
Router(config)# interface TenGigabitEthernet 1/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
Router(config)# interface TenGigabitEthernet 1/3
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
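The tag handling in the configurations above (encapsulation matching, pop, push and translate with symmetric reversal on egress), modelled in Python as an added example that is not Cisco code. It assumes an encapsulation without second-dot1q matches on the outer tag only, and that the egress half of a symmetric pop/translate pushes back the EFP's exact encapsulation values; dot1ad ethertypes, MAC learning and the bridge domain itself are not modelled.

```python
"""Model of EFP matching and "rewrite ingress tag ... symmetric".

Added example, not Cisco code. A frame's tags are a list of VLAN IDs, outer
first. Assumptions: an encapsulation without second-dot1q matches on the
outer tag only, and the egress half of a symmetric pop/translate pushes back
the EFP's exact encapsulation values (so it needs exact tags, not ranges).
"""
import re
from typing import List, Optional, Tuple

Tags = List[int]
Range = Tuple[int, int]


def parse_vlan_list(spec: str) -> Optional[List[Range]]:
    """'10-20,30,50-60' -> [(10,20),(30,30),(50,60)]; 'any' -> None."""
    if spec == "any":
        return None
    ranges = []
    for part in re.split(r"\s*,\s*", spec.strip()):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def in_ranges(vlan: int, ranges: Optional[List[Range]]) -> bool:
    return ranges is None or any(lo <= vlan <= hi for lo, hi in ranges)


def vlan_ids(tokens: List[str]) -> Tags:
    """['dot1q', '200', 'second-dot1q', '20'] -> [200, 20]."""
    return [int(t) for t in tokens if t.isdigit()]


class Efp:
    """One service instance: an encapsulation match plus an optional rewrite."""

    def __init__(self, encapsulation: str, rewrite: Optional[str] = None):
        m = re.fullmatch(r"dot1q (\S+)(?: second-dot1q (\S+))?", encapsulation.strip())
        if m is None:
            raise ValueError("unsupported encapsulation: " + encapsulation)
        self.outer = parse_vlan_list(m.group(1))
        self.has_inner = m.group(2) is not None
        self.inner = parse_vlan_list(m.group(2)) if self.has_inner else None
        self.op = rewrite.split() if rewrite else None   # e.g. ['pop', '2']

    def matches(self, tags: Tags) -> bool:
        if not tags or not in_ranges(tags[0], self.outer):
            return False
        if self.has_inner:
            return len(tags) >= 2 and in_ranges(tags[1], self.inner)
        return True

    def _exact(self, n: int) -> Tags:
        """The n encapsulation values pushed back on egress; must be exact."""
        specs = [self.outer, self.inner][:n]
        if any(s is None or len(s) != 1 or s[0][0] != s[0][1] for s in specs):
            raise ValueError("symmetric pop/translate needs exact encapsulation")
        return [s[0][0] for s in specs]

    def ingress(self, tags: Tags) -> Tags:
        """Tag stack after the ingress rewrite."""
        if not self.op:
            return list(tags)
        if self.op[0] == "pop":
            return tags[int(self.op[1]):]
        if self.op[0] == "push":
            return vlan_ids(self.op[1:]) + tags
        if self.op[0] == "translate":
            n_in, _ = self.op[1].split("-to-")
            return vlan_ids(self.op[2:]) + tags[int(n_in):]
        raise ValueError("unsupported rewrite: " + " ".join(self.op))

    def egress(self, tags: Tags) -> Tags:
        """Reverse of ingress(), which is what 'symmetric' means."""
        if not self.op:
            return list(tags)
        if self.op[0] == "pop":
            return self._exact(int(self.op[1])) + tags
        if self.op[0] == "push":
            return tags[len(vlan_ids(self.op[1:])):]
        if self.op[0] == "translate":
            n_in, n_out = self.op[1].split("-to-")
            return self._exact(int(n_in)) + tags[int(n_out):]
        raise ValueError("unsupported rewrite: " + " ".join(self.op))


def forward(src: Efp, dst: Efp, tags: Tags) -> Tags:
    """Frame enters src, is rewritten, then leaves through dst's egress rewrite."""
    if not src.matches(tags):
        raise ValueError(f"frame {tags} does not match the ingress EFP")
    return dst.egress(src.ingress(tags))


def classify(efps: List[Efp], tags: Tags) -> Optional[int]:
    """Index of the first EFP on a port whose encapsulation matches the frame."""
    return next((i for i, e in enumerate(efps) if e.matches(tags)), None)
```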
Verification
Use these commands to verify operation.
Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information about a specific EVC if an EVC ID is specified, or about all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.
Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances. If a service instance ID and interface are specified, only data for that service instance is displayed. If only an interface ID is specified, data for all service instances on that interface is displayed.
Command: Router# show ethernet service interface [interface-id] [detail]
Purpose: Displays information in the Port Data Block (PDB).
Command: Router# show mpls l2 transport vc detail
Purpose: Displays details of the virtual connection (VC).
Command: Router# show mpls forwarding
Purpose: Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB). Note: the output should have the label entry l2ckt.
Command: Router# show connect
Purpose: Displays statistics and other information about Frame-Relay-to-ATM Network Interworking (FRF.5) and Frame-Relay-to-ATM Service Interworking (FRF.8) connections.
Command: Router# show xconnect
Purpose: Displays information about cross-connect attachment circuits and pseudowires.
Troubleshooting
Use these debug commands to troubleshoot the Flexible QinQ feature.
Debug commands
Command: [no] debug ethernet service evc [id <evc-id>]
Purpose: Enables EVC debugging on the RP. If no EVC ID is specified, debugging is enabled for all EVCs on the system.
Command: [no] debug ethernet service instance [id <instance-id> interface <interface-id> | interface <interface-id>]
Purpose: Enables EFP debugging on the RP. If no options are specified, debugging for all EFPs is enabled. If an EFP ID and interface are specified, only the debug messages associated with that EFP are displayed. If only an interface is specified, debug messages for all EFPs on that interface are displayed.
Command: [no] debug ethernet service interface [<interface-id>]
Purpose: Enables PDB debugging.
Command: [no] debug ethernet service api
Purpose: Enables debugging between the Ethernet Services Infrastructure and its clients.
Command: debug ethernet service oam-mgr
Purpose: Enables OAM Manager debugging, to debug OAM interworking.
Command: [no] debug ethernet service error
Purpose: Enables Ethernet service error debugging.
Command: [no] debug ethernet service all
Purpose: Enables EI debugging messages for all PDBs, EVCs, and EFPs.
Table 4-4 provides the troubleshooting solutions for the Flexible mapping feature.
Table 4-4 Troubleshooting Flexible mapping feature
Problem: Erroneous TCAM entries.
Solution: Use the show hw-module subslot subslot tcam command to verify the TCAM entries. Share the output with TAC for further investigation.
Problem: Incorrect virtual VLAN IDs on a QinQ subinterface.
Solution: Use the test hw-mod subslot subslot command to verify the virtual VLAN ID values on a QinQ subinterface. Share the output with TAC for further investigation.
Problem: Wrong interface configured and tag manipulation incorrectly programmed.
Solution: Use the show platform np interface detail command to verify the interface and tag details. Share the output with TAC for further investigation.
Problem: VLAN ID is incorrectly programmed.
Solution: Use the show hw-module subslot subslot tcam all_entries vlan command to verify the VLAN ID details. Share the output with TAC for further investigation.
Problem: Inner, outer start/end VLANs incorrectly programmed.
Solution: Use the show platform np efp command to verify the VLAN details. Share the output with TAC for further investigation.
Problem: Erroneous TCAM entries on the platform.
Solution: Use the show plat soft qos tcamfeature and show plat soft qos tcamt commands to verify the TCAM entries. Share the output with TAC for further investigation.
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
MultiPoint Bridging over Ethernet (MPBE) on Cisco 7600 Series ES+ line cards provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.
For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain traffic packets from one service instance to another. Filtering occurs before and after the rewrite to ensure that the packet goes only to the intended service instance.
You can use MPBE to:
• Simultaneously configure Layer 2 and Layer 3 services, such as Layer 2 VPN, Layer 3 VPN, and Layer 2 bridging, on the same physical port.
• Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can be on the same physical port or on different ports.
• Configure multiple service instances with different encapsulations and map them to a single bridge domain.
• Perform local switching between service instances under the same bridge domain.
• Perform local switching across different physical interfaces using service instances that are part of the same bridge domain.
• Replicate flooded packets from the core to all service instances under the bridge domain.
• Configure a Layer 2 tunneling service or a Layer 3 terminating service under the bridge domain VLAN.
MPBE accomplishes this by manipulating the VLAN tags of each service instance and mapping the manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:
• Single tag termination
• Single tag tunneling
• Single tag translation
• Double tag termination
• Double tag tunneling
• Double tag translation
• Selective QinQ translation
Restrictions and Usage Guidelines
When configuring MPBE on Cisco 7600 Series ES+ line cards, follow these restrictions and usage guidelines:
• Each service instance is treated as a separate circuit under the bridge domain.
• The encapsulation can be dot1q or QinQ.
• 440 MPB VCs are supported under one bridge domain (110 per network processor).
• IGMP snooping is supported with MPB VCs as long as the service instance is terminated on the bridge domain (all tags must be popped, symmetric).
• Split horizon is supported with MPB VCs.
• Untagged BPDU packets can be peered, dropped, or forwarded as data.
• Tagged BPDU packets can be dropped or forwarded as data.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. [no] service instance id {Ethernet [service-name]}
5. encapsulation dot1q vlan-id [second-dot1q vlan-id]
6. [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
7. [no] bridge-domain bridge-id
DETAILED STEPS
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet slot/port
or
interface tengigabitethernet slot/port
Example:
Router(config)# interface gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where:
• slot/port—Specifies the location of the interface.
|
Step 4
|
[no] service instance id {Ethernet [service-name]}
Example:
Router(config-if)# service instance 101 ethernet
|
Creates a service instance (an instantiation of an EVC) on the interface and enters service instance configuration mode (config-if-srv).
|
Step 5
|
encapsulation dot1q vlan-id [second-dot1q vlan-id]
Example:
Router(config-if-srv)# encapsulation dot1q 10
|
Defines the matching criteria used to map ingress dot1q frames on the interface to this service instance.
|
Step 6
|
[no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
Example:
Router(config-if-srv)# rewrite ingress tag push dot1q 200 symmetric
|
Specifies the tag manipulation performed on frames as they enter the service instance.
Note If this command is not configured, the frame is left intact on ingress (the service instance then behaves like a trunk port).
|
Step 7
|
[no] bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain, where bridge-id identifies the bridge domain instance.
|
Examples
Single Tag Termination Example
In this single tag termination example, the customer is identified by a single VLAN tag; the tag is popped and the frame is mapped to the bridge domain.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 12
Single Tag Tunneling Example
In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the packet.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 200
Single Tag Translation Example
In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to the packet.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 3/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Router(config-if-srv)# bridge-domain 200
Double Tag Tunneling Example
In this double tag tunneling example, the incoming VLAN tags are not removed but continue with the packet.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# bridge-domain 200
Double Tag Termination Configuration Example
In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN; the double tags are stripped (terminated) from the packet.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Double-Tag Translation Configuration Example
In this example, double tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer-2-switched to the bridge-domain VLAN.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second-dot1q 30 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200
Selective QinQ Configuration Example
In this example, a range of VLANs is configured and plugged into a single MPB VC.
Router# configure terminal
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200
Router(config)# interface TenGigabitEthernet 2/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200
Untagged Traffic Configuration Example
In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# bridge-domain 11
Router(config)# interface TenGigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11
MPBE with Split Horizon Configuration Example
In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from which the traffic originated.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if)# service instance 1001 ethernet
Router(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30
Router(config-if-srv)# bridge-domain 101 split-horizon
Router(config-if)# service instance 1010 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# rewrite ingress tag translate 1-to-2 dot1q 10 second-dot1q 100 symmetric
Router(config-if-srv)# bridge-domain 10 split-horizon
Router(config-if)# mls qos trust dscp
In this example, service instances are configured on Ethernet interfaces and terminated on the bridge domain.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 1000
Router(config-if-srv)# bridge-domain 10
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 10
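To see what each rewrite operation in the examples above does to a frame's tag stack, and what symmetric reverses on egress, here is a small model of EFP encapsulation matching and tag rewriting. This is an added example, not Cisco code: the Frame class, the TPID constants and all function names are this example's own, and rejecting a symmetric pop over a VLAN range is a modelling assumption.

```python
"""Tag-stack model of EFP encapsulation matching and 'rewrite ingress tag ...
symmetric' operations, as used in the MPBE examples above.
Added example, not Cisco code: Frame, the TPID constants and all function
names are this example's own, not IOS internals."""
from dataclasses import dataclass

DOT1Q, DOT1AD = 0x8100, 0x88A8  # TPIDs used to label tags in this model


@dataclass
class Frame:
    tags: list            # [(tpid, vid), ...], outermost tag first
    payload: bytes = b"constructed payload"


def _vids(tok):
    """'10' -> {10}; '10-20' -> {10, ..., 20} (as in 'encapsulation dot1q 10-20')."""
    lo, _, hi = tok.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_encap(spec):
    """'dot1q 10 [second-dot1q 20]' or 'untagged' -> [(tpid, vid_set), ...]."""
    toks = spec.split()
    if toks == ["untagged"]:
        return []
    return [(DOT1AD if toks[i] == "dot1ad" else DOT1Q, _vids(toks[i + 1]))
            for i in range(0, len(toks), 2)]


def matches(encap, frame):
    """Outer tags must satisfy the criteria in order; deeper inner tags may follow.
    'untagged' matches only frames that carry no tag at all."""
    if not encap:
        return not frame.tags
    if len(frame.tags) < len(encap):
        return False
    return all(t == tpid and v in vids
               for (t, v), (tpid, vids) in zip(frame.tags, encap))


def _tags(toks):
    """'dot1q 40 second-dot1q 30' or 'dot1ad 40 dot1q 30' -> [(tpid, vid), ...]."""
    return [(DOT1AD if toks[i] == "dot1ad" else DOT1Q, int(toks[i + 1]))
            for i in range(0, len(toks), 2)]


def parse_rewrite(spec):
    """'pop 1 symmetric' / 'push ...' / 'translate N-to-M ...' -> (pops, pushed_tags).
    translate N-to-M is modelled as pop N followed by push M."""
    toks = spec.split()
    if toks[-1] != "symmetric":
        raise ValueError("only symmetric rewrites are modelled here")
    op, rest = toks[0], toks[1:-1]
    if op == "pop":
        return int(rest[0]), []
    if op == "push":
        return 0, _tags(rest)
    if op == "translate":
        return int(rest[0].split("-to-")[0]), _tags(rest[1:])
    raise ValueError(f"unknown rewrite operation {op!r}")


def ingress(encap, rewrite, frame):
    """Frame as it enters the bridge domain after the EFP's ingress rewrite."""
    if not matches(encap, frame):
        raise ValueError("frame does not match the service instance encapsulation")
    pops, pushes = rewrite
    return Frame(pushes + frame.tags[pops:], frame.payload)


def egress(encap, rewrite, frame):
    """Symmetric reversal on the way out: remove what ingress pushed and put back
    what it popped, taken from the encapsulation. A popped tag can only be
    restored from a single VLAN, so a range is rejected (assumed to mirror the
    CLI's refusal of 'pop ... symmetric' together with a VLAN range)."""
    pops, pushes = rewrite
    restored = []
    for tpid, vids in encap[:pops]:
        if len(vids) != 1:
            raise ValueError("symmetric pop needs a single VLAN, not a range")
        restored.append((tpid, next(iter(vids))))
    return Frame(restored + frame.tags[len(pushes):], frame.payload)


def round_trip(encap_spec, rewrite_spec, tags):
    """Return (tags seen in the bridge domain, tags after symmetric egress)."""
    enc, rw = parse_encap(encap_spec), parse_rewrite(rewrite_spec)
    inside = ingress(enc, rw, Frame(list(tags)))
    return inside.tags, egress(enc, rw, inside).tags


if __name__ == "__main__":
    # The single tag termination, 1-to-1 translation and 2-to-2 translation examples
    for enc, rw, tags in [
        ("dot1q 10", "pop 1 symmetric", [(DOT1Q, 10)]),
        ("dot1q 10", "translate 1-to-1 dot1q 200 symmetric", [(DOT1Q, 10)]),
        ("dot1q 10 second-dot1q 20",
         "translate 2-to-2 dot1q 40 second-dot1q 30 symmetric",
         [(DOT1Q, 10), (DOT1Q, 20)]),
    ]:
        print(enc, "|", rw, "->", round_trip(enc, rw, tags))
```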
Verification
Use these commands to verify operation.
Command
|
Purpose
|
Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
|
Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.
|
Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
|
Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.
|
Router# show ethernet service interface [interface-id] [detail]
|
Displays information in the Port Data Block (PDB).
|
Router# show ethernet service instance summary
|
Displays the overall count for service instance as well as the service instance count for individual interfaces.
|
Backup Interface for Flexible UNI
The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.
You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs are designated as primary and backup and have identical configurations. If the primary interface fails, the service is automatically transferred to the backup interface.
Figure 4-2 shows an example of how Flexible UNIs can be used when the Cisco 7600 series router is configured as a dual-homed N-PE (NPE1) and as a dual-homed U-PE (UPE2).
Figure 4-2 Backup Interface for Dual-Homed Devices
Note
The configurations on the primary and backup interfaces must be identical.
The primary interface is the interface for which you configure a backup. During operation, the primary interface is active and the backup (secondary) interface operates in standby mode. If the primary interface goes down (due to loss of signal), the router begins using the backup interface.
While the primary interface is active (up), the backup interface is in standby mode. If the primary interface goes down, the backup interface transitions to the up state and the router begins using it in place of the primary. When the primary interface comes back up, the backup interface transitions back to standby mode. While in standby mode, the backup interface is effectively down, and the router does not monitor its state or gather statistics for it.
This feature provides the following benefits:
• Supports the following Ethernet virtual circuit (EVC) features:
– Frame matching: EVC with any supported encapsulation (dot1q, default, untagged).
– Frame rewrite: any supported rewrite (ingress and egress with push, pop, and translate).
– Frame forwarding: MultiPoint Bridging over Ethernet (MPBE), xconnect, connect.
– Quality of Service (QoS) on EVC.
• Supports Layer 3 (L3) termination.
• Supports several types of uplinks: MultiProtocol Label Switching (MPLS), Virtual Private LAN Service (VPLS), and switchports.
The Backup Interface for Flexible UNI feature makes use of these Ethernet components:
• Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network. For more information about EVCs, see the "Troubleshooting" section.
• Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface. An EVC that uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of every device that the EVC passes through.
Restriction and Usage Guidelines
Observe these restrictions and usage guidelines as you configure a backup interface for Flexible UNI on the router:
• Hardware and software support:
– Supported on Cisco 7600 Series ES+ and ES20 line cards.
– Supported with the Route Switch Processor 720 and Supervisor Engine 720.
– Requires Cisco IOS Release 12.2(33)SRD or later.
• You can use the same IP address on both the primary and secondary interfaces. This enables the interface to support L3 termination (single or double tagged).
• The configurations on the primary and backup interfaces must match. The router does not check that the configurations match; however, the feature does not work if the configurations are not the same.
Note
If the configuration includes the xconnect command, you must specify a different VCID on the primary and backup interfaces.
• The duplicate resources needed for the primary and secondary interfaces are taken from the total resources available on the router and thus reduce the resources available for other features. For example, each xconnect command consumes resources on both the primary and backup interfaces.
• Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect, and connect commands) transition up or down as the interface itself transitions between states.
• Switchover time between the primary and backup interfaces is best effort. The time it takes the backup interface to transition from standby to active depends on the link-state detection time and the time needed for the EVCs and their features to transition to the up state.
• Configuration changes and administrative actions made on the primary interface are automatically reflected on the backup interface.
• The router monitors and gathers statistics for the active interface only, not the backup. During normal operation the primary interface is active; if the primary goes down, the backup becomes active and the router begins monitoring and gathering statistics for it.
• When the primary interface comes back up, the backup interface always transitions back to standby mode. Once the signal is restored on the primary interface, there is no way to prevent it from being restored as the primary.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/port
4. backup interface type interface
Note
You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the "Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards" section and the "Configuring Any Transport over MPLS" section.
5. (Optional) backup delay enable-delay disable-delay
6. (Optional) backup load enable-percent disable-percent
7. exit
8. (Optional) connect primary interface srv-inst interface srv-inst
9. (Optional) connect backup interface srv-inst interface srv-inst
10. (Optional) connect primary interface srv-inst1 interface srv-inst2
11. (Optional) connect backup interface srv-inst1 interface srv-inst2
12. exit
DETAILED STEPS
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
Router(config)# interface type slot/port
Example:
Router(config)# interface gigabitethernet 3/1
|
Selects the primary interface, that is, the interface for which you are creating a backup. For example, interface gigabitethernet 3/1 selects port 1 of the Gigabit Ethernet card installed in slot 3.
• type specifies the interface type. Valid values are gigabitethernet or tengigabitethernet.
• slot/port specifies the location of the interface.
|
Step 4
|
Router(config-if)# backup interface type interface
Example:
Router(config-if)# backup interface gigabitethernet 4/1
|
Selects the interface that serves as the backup interface.
|
Note You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the "Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards" section and the "Configuring Any Transport over MPLS" section.
|
Step 5
|
Router(config-if)# backup delay enable-delay disable-delay
Example:
Router(config-if)# backup delay 0 0
|
(Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.
• enable-delay is the amount of time to wait after the primary interface goes down before bringing up the backup interface.
• disable-delay is the amount of time to wait after the primary interface comes back up before returning the backup interface to the standby (down) state.
Note For the Backup Interface for Flexible UNI feature, do not change the default delay period (0 0) or the feature may not work correctly.
|
Step 6
|
Router(config-if)# backup load enable-percent disable-percent
Example:
Router(config-if)# backup load 50 10
|
(Optional) Specifies the traffic-load thresholds on the primary interface (as a percentage of its total capacity) at which the backup interface is enabled and disabled.
• enable-percent—Activate the backup interface when the traffic load on the primary exceeds this percentage of its total capacity.
• disable-percent—Deactivate the backup interface when the combined load of the primary and backup falls back to this percentage of the primary interface's capacity.
Applying the settings from the example to a primary interface with a capacity of 10 Mbytes, the router enables the backup interface when the traffic load on the primary exceeds 5 Mbytes (50%), and disables the backup when the combined traffic on both interfaces falls below 1 Mbyte (10%).
|
Step 7
|
exit
Example:
Router(config-if)# exit
|
Exits interface configuration mode and returns to global configuration mode.
|
Step 8
|
Router(config)# connect primary interface srv-inst interface srv-inst
Example:
Router(config)# connect primary gi3/2 gi3/3
|
(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.
The connect primary command creates the connection between primary interfaces.
|
Step 9
|
Router(config)# connect backup interface srv-inst interface srv-inst
Example:
Router(config)# connect backup gi4/2 gi4/2
|
(Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces.
The connect backup command creates the connection between backup interfaces.
|
Step 10
|
Router(config)# connect primary interface srv-inst1 interface srv-inst2
Example:
Router(config)# connect primary gi3/2 gi3/3
|
(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect primary command to create the connection on a primary interface.
|
Step 11
|
Router(config)# connect backup interface srv-inst1 interface srv-inst2
Example:
Router(config)# connect backup gi4/2 gi4/3
|
(Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect backup command to create the connection on a backup interface.
|
Step 12
|
exit
Example:
Router(config-if)# exit
|
Exits interface configuration mode.
|

Note
If you have configured any interface (L3, Switchport, or EVC) using the backup interface command, then you are not supposed to run the shutdown command on the active interface. If you run shutdown, then the standby interface will also go down.
The following example shows a sample configuration in which:
• gi3/1 is the primary interface and gi4/1 is the backup interface.
• Each interface supports two service instances (2 and 4), and each service instance uses a different type of forwarding (bridge-domain and xconnect).
• The xconnect command for service instance 2 uses a different VCID on each interface.
Router# configure terminal
Router(config)# interface gi3/1
Router(config-if)# backup interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 2 encap mpls
Router(config)# interface gi4/1
Router(config-if)# service instance 4 ethernet
Router(config-if-srv)# encapsulation dot1q 4
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 4
Router(config-if-srv)# exit
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 10.0.0.0 5 encap mpls
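Because the router does not check that the primary and backup interfaces carry the same configuration (only the xconnect VCID is expected to differ), a parity check over a saved running-config catches drift before a failover exposes it. This is an added example, not Cisco tooling: the parser, the check, and the constructed sample config (the gi3/1 and gi4/1 configuration above in running-config form, with encap spelled out) are this example's own.

```python
"""Offline parity check for a 'backup interface' pair. The router does not verify
that the primary and backup interfaces carry the same EVC configuration, so this
compares their service instances from a saved running-config. Added example, not
Cisco tooling: the parser, the check and the sample config are this example's own."""
import re

# Constructed sample in running-config form: the gi3/1 (primary) and gi4/1
# (backup) configuration from this section, with 'encap' spelled out.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/1
 backup interface GigabitEthernet4/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 2 encapsulation mpls
!
interface GigabitEthernet4/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 5 encapsulation mpls
"""

XCONNECT = re.compile(r"^xconnect\s+(\S+)\s+(\d+)\s+(.*)$")  # peer, VCID, rest


def parse_interfaces(text):
    """Return {ifname: {"backup": name or None, "efps": {efp_id: [lines]}}}."""
    ifaces, cur, efp = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):          # top level: a new interface block
            cur = ifaces.setdefault(line.split(None, 1)[1], {"backup": None, "efps": {}})
            efp = None
        elif cur is None:
            continue                              # config outside any interface
        elif line.startswith("backup interface "):
            cur["backup"] = line.split(None, 2)[2]
        elif line.startswith("service instance "):
            efp = cur["efps"].setdefault(line.split()[2], [])
        elif efp is not None:
            efp.append(line)                      # config under the current EFP
    return ifaces


def _normalise(lines):
    """Mask the xconnect VCID, which must differ between the pair; collect VCIDs."""
    norm, vcids = set(), []
    for line in lines:
        m = XCONNECT.match(line)
        if m:
            vcids.append(m.group(2))
            line = f"xconnect {m.group(1)} <VCID> {m.group(3)}"
        norm.add(line)
    return norm, vcids


def check_pair(primary, backup):
    """List every difference between the two interfaces' service instances,
    apart from the xconnect VCID, which instead must not be reused."""
    problems = []
    for efp_id in sorted(set(primary["efps"]) | set(backup["efps"]), key=int):
        p, b = primary["efps"].get(efp_id), backup["efps"].get(efp_id)
        if p is None or b is None:
            side = "backup" if p is None else "primary"
            problems.append(f"service instance {efp_id} exists only on the {side}")
            continue
        pn, pv = _normalise(p)
        bn, bv = _normalise(b)
        for line in sorted(pn ^ bn):
            side = "primary" if line in pn else "backup"
            problems.append(f"service instance {efp_id}: '{line}' only on the {side}")
        if pv and pv == bv:
            problems.append(f"service instance {efp_id}: xconnect VCID {pv[0]} is reused; "
                            "primary and backup need different VCIDs")
    return problems


def check_config(text):
    """Run the parity check for every interface that names a backup interface."""
    ifaces = parse_interfaces(text)
    report = {}
    for name, data in ifaces.items():
        if not data["backup"]:
            continue
        if data["backup"] not in ifaces:
            report[name] = [f"backup interface {data['backup']} not in config"]
        else:
            report[name] = check_pair(data, ifaces[data["backup"]])
    return report
```

Run check_config over the output of show running-config; an empty problem list for a primary interface means its backup mirrors it line for line, VCID aside.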
Verification
This section lists the commands to display information about the primary and backup interfaces configured on the router. In the examples that follow, the primary interface is gi3/1 and the secondary (backup) interface is gi3/11.
• To display a list of backup interfaces, use the show backup command in privileged EXEC mode. Our sample output shows a single backup (secondary) interface:
Router# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet 3/1 GigabitEthernet 3/11 normal operation
• To display information about a primary or backup interface, use the show interfaces command in privileged EXEC mode. Issue the command on the interface for which you want to display information. The following examples show the output displayed when the command is issued on the primary (gi3/1) and backup (gi3/11) interfaces:
Router# show interface gi3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet 3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
Router# show interface gi3/11
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)
If the primary interface goes down, the backup (secondary) interface transitions to the up state, as shown in the command output that follows. Notice how the output changes if you reissue the show backup and show interfaces commands at this time: the show backup status changes, the line protocol for gi3/1 is now down (notconnect), and the line protocol for gi3/11 is now up (connected).
Router# !!! Link gi3/1 (active) goes down...
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up
Router# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/1 GigabitEthernet3/11 backup mode
Router# show interface gi3/1
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec,
Router# show interface gi3/11
GigabitEthernet3/11 is up, line protocol is up (connected)
Example
Figure 4-3 shows a sample configuration of a backup interface for Flexible UNI. The configuration includes several EVCs (service instances), configured as follows:
• Service instance 4 is configured on primary and backup interfaces (links) that terminate in a bridge domain, with a VPLS uplink onto network provider edge NPE12.
• Service instance 2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS on NPE12.
Figure 4-3 Backup Interface for Flexible UNI Configuration
This is the configuration at NPE10:
description npe10 to npe11 gi3/11 - backup - bridged
ip address 100.4.1.33 255.255.255.0
description npe10 to npe11 gi3/11 - backup - xconnect
ip address 100.2.1.33 255.255.255.0
This is the configuration at NPE14:
description npe14 to npe11 gi3/1 - primary - bridged
ip address 100.4.1.22 255.255.255.0
description npe14 to npe11 gi3/1 - primary - xconnect
ip address 100.2.1.22 255.255.255.0
This is the configuration at 72a, at the user-facing provider edge (U-PE):
description 72a to npe12 - bridged
ip address 100.4.1.12 255.255.255.0
description 72a to npe12 - xconnect
ip address 100.2.1.12 255.255.255.0
This is the configuration at NPE11:
interface gigabitEthernet 3/1
backup interface gigabitEthernet 3/11
service instance 2 ethernet
rewrite ingress tag pop 1 symmetric
xconnect 12.0.0.1 2 encapsulation mpls
service instance 4 ethernet
rewrite ingress tag pop 1 symmetric
interface gigabitEthernet 3/11
service instance 2 ethernet
rewrite ingress tag pop 1 symmetric
xconnect 12.0.0.1 21 encapsulation mpls
service instance 4 ethernet
rewrite ingress tag pop 1 symmetric
This is the configuration at NPE12:
description npe11 to npe12
ip address 10.3.3.1 255.255.255.0
neighbor 12.0.0.1 4 encapsulation mpls
neighbor 11.0.0.1 4 encap mpls
description npe12 to npe11 xconnect
neighbor 11.0.0.1 2 encap mpls
neighbor 11.0.0.1 21 encap mpls
description npe12 to npe11
ip address 10.3.3.2 255.255.255.0
interface fastEthernet 8/2
switchport trunk encap dot1q
switchport trunk allowed vlan 2-4
The primary interface is enabled:
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/1 GigabitEthernet3/11 normal operation
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
NPE-11# show interface gi3/11
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)
The primary link is disabled:
NPE-11# !!! Link gi3/1 (active) goes down
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11, changed state to up
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/1 GigabitEthernet3/11 backup mode
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec
GigabitEthernet3/11 is up, line protocol is up (connected)
Troubleshooting
Table 4-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.
Table 4-5 Troubleshooting Scenarios for backup interface of the Flexible UNI feature
Problem
|
Solution
|
The backup interface is in a standby state or the line protocol is down
|
Use the show interfaces command on the specific interface in privileged EXEC mode to display interface and line protocol details. Share the output with TAC for further investigation.
This sample output is displayed when the command is issued on the primary (gi3/0/0) and backup (gi3/0/11) interfaces:
NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
[...]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)
|
EVC On Port-Channel
An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see Configuring EtherChannels at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types.
Load balancing is accomplished on an Ethernet flow point (EFP) basis, where a number of EFPs exclusively pass traffic through member links. With default load balancing, you have no control over how the EFPs are grouped together, and sometimes the EFP grouping may not be ideal. To avoid this, use manual load balancing to control the EFP grouping.
Restrictions and Usage Guidelines
When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
• All member links of the port-channel are on Cisco 7600-ES+ line cards.
• Bridge-domain, xconnect, connect EVCs, switchports, and IP subinterfaces are allowed over the port-channel interface and the main interface.
• The EFP limit decreases with the number of member links on the NP. For instance, if there are 4 members within the same NP, the EVC limit on the NP decreases to 2000, that is, 8000/4.
Note For a switchport (not for data traffic), use the service instance ethernet command to create a service instance to support OAM requirements.
• If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.
• A physical port that is part of an EVC port-channel cannot have switchport configuration.
• The total number of port-channel EVCs per chassis is 16000.
• Statically configuring port-channel membership with LACP is not supported.
• You can apply QoS policies under EVCs on a port-channel, with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS.
• You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policy-maps or in the parent of HQoS policy-maps.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel number
4. [no] ip address
5. [no] service instance id Ethernet [service-name]
6. encapsulation {default | untagged | dot1q vlan-id [second-dot1q vlan-id]}
7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
8. [no] bridge-domain bridge-id or xconnect vfi vfi-name
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface port-channel number
Example: Router(config)# interface port-channel 11
Purpose: Creates the port-channel interface.
Step 4
Command: [no] ip address
Example: Router(config-if)# no ip address
Purpose: Assigns a subnet mask to the EtherChannel.
Step 5
Command: [no] service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.
Step 6
Command: encapsulation {default | untagged | dot1q vlan-id [second-dot1q vlan-id]}
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 7
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Purpose: Specifies the tag manipulation to be performed on the frame at ingress to the service instance.
Step 8
Command: [no] bridge-domain bridge-id or xconnect vfi vfi-name
Example: Router(config-if-srv)# bridge-domain 12
Purpose: The bridge-domain command binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance. The xconnect command specifies the Layer 2 VFI that you are binding to the VLAN port.
Examples
In this example, a single port-channel interface is created with three possible member links from slots 1 and 2:
Router# configure terminal
Router(config)# interface Port-channel5
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# channel-group 5 mode on
This example shows a scalable EoMPLS and EVC local connect configuration.
Router# configure terminal
Router(config)# interface GigabitEthernet 3/0/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 1 sym
Router(config-if-srv)# exit
Router(config)# interface GigabitEthernet 3/0/1
Router(config-if)# service instance 12 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 sym
Router(config-if-srv)# exit
Router(config)# connect TEST GigabitEthernet 3/0/0 10 GigabitEthernet 3/0/1 12
ID Name Segment 1 Segment 2 State
================================================================================
57 TEST Gi3/0/0:10 Gi3/0/1:12 UP
This is a typical QoS configuration.
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500
Use the following commands to verify the configuration.
Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.
Command: Router# show ethernet service instance interface port-channel number [summary]
Purpose: Displays a summary of all the configured EVCs within the interface.
Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface.
Command: Router# show mpls l2transport vc detail
Purpose: Displays detailed information related to the virtual connection (VC).
Command: Router# show mpls forwarding-table
Purpose: Displays the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB). Note The output should have the label entry l2ckt.
Command: Router# show etherchannel summary
Purpose: Displays the state of all EtherChannel groups and ports.
Command: Router# show policy-map interface service instance
Purpose: Displays the policy-map information for a given service instance.
Troubleshooting
Table 4-6 provides the troubleshooting solutions for EVC on a Port-Channel.
Table 4-6 Troubleshooting Scenarios for EVC on a Port-Channel
Problem: Port data block issues in the port channel.
Solution: Use the show ethernet service interface [interface-id] [detail] command to view information on the port data. Share the output with TAC for further investigation.
Problem: Issues with platform events or errors.
Solution: Use the debug platform npc custom-ether client [event, error] command to debug and trace platform issues. Share the output with TAC for further investigation.
Configuring SPAN on EVC
Currently, traffic mirroring, lawful intercept, or Switched Port Analyzer (SPAN) on a per-service-instance basis is unavailable.
The existing command line interface supports configuring an interface and a VLAN as the local SPAN source. The same command line interface is enhanced to accept service instance IDs along with the interface. Since EVC is supported only for the local SPAN session, the service instance options for the SPAN source are added in the local SPAN configuration submode.
You can configure SPAN to intercept traffic in three ways:
• SPAN on Port: The traffic on all EVCs on the port or port channel is included in a SPAN session, along with routed traffic on that port.
• SPAN on VLAN: The traffic on all EVC bridge-domains with the same VLAN is included in a SPAN session, along with other switchports on the same VLAN.
• SPAN on EVC: The traffic on a given EFP or a set of EFPs is included in a SPAN session.
Restrictions and Usage Guidelines
When configuring SPAN on EVC, follow these restrictions and usage guidelines:
• Only Local SPAN is supported.
• EVC SPAN is effective only if the EVC is on the ES+ line card.
• EVC as a SPAN destination is not supported.
• Egress SPAN packets do not undergo QoS processing.
• If a combination of switchports and an EVC bridge-domain exists, then in the flood case the packet on both is spanned. VLAN and SPAN are configured in the transmit direction on the source port.
• If a combination of different EVC bridge-domains exists, then in the flood case the packet on all the EVCs is spanned. VLAN and SPAN are configured in the transmit direction on the source port.
• EVC SPAN does not work with multiple destination ports.
• For EVCs configured as part of more than one SPAN session (EVC, VLAN, or port), traffic is monitored on only one session.
• EFPs and a VLAN cannot be configured as sources in the same monitor session.
• For a 10G port, the aggregate of ingress traffic and SPAN traffic cannot exceed 10G.
• For a 10G port with a port-shaper, the aggregate of port traffic and SPAN traffic cannot exceed the port-shaper.
• For a 1G port, the total SPAN traffic can be as high as 10G, but due to network processor limitations and the fabric bottleneck, the net traffic can be reduced.
Configuring SPAN on EVC
Complete the following steps to configure SPAN on EVC.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel number
4. [no] ip address
5. [no] service instance id Ethernet [service-name]
6. encapsulation {default | untagged | dot1q vlan-id [second-dot1q vlan-id]}
7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
8. exit
9. monitor session local_span_session_number type [local | local-tx]
10. source {interface | service instance | vlan} {GigabitEthernet | Port-channel | TenGigabitEthernet} [rx | tx | both]
11. destination interface {GigabitEthernet | Port-channel | TenGigabitEthernet}
12. [no] shutdown
13. end
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface port-channel number
Purpose: Creates the port-channel interface.
Step 4
Command: [no] ip address
Purpose: Assigns a subnet mask to the EtherChannel.
Step 5
Command: [no] service instance id Ethernet [service-name]
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and sets the device to the ethernet service configuration submode.
Step 6
Command: encapsulation {default | untagged | dot1q vlan-id [second-dot1q vlan-id]}
Purpose: Defines the matching criteria to map ingress dot1q frames on an interface to the appropriate service instance.
Step 7
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
Purpose: Specifies the tag manipulation on the frame at ingress to the service instance.
Step 8
Command: exit
Purpose: Exits to global configuration mode.
Step 9
Command: monitor session local_span_session_number type [local | local-tx]
Purpose: Configures a monitor session using a SPAN session number and enters the SPAN session configuration mode.
Step 10
Command: source {interface | service instance | vlan} {GigabitEthernet | Port-channel | TenGigabitEthernet} [rx | tx | both]
Purpose: Associates the SPAN session number with source ports, VLANs, or EVCs, and selects the traffic direction to be monitored.
Step 11
Command: destination interface {GigabitEthernet | Port-channel | TenGigabitEthernet}
Purpose: Associates the SPAN session number with the destinations.
Step 12
Command: no shutdown
Purpose: Activates the SPAN session.
Step 13
Command: end
Purpose: Exits configuration mode.
Sample Configuration
This is an example for configuring SPAN on EVC.
Router# configure terminal
Router(config)# interface port-channel 11
Router(config-if)# no ip address
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 13
Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Router(config-if-srv)# exit
Router(config)# monitor session 1 type local
Router(config-mon-local)# source service instance 2 - 100 Port-channel 1 both
Router(config-mon-local)# destination interface Port-channel 3
Router(config-mon-local)# no shut
Router(config-mon-local)# end
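As an added example (not Cisco's code or output), the following Python script reads the session text shown by show run | section monitor and reports the restrictions above that can be checked from the configuration alone: EFP and VLAN sources mixed in one session, more than one destination port with an EVC source, and an EFP sourced by more than one session. It serves both the restriction list and the configuration procedure above; the sample sessions, the parser and the finding texts are constructed for this example.

```python
"""Added example (not Cisco's code): lint the sessions shown by
'show run | section monitor' against the SPAN-on-EVC restrictions.
The sample sessions below are constructed for this example."""
import re

LONG_NAME = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet", "Po": "Port-channel"}
IFACE = r"([A-Za-z-]+\s*\d[\d/.]*)"  # e.g. Po3, Gi3/5, Port-channel 1


def canon(iface):
    """Expand abbreviations so 'Po1', 'Port-channel 1' and 'Port-channel1' compare equal."""
    m = re.match(r"([A-Za-z-]+)\s*(\d[\d/.]*)$", iface)
    if not m:
        return iface
    kind, num = m.groups()
    return LONG_NAME.get(kind, kind) + num


def parse_sessions(text):
    """Return {session: {"type": str, "efp": [(iface, lo, hi)], "vlan": [ids], "dest": [ifaces]}}."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"monitor session (\d+) type (\S+)", line)
        if m:
            cur = {"type": m.group(2), "efp": [], "vlan": [], "dest": []}
            sessions[int(m.group(1))] = cur
            continue
        if cur is None:
            continue
        m = re.match(r"source service instance (\d+)(?:\s*-\s*(\d+))?\s+" + IFACE, line)
        if m:
            lo, hi, iface = m.groups()
            cur["efp"].append((canon(iface), int(lo), int(hi or lo)))
            continue
        if line.startswith("source vlan "):
            cur["vlan"].append(line.split()[2])
        m = re.match(r"destination interface " + IFACE, line)
        if m:
            cur["dest"].append(canon(m.group(1)))
    return sessions


def lint_span_on_evc(text):
    """Return one finding per violated restriction (empty list when clean)."""
    findings = []
    owner = {}  # (iface, efp id) -> first local session that sources it
    for num, s in sorted(parse_sessions(text).items()):
        if s["type"] not in ("local", "local-tx"):
            continue  # only local SPAN is supported with EFP sources
        # EFPs and a VLAN cannot be sources in the same monitor session.
        if s["efp"] and s["vlan"]:
            findings.append(f"session {num}: EFP and VLAN sources in the same session")
        # EVC SPAN does not work with multiple destination ports.
        if s["efp"] and len(s["dest"]) > 1:
            findings.append(f"session {num}: EVC SPAN with {len(s['dest'])} destination ports")
        # An EFP in more than one session is monitored by only one of them.
        for iface, lo, hi in s["efp"]:
            for efp in range(lo, hi + 1):
                first = owner.setdefault((iface, efp), num)
                if first != num:
                    findings.append(f"{iface} EFP {efp}: also in session {first}, "
                                    f"only one session will monitor it")
                    break
    return findings


# Constructed sample: session 1 is clean, session 2 breaks three restrictions.
SAMPLE = """\
monitor session 1 type local
 source service instance 2 - 100 Port-channel1 both
 destination interface Po3
monitor session 2 type local
 source vlan 13 rx
 source service instance 50 Port-channel 1 both
 destination interface Gi3/5
 destination interface Gi3/6
"""

if __name__ == "__main__":
    for finding in lint_span_on_evc(SAMPLE):
        print(finding)
```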
Verifying SPAN on EVC
This section provides the commands to verify the SPAN configuration.
Router# show monitor session 1
Router# show run | section monitor
monitor session 1 type local
source service instance 2 - 100 Port-channel1
destination interface Po3
Troubleshooting
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Information About ERSPAN on EVC
Cisco 7600 routers support the Encapsulated Remote Switched Port Analyzer (ERSPAN) feature on a per-service-instance basis. The Ethernet Virtual Circuit (EVC) infrastructure supports remote monitoring and troubleshooting on a per-service-instance basis. ERSPAN on EVC is supported on ES+ line cards.
Interception of traffic on EVC can be configured in the following ways:
• ERSPAN on Port: The configuration includes traffic on EVCs, switchports, and routed traffic on the port.
• ERSPAN on VLAN: The configuration includes traffic on all EVC BDs in the box (on a port or port channel) with the same VLAN for a SPAN session, along with other switchports on the same VLAN.
• ERSPAN on EVC: The configuration includes traffic on a given EFP or a set of EFPs (on a port or port channel) for a SPAN session.
SPAN, sometimes called port mirroring or port monitoring, allows network traffic to be analyzed by a network analyzer such as a Cisco Switch Probe or other Remote Monitoring (RMON) probes. SPAN lets you monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports where the network analyzer is attached.
ERSPAN monitors traffic on multiple network devices across an IP network, and sends that traffic in an encapsulated envelope to destination analyzers. ERSPAN can be used to monitor traffic remotely.
ERSPAN monitors ingress, egress, or both kinds of network traffic. Encapsulated ERSPAN packets are routed from a host through the routed network to the destination device where they are decapsulated and forwarded to the attached network analyzer. The destination may also be on the same Layer 2 or Layer 3 network as the source.
ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE encapsulated traffic, and an ERSPAN destination session.
EVCs define a Layer 2 bridging architecture that supports Ethernet services. EVC supports service convergence over Ethernet. An EVC is a conceptual service pipe within a service provider network. Metro-Ethernet Forum (MEF) defines EVC as an association between two or more user network interfaces that identifies a point-to-point or multipoint-to-multipoint path within the service provider network.
EVC is the device local object (container) for network-wide service parameters and provides one-to-many mapping from EVC to Service Instance. Its support extends to a mix of Layer 2 and Layer 3 services on the same physical port.
EVC allows routers to reach multiple intranet and extranet locations from a single physical port. Routers see subinterfaces through which they access other routers.
Bridge Domain (BD) is the Ethernet Broadcast Domain local to a device. It exists separately from VLANs. BD provides a one-to-many mapping from BD to service instances.
An Ethernet service instance is a transport-agnostic abstraction of an Ethernet service on an interface. A service instance classifies frames belonging to a particular Ethernet service. It applies features selectively to service frames, and defines forwarding actions and behavior.
Restrictions for ERSPAN on EVC Configuration
• EVC ERSPAN is effective only if the EVC is on an ES+ line card.
• EVC is not supported as an ERSPAN destination.
• Egress ERSPAN packets do not undergo QoS processing.
• For egress SPAN configurations with a VLAN as the source, where the VLAN is also part of a BD and a switchport on the router, all traffic that goes on the VLAN is replicated and spanned.
• Many service instances having the same BD result in a mix of BDs. In such situations, for egress SPAN configurations with a VLAN as the source, selection and spanning are random: not all EVCs are spanned; single EVCs are randomly selected and spanned.
• Existing implementations do not allow the SPAN source to be both an interface and a VLAN. The same restriction applies to EFP configurations: if the SPAN source is a VLAN, then an interface or an EFP cannot also be the source.
• Encapsulation requires a dedicated tunnel. When egress monitored traffic moves out of the tunnel interface to the remote router, it allows no other traffic on the router.
Configuring the Source Session for ERSPAN on EVC
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: rtr1# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: monitor session session-number type erspan-source
Example: rtr1(config)#monitor session 1 type erspan-source
Purpose: Configures an ERSPAN source session number and enters the ERSPAN source session configuration mode for the session.
Step 4
Command: source service instance range-of-EFPs source-interface
Example: rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1
Purpose: Configures the service instance range and specifies the sub-interface with slot and port number. Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the service instance submode.
Step 5
Command: no shutdown
Example: rtr1(config-mon-erspan-src)#no shutdown
Purpose: Enables the ERSPAN session and saves it in the running configuration. By default, the session is created in the shut state.
Step 6
Command: destination
Example: rtr1(config-mon-erspan-src)#destination
Purpose: Enters the ERSPAN source session destination configuration mode and associates the SPAN session number with the destination.
Step 7
Command: ip address ip-address
Example: rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
Purpose: Configures the ERSPAN flow destination IP address, which must also be configured on an interface on the destination router and entered in the ERSPAN destination session configuration.
Step 8
Command: origin ip address ip-address
Example: rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
Purpose: Configures the Layer 3 source address of the encapsulated packets.
Step 9
Command: erspan-id erspan-identifier
Example: rtr1(config-mon-erspan-src-dst)#erspan-id 100
Purpose: Adds an ERSPAN ID to the session configuration. Configures the ID number used by the source and the destination sessions to identify the ERSPAN traffic. This number is unique and within the permitted limits. It is identical for the source and the destination.
Step 10
Command: end
Example: rtr1(config-mon-erspan-src-dst)#end
Purpose: Exits configuration mode.
Configuration Examples for ERSPAN on EVC Source Session
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
Note If the configuration excludes TX or RX, ERSPAN monitors both ingress and egress traffic.
The following examples configure an ERSPAN source session for egress (TX) and for ingress (RX) traffic:
ERSPAN on EVC (tx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1 TX
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
ERSPAN on EVC (rx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 GigabitEthernet9/1 RX
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
The following examples show ERSPAN on port-channel configurations:
ERSPAN on Port-channel
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
ERSPAN on Port-channel (tx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1 tx
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
ERSPAN on Port-channel (rx)
rtr1(config)#monitor session 1 type erspan-source
rtr1(config-mon-erspan-src)#source service instance 1 - 12 port-channel 1 rx
rtr1(config-mon-erspan-src)#no shutdown
rtr1(config-mon-erspan-src)#destination
rtr1(config-mon-erspan-src-dst)#ip address 40.40.40.2
rtr1(config-mon-erspan-src-dst)#origin ip address 10.10.10.10
rtr1(config-mon-erspan-src-dst)#erspan-id 100
rtr1(config-mon-erspan-src-dst)#end
Configuring the Destination Session for ERSPAN on EVC
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: rtr3# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: monitor session session-number type erspan-destination
Example: rtr3(config)#monitor session 1 type erspan-destination
Purpose: Configures an ERSPAN destination session number and enters the ERSPAN destination session configuration mode for the session.
Step 4
Command: destination interface interface slot/port
Example: rtr3(config-mon-erspan-dst)#destination interface GigabitEthernet7/19
Purpose: Enters the ERSPAN destination session destination configuration mode, associates the SPAN session number with the destination, and specifies the sub-interface with slot and port number.
Step 5
Command: no shutdown
Example: rtr3(config-mon-erspan-dst)#no shutdown
Purpose: Enables the ERSPAN session and saves it in the running configuration. By default, the session is created in the shut state.
Step 6
Command: source
Example: rtr3(config-mon-erspan-dst)#source
Purpose: Enters the ERSPAN destination session source configuration mode.
Step 7
Command: ip address ip-address
Example: rtr3(config-mon-erspan-dst-src)#ip address 40.40.40.2
Purpose: Configures the ERSPAN flow destination IP address, which must also be configured on an interface on the destination router and entered in the ERSPAN destination session configuration.
Step 8
Command: erspan-id erspan-identifier
Example: rtr3(config-mon-erspan-dst-src)#erspan-id 100
Purpose: Adds an ERSPAN ID to the session configuration. Configures the ID number used by the source and destination sessions to identify the ERSPAN traffic. This number is unique and within the prescribed limits. It is identical for the source and the destination.
Step 9
Command: end
Example: rtr3(config-mon-erspan-dst-src)#end
Purpose: Exits configuration mode.
ERSPAN on EVC: Destination Session Configuration Example
rtr3(config)#monitor session 1 type erspan-destination
rtr3(config-mon-erspan-dst)#destination interface GigabitEthernet7/19
rtr3(config-mon-erspan-dst)#no shutdown
rtr3(config-mon-erspan-dst)#source
rtr3(config-mon-erspan-dst-src)#ip address 40.40.40.2
rtr3(config-mon-erspan-dst-src)#erspan-id 100
rtr3(config-mon-erspan-dst-src)#end
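The source and destination sessions above only work as a pair when the erspan-id and the flow destination IP address match at both ends and neither session is left in its default shut state. As an added example (not Cisco's code), the following Python script parses the two routers' session configurations and reports any mismatch; the two config excerpts, the parser and the finding texts are constructed for this example, in the form of the commands shown in the procedures.

```python
"""Added example (not Cisco's code): check that an ERSPAN source session on the
source router and the destination session on the destination router agree on
erspan-id and destination IP and are both enabled. Excerpts are constructed."""
import re

PARAM = re.compile(r"(origin ip address|ip address|erspan-id) (\S+)$")


def parse_erspan(text):
    """Return {session: {type, shut, efp, dst_if, params}} for ERSPAN sessions only."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"monitor session (\d+) type (\S+)", line)
        if m:
            cur = None
            if m.group(2) in ("erspan-source", "erspan-destination"):  # skip local SPAN
                cur = {"type": m.group(2), "shut": True,  # created shut by default
                       "efp": [], "dst_if": [], "params": {}}
                sessions[int(m.group(1))] = cur
        elif cur is None or not line:
            continue
        elif line == "no shutdown":
            cur["shut"] = False
        elif line.startswith("source service instance "):
            cur["efp"].append(line.split(None, 3)[3])
        elif line.startswith("destination interface "):
            cur["dst_if"].append(line.split(None, 2)[2])
        elif PARAM.match(line):
            # typed in the 'destination' submode (source router) or 'source' submode (destination router)
            key, value = PARAM.match(line).groups()
            cur["params"][key] = value
    return sessions


def check_erspan_pair(source_cfg, dest_cfg):
    """Pair each erspan-source session with the erspan-destination session carrying the same erspan-id."""
    src = {n: s for n, s in parse_erspan(source_cfg).items() if s["type"] == "erspan-source"}
    dst = [s for s in parse_erspan(dest_cfg).values() if s["type"] == "erspan-destination"]
    by_id = {s["params"]["erspan-id"]: s for s in dst if "erspan-id" in s["params"]}
    findings = []
    for n, s in sorted(src.items()):
        p = s["params"]
        for key in ("ip address", "origin ip address", "erspan-id"):
            if key not in p:
                findings.append(f"source session {n}: missing {key}")
        if s["shut"]:
            findings.append(f"source session {n}: session is shut")
        sid = p.get("erspan-id")
        peer = by_id.get(sid)
        if peer is None:
            findings.append(f"source session {n}: no destination session with erspan-id {sid}")
            continue
        # Both ends must name the same ERSPAN flow destination IP address.
        if peer["params"].get("ip address") != p.get("ip address"):
            findings.append(f"erspan-id {sid}: destination IP {p.get('ip address')} on the "
                            f"source vs {peer['params'].get('ip address')} on the destination")
        if peer["shut"] or not peer["dst_if"]:
            findings.append(f"erspan-id {sid}: destination session is shut or has no interface")
    return findings


# Constructed excerpts: session 1 is consistent at both ends, session 2 is not.
SRC_CFG = """\
monitor session 1 type erspan-source
 source service instance 1 - 12 GigabitEthernet9/1
 no shutdown
 destination
  ip address 40.40.40.2
  origin ip address 10.10.10.10
  erspan-id 100
monitor session 2 type erspan-source
 source service instance 20 GigabitEthernet9/2 rx
 no shutdown
 destination
  ip address 40.40.40.2
  erspan-id 200
"""
DST_CFG = """\
monitor session 1 type erspan-destination
 destination interface GigabitEthernet7/19
 no shutdown
 source
  ip address 40.40.40.2
  erspan-id 100
monitor session 2 type erspan-destination
 destination interface GigabitEthernet7/20
 source
  ip address 40.40.40.3
  erspan-id 200
"""

if __name__ == "__main__":
    for finding in check_erspan_pair(SRC_CFG, DST_CFG):
        print(finding)
```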
Verification of ERSPAN on EVC Configuration
Use the following command to verify the ERSPAN on EVC configurations:
show monitor session all
Verification Example for ERSPAN on EVC
rtr1#show monitor session all
Type : ERSPAN Destination Session
Source IP Address : 1.1.1.1
LACP Support for EVC Port Channel
An Ethernet link bundle or port-channel is an aggregation of up to eight physical Ethernet links to form a single logical link for L2/L3 forwarding. Bundled Ethernet ports are used to increase the capacity of the logical link and provide high availability and redundancy. The EVC EtherChannel feature provides support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3 LAN ports, see "Configuring EtherChannels" at http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types. IEEE 802.3ad/Link Aggregation Control Protocol (LACP) provides an association of port-channels. The LACP support for EVC Port Channel feature supports service instances over bundled Ethernet links.
Ethernet flow points (EFPs) are configured under a port-channel. The traffic, carried by the EFPs, is load-balanced across member links. EFPs under a port-channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for an EFP uses only one of the member links. Load balancing is achieved by grouping EFPs and assigning them to a member link.
The scalability for a link-bundling EVC is 16000 per chassis. Port Channel EVC scalability for ES+ line cards is dependent on the same factors as EVCs configured under physical interfaces, with the number of member links and their distribution across the NPU as an additional parameter. EVC port-channel QoS leverages EVC QoS infrastructure. For more information on the scalable values, see Restrictions and Usage Guidelines.
Restrictions and Usage Guidelines
When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
• All member links of the port-channel are on Cisco 7600-ES+ line cards.
• Only bridge-domain, xconnect, connect EVCs, and IP subinterfaces are allowed over the port-channel interface. You cannot apply a switchport and an EVC configuration under the same port-channel interface.
• If you configure a physical port as part of a channel group, you cannot configure EVCs under that physical port.
• A physical port that is part of an EVC port-channel cannot have switchport configuration.
• You can apply QoS policies under EVCs on a port-channel, with the exception that ingress microflow policing is not supported. For more information on configuring QoS with EVCs, see Configuring QoS.
• You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat policy-maps or in the parent of HQoS policy-maps.
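As an added example (not Cisco's code), the following Python script checks a running-config excerpt against the guidelines that can be read off the configuration, both the list here and the same rules in the EVC On Port-Channel section above: no service instance or switchport on a channel-group member, no static (mode on) membership together with LACP, and the 8000/members EVC budget per NP. The sample config, the port-to-NP mapping (the page gives no command for it), and the assumption that a port-channel's EFPs count against every NP hosting one of its members are constructed for this example.

```python
"""Added example (not Cisco's code): lint an IOS running-config excerpt against
the EVC port-channel guidelines. Sample config and NP mapping are constructed."""
import re
from collections import defaultdict

EVC_PER_NP = 8000    # per-NP EVC limit from the guidelines, divided by member count
EVC_PER_BOX = 16000  # total port-channel EVCs per chassis from the guidelines


def parse_interfaces(config):
    """Return {interface name: [stripped sub-lines]} from running-config text."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return ifaces


def lint_evc_port_channels(config, np_of_port):
    """Return (findings, budget); np_of_port maps a physical port to its NP
    (assumed, supplied by the caller) and budget[po][np] = 8000 // members on that NP."""
    ifaces = parse_interfaces(config)
    findings = []
    members = defaultdict(list)  # channel-group number -> member ports
    for name, lines in ifaces.items():
        for line in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if not m:
                continue
            group, mode = m.groups()
            members[group].append(name)
            # A port in a channel group cannot carry EVCs or switchport config.
            if any(l.startswith("service instance") for l in lines):
                findings.append(f"{name}: service instance on a channel-group member")
            if any(l.startswith("switchport") for l in lines):
                findings.append(f"{name}: switchport config on a channel-group member")
            # Static membership (mode on) together with LACP is not supported.
            if mode == "on" and "channel-protocol lacp" in lines:
                findings.append(f"{name}: channel-group mode on with channel-protocol lacp")

    budget, total_efps = {}, 0
    for name, lines in ifaces.items():
        m = re.match(r"[Pp]ort-channel(\d+)$", name)
        if not m:
            continue
        efps = sum(1 for l in lines if l.startswith("service instance"))
        total_efps += efps
        # Assumption: the port-channel's EFPs count against every NP that hosts
        # one of its members, at the reduced limit 8000 // members on that NP.
        per_np = defaultdict(int)
        for port in members.get(m.group(1), []):
            per_np[np_of_port.get(port, "unknown-np")] += 1
        budget[name] = {np: EVC_PER_NP // n for np, n in per_np.items()}
        for np, limit in budget[name].items():
            if efps > limit:
                findings.append(f"{name}: {efps} EFPs exceed the {limit} allowed on {np}")
    if total_efps > EVC_PER_BOX:
        findings.append(f"{total_efps} port-channel EFPs exceed the chassis limit {EVC_PER_BOX}")
    return findings, budget


# Constructed sample: Po5 with three members; Gi1/3 mixes 'mode on' with LACP
# and Gi2/1 carries an EFP although it is a channel-group member.
SAMPLE_CONFIG = """\
interface Port-channel5
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 350
  bridge-domain 350
 service instance 2 ethernet
  encapsulation dot1q 400
  bridge-domain 350
!
interface GigabitEthernet1/1
 channel-protocol lacp
 channel-group 5 mode active
!
interface GigabitEthernet1/3
 channel-protocol lacp
 channel-group 5 mode on
!
interface GigabitEthernet2/1
 channel-group 5 mode active
 service instance 7 ethernet
  encapsulation dot1q 20
"""
SAMPLE_NP = {"GigabitEthernet1/1": "np1", "GigabitEthernet1/3": "np1",
             "GigabitEthernet2/1": "np2"}

if __name__ == "__main__":
    for finding in lint_evc_port_channels(SAMPLE_CONFIG, SAMPLE_NP)[0]:
        print(finding)
```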
SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel
4. [no] ip address
5. service instance id Ethernet [service-name]
6. encapsulation dot1q vlan-id
7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
8. [no] bridge-domain bridge-id
9. interface gigabitethernet slot/port
10. channel-protocol {lacp | pagp}
11. channel-group channel-group-number mode {active | on | passive}
Note The channel-group command options are applicable when configuring a port-channel over EVC, and the options active/passive are applicable when configuring a port-channel over EVC with LACP.
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface port-channel number
Example: Router(config)# interface port-channel 12
Purpose: Creates the port-channel interface.
Step 4
Command: [no] ip address
Example: Router(config-if)# no ip address
Purpose: Assigns a subnet mask to the EtherChannel.
Step 5
Command: [no] service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
Step 6
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 7
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Purpose: Specifies the tag manipulation to be performed on the frame at ingress to the service instance.
Step 8
Command: [no] bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance.
Step 9
Command: interface gigabitethernet slot/port
Example: Router(config)# interface gig 5/1
Purpose: Specifies the Gigabit Ethernet, Ten Gigabit Ethernet, or port-channel interface to configure.
Step 10
Command: channel-protocol {lacp | pagp}
Example: Router(config-if)# channel-protocol lacp
Purpose: Sets the protocol used on an interface to manage channeling.
Step 11
Command: channel-group channel-group-number mode {active | on | passive}
Example: Router(config-if)# channel-group 5 mode active
Purpose: Assigns and configures an EtherChannel interface to an EtherChannel group.
Examples
In this example, a single port-channel interface is created with three possible member links from slots 1 and 2:
Router# configure terminal
Router(config)# interface Port-channel5
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 350
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 400
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 350
Router(config-if)# service instance 3 ethernet
Router(config-if-srv)# encapsulation dot1q 500
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 370
Router(config)# interface Port-channel5.1
Router(config-subif)# encapsulation dot1Q 500 second-dot1q 300
Router(config-subif)# ip address 60.0.0.1 255.0.0.0
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config)# interface GigabitEthernet 1/3
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
This is a typical QoS configuration.
Router# configure terminal
Router(config)# interface port-channel10
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy input x
Router(config-if-srv)# service-policy output y
Router(config-if-srv)# bridge-domain 1500
This is configuration for LACP over a configured EVC port-channel, under an interface:
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode ?
Router(config-if)# channel-group 5 mode active
Router(config-if)# channel-group 5 mode passive
This is a port-channel configuration:
Router# configure terminal
Router(config)# interface Port-channel102
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp fast-switchover
Router(config-if)# lacp max-bundle 1
Router(config-if)# service instance 50 ethernet
Router(config-if-srv)# encapsulation dot1q 50
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# service-policy output lacp-parent
Router(config-if-srv)# bridge-domain 50
This is a member links configuration:
Router# configure terminal
Router(config)# interface GigabitEthernet 3/12
Router(config-if)# mtu 9216
Router(config-if)# no ip address
Router(config-if)# lacp rate fast
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 102 mode active
Verification
Use these commands to verify EVC configuration.
Command
|
Purpose
|
Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
|
Displays information that verifies details of a specific EVC, and also verifies if an EVC ID is specified for all the EVCs on an interface.
|
Router# show ethernet service instance interface port-channel number [summary]
|
Displays the summary of all the EVCs configured within the interface.
|
Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
|
Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, data for all service instances on the given interface is displayed.
|
Router# show ethernet service interface [interface-id] [detail]
|
Displays information in the Port Data Block (PDB).
|
Use the following commands to verify LACP over EVC
|
Router# show etherchannel 15 port-channel
|
Displays details for port-channel 15. This command is common to EVC port-channel, switchport port-channel, and Layer 3 port-channel.
|
Troubleshooting
For information on troubleshooting LACP support for EVC Port Channel feature, see Table 4-6.
Configuring Layer 2 Access Control Lists (ACLs) on an EVC
ACLs (Access Control Lists) perform the following tasks:
•
Apply security and QoS at the interface, sub-interface, and service levels.
•
Filter the packets in a modular manner.
You can use a collection of sequential ACL rules to filter network traffic. Although ACLs are applied on a network interface, this feature lets you apply Layer 2 ACLs to individual EVCs. Table 4-7 maps the supported layers to their parameters and Table 4-8 lists the commands used to activate the Layer 2 ACLs.
Table 4-7 Mapping between the ACL supported layers to the parameters
Layer
|
Based on
|
Layer 2
|
• MAC source and destination
|
Table 4-8 ACL commands
Layer
|
Action
|
Command
|
Layer 2
|
Create a Layer 2 Access List
|
mac access-list extended {aclname}
|
Apply an Access list within the EVC
|
mac access-group {aclname} in
|
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure ACLs on an EVC:
•
A Layer 2 ACL is supported only on the ingress.
•
You can apply a single ACL to more than one EFP.
•
If a Layer 2 ACL is applied to an EFP (Ethernet Flow Point) that already has a Layer 2 ACL, the new ACL replaces the previous ACL.
•
A Layer 2 ACL configuration applied on the EVC interface should contain the source MAC address, destination MAC address, and the address mask.
•
You can apply a maximum of 256 unique ACLs on all the EVCs.
•
A maximum of 16 ACEs (Access Control Elements) per ACL is supported.
•
The counters are supported per ACL per EVC.
•
Cisco IOS Release 15.1(1)S supports EVC port-channels.
Creating a Layer 2 Access Control List
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
mac access-list extended {aclname} {permit | deny} {host a.b.c host x.y.z}
4.
exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
mac access-list extended aclname {permit
| deny} {host a.b.c host x.y.z}
Example:
me7600-5(config)#mac access-list extended
test-l2-acl
|
Creates a Layer 2 Access List on the selected interface.
|
Step 4
|
exit
|
Exits the configuration mode.
|
Applying a Layer 2 Access Control List
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port [subinterface-number] or interface tengigabitethernet slot/subslot/port [subinterface-number]
4.
[no] service instance id {Ethernet}
5.
encapsulation dot1q vlan id
6.
mac access-group aclname in
7.
exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet slot/subslot/port [subinterface-number]
or
interface tengigabitethernet slot/subslot/port [subinterface-number]
Example:
Router(config)# interface gigabitethernet
4/0/0
|
Specifies the gigabit ethernet or the ten gigabit ethernet interface to configure, where:
• slot/subslot/port—Specifies the location of the interface.
• subinterface-number—(Optional) Specifies a secondary interface (sub-interface) number.
|
Step 4
|
[no] service instance id {Ethernet [service-name]}
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance on an interface and sets the device to the config-if-srv configuration mode.
|
Step 5
|
encapsulation dot1q vlan id
Example:
Router(config-if-srv)# encapsulation
dot1q 5
|
Defines the matching criteria to map ingress dot1q frames on an interface to the appropriate service instance.
Note Use the encapsulation dot1q default command to configure the default service instance on a port. Use the encapsulation dot1q untagged command to map the untagged ethernet frames on an ingress interface to a service instance.
|
Step 6
|
mac access-group aclname in
Example:
me7600-5(config-if-srv)# mac access-group
test-l2-acl in
|
Applies an L2 ACL on the selected EVC.
Note L2 ACL displays only positive permit and deny counts.
|
Step 7
|
exit
|
Exits the configuration mode.
|
Examples
You can view the ACL counters for an EVC as shown in this example:
LLB-India-7#sh ethernet service instance id 1 int gig3/0/0 detail
L2 ACL (inbound): l2acl <=====
Associated Interface: GigabitEthernet3/0/0
Interface Dot1q Tunnel Ethertype: 0x8100
L2 ACL permit count: 0 <=====
L2 ACL deny count: 0 <=====
Pkts In Bytes In Pkts Out Bytes Out
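The following Python model shows how a Layer 2 ACL applied inbound on an EVC is evaluated and how the per-ACL, per-EVC permit and deny counters in the show output above accumulate. It is an added example, not Cisco code: the first-match evaluation, the 48-bit wildcard convention (mask bits set to 1 are not compared), the implicit deny at the end of the list and the 16-ACE limit are taken from the page's text; the sample ACL, the ACE syntax accepted by the parser and the frames are constructed here.

```python
"""Layer 2 (MAC) ACL evaluation on an EVC with per-ACL, per-EVC counters.

Added example, not Cisco code. Models 'mac access-list extended' applied
inbound with 'mac access-group ... in'. ACE syntax, wildcard convention and
the 16-ACE limit are assumptions taken from the page; sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

MASK48 = (1 << 48) - 1
MAX_ACES_PER_ACL = 16  # per-ACL limit stated in the restrictions above


def mac_to_int(mac: str) -> int:
    """Accept Cisco 'aaaa.bbbb.cccc', colon or dash notation; return a 48-bit int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int
    src_wild: int    # wildcard mask: bits set to 1 are not compared
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        return (((src ^ self.src) & ~self.src_wild & MASK48) == 0
                and ((dst ^ self.dst) & ~self.dst_wild & MASK48) == 0)


def _operand(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Parse one address operand: 'host MAC', 'any', or 'MAC WILDCARD'."""
    key = tokens[0].lower()
    if key == "host":
        return mac_to_int(tokens[1]), 0, tokens[2:]
    if key == "any":
        return 0, MASK48, tokens[1:]
    return mac_to_int(tokens[0]), mac_to_int(tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse '{permit|deny} SRC-OPERAND DST-OPERAND' (source first, then destination)."""
    tokens = line.split()
    action = tokens[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown ACE action in {line!r}")
    src, src_wild, rest = _operand(tokens[1:])
    dst, dst_wild, rest = _operand(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return Ace(action, src, src_wild, dst, dst_wild)


class MacAcl:
    def __init__(self, name: str, ace_lines: List[str]):
        if len(ace_lines) > MAX_ACES_PER_ACL:
            raise ValueError(f"{name}: more than {MAX_ACES_PER_ACL} ACEs")
        self.name = name
        self.aces = [parse_ace(line) for line in ace_lines]

    def lookup(self, src_mac: str, dst_mac: str) -> str:
        src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
        for ace in self.aces:          # first match wins
            if ace.matches(src, dst):
                return ace.action
        return "deny"                  # implicit deny at the end of an IOS ACL


class Evc:
    """One service instance with an inbound MAC ACL and its own counters."""
    def __init__(self, evc_id: int, acl: MacAcl):
        self.evc_id, self.acl = evc_id, acl
        self.permit_count = self.deny_count = 0

    def ingress(self, src_mac: str, dst_mac: str) -> bool:
        permitted = self.acl.lookup(src_mac, dst_mac) == "permit"
        if permitted:
            self.permit_count += 1
        else:
            self.deny_count += 1
        return permitted


def run_sample() -> Tuple[int, int]:
    """Constructed ACL and frames; returns (permit_count, deny_count)."""
    acl = MacAcl("test-l2-acl", [
        "permit host 0011.2233.4455 host 00aa.bbcc.dd01",  # one known host pair
        "deny 0011.2233.0000 0000.0000.ffff any",          # other hosts in 0011.2233.xxxx
        "permit any host ffff.ffff.ffff",                  # broadcast from anyone
    ])
    evc = Evc(1, acl)
    frames = [
        ("0011.2233.4455", "00aa.bbcc.dd01"),  # ACE 1 -> permit
        ("0011.2233.9999", "00aa.bbcc.dd01"),  # ACE 2 -> deny
        ("0022.0000.0001", "ffff.ffff.ffff"),  # ACE 3 -> permit
        ("0033.0000.0001", "00aa.bbcc.dd02"),  # no ACE -> implicit deny
    ]
    for src, dst in frames:
        evc.ingress(src, dst)
    return evc.permit_count, evc.deny_count


if __name__ == "__main__":
    permits, denies = run_sample()
    print(f"L2 ACL permit count: {permits}\nL2 ACL deny count: {denies}")
```

Because counters are kept on the Evc object rather than the ACL, applying the same MacAcl to a second Evc gives that EVC its own independent permit and deny counts, which is the per-ACL, per-EVC behaviour listed in the restrictions.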
DHCP Snooping with Option-82 on EVC
DHCP snooping determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.
To do this, DHCP snooping dynamically builds and maintains the DHCP snooping database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
Each entry in the DHCP snooping database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
Additionally, the DHCP Snooping with Option-82 feature can centrally manage the IP address assignments for a large number of subscribers. When this feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.
However, EVCs require additional information. If each EVC on an interface is mapped to a single VPN, it would be possible to use the internal VLAN to identify the path for reply packets. However, because multiple EVCs with different encapsulations can map to the same VPN, it is necessary to use the actual EVC encapsulation to distinguish between EVCs.
The DHCP Snooping with Option-82 on EVC feature allows the user to provide this additional information required for EVC-enabled interfaces. This information is inserted into the option 82 and is also stored in the binding table for retrieval by other services.
Use the ip dhcp snooping information option allow-untrusted command to enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch. DHCP option 82 data insertion is enabled by default. Accepting incoming DHCP snooping packets with option 82 information from the edge switch is disabled by default.
Use the ip dhcp relay information option subscriber-id command to configure a subscriber string for an EVC that can be inserted into the option 82 field along with other information when relaying the DHCP packets to the server. The server can parse the option 82 information to match the subscriber string and act accordingly. The subscriber string configured for an EVC will not be stored in the binding table and is only used when sending DHCP packets to the server by inserting into the option 82 field.
For additional information on DHCP Snooping and Option-82 on the Cisco 7600 router, see Configuring DHCP Snooping at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/snoodhcp.html.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while you configure DHCP Snooping with Option-82:
•
An EVC with multiple encapsulations is not supported.
•
The following EVCs are supported on the same interface and bridge-domain:
–
dot1q encapsulation
–
QinQ encapsulation
–
Untagged encapsulation
•
4000 EVCs are supported per port.
•
32000 EVCs are supported per router.
•
Multiple EVCs are supported on the same port, all having the same or different bridge domains.
•
Multiple EVCs are supported on different ports, all having the same or different bridge domains.
•
With Cisco IOS Release 12.2(33)SRE, DHCP snooping with Option 82 is supported on EVC port-channels.
•
DHCP snooping is not supported with lag NNI VPLS core.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface port-channel number
4.
[no] ip address
5.
negotiation {forced | auto}
6.
service instance id Ethernet [service-name]
7.
encapsulation dot1q vlan-id
8.
rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric
9.
ip dhcp relay information option subscriber-id value
10.
[no] bridge-domain bridge-id
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port[.subinterface-number]
or
interface tengigabitethernet
slot/subslot/port[.subinterface-number]
or
interface port-channel number
Example:
Router(config)# interface gigabitethernet 4/1
|
Specifies the gigabit ethernet or the ten gigabit ethernet or the port-channel interface to configure.
|
Step 4
|
no ip address
Example:
Router(config-if)# no ip address
|
Removes an IP address or disables IP processing.
|
Step 5
|
negotiation {forced | auto}
Example:
Router(config-if)# negotiation auto
|
Enables advertisement of speed, duplex mode, and flow control on a gigabit ethernet interface.
|
Step 6
|
[no] service instance id Ethernet [service-name]
Example:
Router(config-if)# service instance 101 ethernet
|
Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 7
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 8
|
rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric
Example:
Router(config-if-srv)# rewrite ingress tag push
dot1q 20 symmetric
|
Specifies the tag manipulation to be performed on the frame ingress to the service instance.
|
Step 9
|
ip dhcp relay information option subscriber-id
value
Example:
Router(config-if-srv)# ip dhcp relay information option
subscriber-id 123
|
Configures a subscriber string that uniquely identifies the interface from where the DHCP packets originate.
|
Step 10
|
[no] bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Example
This example shows a typical configuration on the relay agent and the server. This is a configuration on the relay agent:
Router# configure terminal
Router(config)# interface GigabitEthernet8/1
Router(config-if)# no ip address
Router(config-if)# negotiation auto
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip dhcp relay information option subscriber-id 11
Router(config-if-srv)# bridge-domain 100
Router(config)# interface Vlan100
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip helper-address global 20.0.0.2
Router(config-if)# ip helper-address 20.0.0.2
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# ip dhcp snooping packets
Router(config-if)# ip address 20.0.0.1 255.255.255.0
Router(config-if)# negotiation auto
This is the configuration on the server:
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# ip address 20.0.0.2 255.255.255.0
Router(config-if)# negotiation auto
Router(config)# ip dhcp pool pool1
Router(dhcp-config)# network 10.0.0.0 255.255.0.0
Router(dhcp-config)# update arp
address range 10.0.0.2 10.0.0.10
address range 10.0.0.11 10.0.0.20
Router(config)# ip dhcp pool pool2
Router(dhcp-config)# network 11.0.0.0 255.255.0.0 lease 2
Router(config)# ip dhcp pool pool3
Router(dhcp-config)# network 10.0.0.0 255.255.255.0 lease 0 0 2
Router(config)# ip dhcp class C1 <-----------Class C1 maps to the subscriber-id string aabb11.
Router(config-dhcp-class)# relay-information hex 00000000000000000000000000000006616162623131 mask
fffffffffffffffffffffffffffffff0000000000000
Router(config-dhcp-class)# relay-information hex 00000000000000000000000000000006313162626161 mask
fffffffffffffffffffffffffffffff0000000000000
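The relay-information hex patterns in the DHCP class above are the option 82 bytes the server parses to recognise the subscriber string. The following Python helper, an added example and not Cisco code, decodes those two patterns and rebuilds them from a subscriber-id. Its layout assumption (15 zero bytes, one length byte, then the subscriber-id in ASCII) is inferred from the page's own two hex strings, not from a Cisco specification, and the semantics of the accompanying mask are not modelled.

```python
"""Decode and build the 'relay-information hex' patterns from the DHCP class example.

Added example, not Cisco code. Layout assumption inferred from the page's two
hex strings: PREFIX_LEN zero bytes, a length byte, then the subscriber-id in ASCII.
The 'mask' argument of relay-information is not modelled.
"""
from typing import List

PREFIX_LEN = 15  # zero bytes preceding the length byte in the page's patterns

# Patterns copied from the 'ip dhcp class C1' configuration above.
PAGE_PATTERNS = [
    "00000000000000000000000000000006616162623131",
    "00000000000000000000000000000006313162626161",
]


def decode_subscriber_id(pattern_hex: str) -> str:
    """Return the ASCII subscriber-id carried at the tail of a pattern."""
    raw = bytes.fromhex(pattern_hex)
    if len(raw) < PREFIX_LEN + 1:
        raise ValueError("pattern shorter than prefix plus length byte")
    if any(raw[:PREFIX_LEN]):
        raise ValueError("expected an all-zero prefix before the length byte")
    length = raw[PREFIX_LEN]
    tail = raw[PREFIX_LEN + 1:]
    if len(tail) != length:
        raise ValueError(f"length byte {length} does not match {len(tail)} trailing bytes")
    return tail.decode("ascii")


def encode_subscriber_id(subscriber_id: str) -> str:
    """Build the hex pattern that matches a given subscriber-id string."""
    data = subscriber_id.encode("ascii")
    if not 1 <= len(data) <= 255:
        raise ValueError("subscriber-id must be 1..255 ASCII bytes")
    return (b"\x00" * PREFIX_LEN + bytes([len(data)]) + data).hex()


def decode_all(patterns: List[str] = PAGE_PATTERNS) -> List[str]:
    """Decode every configured pattern; useful when auditing a class definition."""
    return [decode_subscriber_id(p) for p in patterns]


if __name__ == "__main__":
    for pattern in PAGE_PATTERNS:
        print(pattern, "->", decode_subscriber_id(pattern))
    print(encode_subscriber_id("aabb11") == PAGE_PATTERNS[0])
```

Running the decoder on the page's first pattern yields aabb11, which is the mapping the comment in the class definition states; the second pattern decodes to 11bbaa.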
Verification
Use these commands to verify operation.
Command
|
Purpose
|
Router# show ip dhcp snooping
|
Displays all VLANs (both primary and secondary) that have DHCP snooping enabled.
|
Router# show ip dhcp snooping binding
|
Checks the DHCP snooping database.
|
Troubleshooting
Table 4-9 provides the troubleshooting solutions for the DHCP Snooping feature.
Table 4-9 Troubleshooting Scenarios for DHCP Snooping feature
Problem
|
Solution
|
DHCP snooping database is not storing any bindings
|
Complete the following steps to verify and troubleshoot:
1. Use the show ip dhcp snooping binding command to check whether there are non-zero bindings built on the binding table.
2. The show ip dhcp snooping binding command displays the total number of bindings as a non-zero value. If not, check whether the DHCP snooping database agent is configured correctly. If no bindings exist, either they were never built or the lease expired. Reconfigure the bindings with a longer lease period. If the lease time is configured as the maximum (4294967295 seconds, effective from Cisco IOS Release 12.2(33)SRD), the bindings do not expire.
3. Use the ip dhcp snooping database command to check if the DHCP snooping database agent is configured correctly and is currently running.
|
Bindings are not getting stored in the database agent
|
Read the database agent file to check whether bindings are stored in that file. If not, go to Step 3 of the previous solution. If at least one binding is stored in the database file, the database agent is working correctly.
|
DHCP snooping is not active on the router
|
DHCP snooping is active on the router only when it is configured globally and on at least one VLAN interface. Check that the ip dhcp snooping command is present in the running configuration, both globally and on at least one VLAN interface. If not, configure the feature as described in Configuring Layer 2 Access Control Lists (ACLs) on an EVC.
If the configurations exist, use the debug ip dhcp snooping packets command to check whether or not DHCP packets are being exchanged between the DHCP server and the client. If yes, proceed to Step 3 listed in the solution for " DHCP snooping database is not storing any bindings" problem. If not, check the configurations for the DHCP server and client and whether all the connections to the DHCP relay agent are fine. If the problem persists, contact TAC.
|
DHCP Snooping Over p-mLACP
The Dynamic Host Configuration Protocol (DHCP) snooping over a pseudo-multichassis Link Aggregation Control Protocol (p-mLACP) feature synchronizes the DHCP snooping database between the Points of Attachment (PoAs) in a network. The synchronization of the DHCP database allows the multicast traffic to flow with the least interruption when the p-mLACP fails. This feature uses the Interchassis Communication Protocol (ICCP) to synchronize the DHCP snooping database with the peer PoAs to provide multi-chassis redundancy. When the multi-chassis Link Aggregation (mLAG) transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network. A system configured with DHCP snooping creates a DHCP snooping database, which contains DHCP snooping entries (MAC/IP bindings) learnt from the different VLANs.
The DHCP snooping binding data is added in the active supervisor after successfully synchronizing the snooping information between the local standby and remote PoAs (active and standby supervisor PoA).
Note
For more information on p-mLACP and p-mLACP failure, see the Pseudo MLACP Support on Cisco 7600 section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.
DHCP Snooping State Synchronization
The DHCP snooping state synchronization involves these steps:
1.
The active PoA synchronizes the DHCP snooping binding tables with the standby PoA.
2.
The standby PoA uses the synchronized DHCP binding information for IP source guard (IPSG) and Dynamic ARP Inspection (DAI).
3.
On switchover, the standby EFP becomes active and any spoofed ARP, MAC or IP traffic is dropped by the new Active PoA.
Restrictions for DHCP Snooping over p-mLACP
Following restrictions apply for the DHCP Snooping over p-mLACP feature:
•
The manual load-balance VLAN list and LAG configuration should be same on both the PoAs.
•
The bridge-domain configured under a p-mLACP port-channel EVC should not be part of any other non-pmLACP interfaces.
•
For proper DHCP snooping database synchronization, ensure that the ICRM link is up.
•
All the PoAs should be configured as p-mLACP peers to enable DHCP snooping database synchronization.
•
It is recommended that all the PoAs be configured for non-revertive mode.
•
During the mLACP failures A, B, C, and E, the database entries are not lost. In case of p-mLACP failure D, the database entries are lost but they are restored after synchronization with the peer PoA through the ICRM link.
•
The maximum number of DHCP Snooping entries supported per PoA is 20000; 10000 entries on the active VLAN on the active PoA and 10000 entries synchronized from another PoA through the ICCP link.
•
This feature is supported on the ES20 and ES+ line cards in the access mode only.
•
This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
•
For the Virtual Private LAN Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs) participating in a bridge-domain should have the outer tag VLAN range set to either primary or secondary VLANs, but not both.
•
If an EFP is deleted from a PoA, you should remove it from all the peer PoAs.
•
While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
•
IP FRR functionality is not supported with p-mLACP.
Note
All the p-mLACP restrictions also apply to this feature.
Table 4-10 lists the scalability numbers for DHCP Snooping state synchronization:
Table 4-10 Scalability Numbers for p-mLACP DHCP Snooping State Synchronization
Feature
|
Per PoA
|
DHCP snooping entries
|
20000
|
Troubleshooting Tips
Table 4-11 lists the commands to troubleshoot the p-mLACP DHCP Snooping State Synchronization.
Table 4-11 Troubleshooting Scenarios
Command
|
Use
|
debug ip dhcp snooping event
|
Use this command to enable the debugging of the events involved in DHCP snooping.
|
debug ip dhcp snooping packet
|
Use this command to display the debugging messages for DHCP snooping.
|
show ip dhcp snooping multi-chassis
|
Use this command to display status of bulk synchronization.
|
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization
The pseudo-multichassis Link Aggregation Control Protocol (p-mLACP) Internet Group Management Protocol (IGMP) Snooping State Synchronization feature synchronizes the IGMP snooping database between the Points of Attachment (PoAs) in a network. The synchronization of the IGMP database allows the multicast traffic to flow with the least interruption when an mLACP fails. The p-mLACP IGMP snooping function uses the Interchassis Communication Protocol (ICCP) to synchronize the IGMP snooping database with the peer PoAs. When the mLAG transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the network.
Note
For more information on p-mLACP and p-mLACP failure, see the Pseudo MLACP Support on Cisco 7600 section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.
IGMP Snooping State Synchronization
The p-mLACP IGMP Snooping state synchronization involves these steps:
•
The POA creates snooping entries for its active VLANs based on IGMP reports, and the snooping entries are synchronized to the peer POA using ICCP, where this information corresponds to the standby VLANs on the peer POA.
•
The peer POA processes the ICCP messages received from the other POA, and pre-programs the multicast forwarding table based on the received IGMP information.
•
When p-mLACP fails (A, B, C, D, E) on one of the POAs, the peer POA moves its standby VLANs to active and triggers IGMP reports towards the Designated Router/mrouter based on the IGMP information received via ICCP for these VLANs.
•
Next, the peer POA starts forwarding multicast data traffic based on pre-programmed multicast forwarding table without any delay, enabling fast convergence.
Figure 4-4 shows the basic p-mLACP IGMP Snooping State Synchronization process.
Figure 4-4 IGMP Snooping State Synchronization
Restrictions for p-mLACP IGMP Snooping State Synchronization
Following restrictions apply for the p-mLACP IGMP Snooping State Synchronization feature:
•
The maximum rate supported is 1000 IGMP joins per second.
•
The maximum number of IGMP Snooping entries supported per PoA is 10000.
•
IGMP version 2 is supported. IGMP version 3 is not supported.
•
This feature is supported on the ES20 and ES+ line cards in the access mode only.
•
This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
•
For the Virtual Private LAN Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs) participating in a bridge-domain should have the outer tag VLAN range set to either primary or secondary VLANs, but not both.
•
If an EFP is deleted from a PoA, you should remove it from all the peer PoAs.
•
While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
•
IP FRR functionality is not supported with p-mLACP.
•
IGMP Snooping is not supported with Hierarchical Virtual Private LAN Service (H-VPLS) and MAC Tunneling Protocol (MTP) scenarios and topologies.
Table 4-12 lists the scalability numbers for IGMP snooping state synchronization.
Table 4-12 Scalability Numbers for p-mLACP IGMP Snooping State Synchronization
Feature
|
Per PoA
|
Desirable per PoA
|
Per RG
|
p-mLACP IGMP snooping state synchronization
|
10K
|
20K
|
10K
|
Note
All p-mLACP restrictions also apply to IGMP Snooping over p-mLACP feature.
Troubleshooting Tips
Table 4-13 lists the troubleshooting solutions for the p-mLACP IGMP Snooping State Sync implementation.
Table 4-13 Troubleshooting Scenarios
Problem
|
Solution
|
IGMP snooping database is empty on the PoA.
|
Complete these steps to verify and troubleshoot:
1. Use the show mac-address-table multicast igmp-snooping command to check for incomplete snooping entries. If the entries are incomplete, see the problem definition and solution explained in the next row.
2. If the output from the show mac-address-table multicast igmp-snooping command is empty, check if the IGMP snooping is enabled on the router. Enable the IGMP snooping, if disabled.
|
IGMP Snooping database shows incomplete snooping entries
|
If incomplete entries are displayed in the show mac-address-table multicast igmp-snooping command output, complete these steps:
1. Check whether the incomplete entries are specific to the active VLANs or the standby VLANs.
2. If the incomplete entries correspond to an active VLAN, verify the configuration.
3. If the incomplete entries correspond to a standby VLAN, check the corresponding VC states using the show mpls l2transport vc command. VC state should be in UP/STANDBY state, not in the DOWN state.
4. Use the show ip igmp snooping mrouter command output to verify that the mrouter port is configured properly for the affected VLAN.
|
IP Source Guard for Service Instance
An IP source guard filters a source IP address on a layer 2 port and prevents malicious hosts from impersonating a legitimate host. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access ports.
Initially, all IP traffic on the service instance is blocked except for DHCP packets that are captured by DHCP snooping. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, the IP source guard for service instance feature automatically creates an access control list (ACL) to permit that traffic. Traffic from other hosts is denied. This filtering limits the ability of a host to attack the network by claiming the IP address of a neighbor host.
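The filtering behaviour just described, as an added Python model that is not Cisco code: before any binding exists only DHCP passes, a lease learnt by DHCP snooping (or a static binding) opens the filter for that host, and everything else is dropped. The two modes follow the ip verify source vlan dhcp-snooping [port-security] command used in the procedure below: IP mode checks only the source IP, IP/MAC mode (port-security) checks the source IP and source MAC together. The packet structure, the binding table layout and the sample hosts and packets are constructed assumptions for the illustration.

```python
"""IP source guard on a service instance, modelled as the page describes it.

Added example, not Cisco code. Packet model, binding table and sample data
are constructed; only the behaviour stated on the page is reproduced.
"""
from dataclasses import dataclass
from typing import Dict

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    proto: str = "ip"      # "udp" for DHCP; anything else is plain IP traffic
    udp_sport: int = 0
    udp_dport: int = 0

    def is_dhcp(self) -> bool:
        """Client-to-server DHCP (UDP 68 -> 67), which snooping must be able to see."""
        return (self.proto == "udp" and self.udp_sport == DHCP_CLIENT_PORT
                and self.udp_dport == DHCP_SERVER_PORT)


class IpSourceGuard:
    def __init__(self, port_security: bool = False):
        self.port_security = port_security      # True = IP/MAC mode
        # ip -> mac: the part of the snooping binding table relevant to this EVC
        self.bindings: Dict[str, str] = {}

    def learn_from_dhcp(self, mac: str, ip: str) -> None:
        """Binding created when DHCP snooping sees the server's DHCPACK."""
        self.bindings[ip] = mac.lower()

    def add_static_binding(self, mac: str, ip: str) -> None:
        """Administrator-configured static IP source binding."""
        self.bindings[ip] = mac.lower()

    def permit(self, pkt: Packet) -> bool:
        if pkt.is_dhcp():
            return True                          # DHCP is always let through
        bound_mac = self.bindings.get(pkt.src_ip)
        if bound_mac is None:
            return False                         # unknown source IP: dropped
        if self.port_security and bound_mac != pkt.src_mac.lower():
            return False                         # IP/MAC mode: MAC must match too
        return True


def run_sample() -> Dict[str, bool]:
    """Replays constructed packets against both modes; returns a results map."""
    ip_mode = IpSourceGuard(port_security=False)
    ipmac_mode = IpSourceGuard(port_security=True)
    host, spoofer = "0011.2233.4455", "0011.2233.9999"

    discover = Packet(host, "0.0.0.0", "udp", DHCP_CLIENT_PORT, DHCP_SERVER_PORT)
    early_data = Packet(host, "10.0.0.5")           # sent before any lease exists
    results = {
        "dhcp_before_binding": ip_mode.permit(discover),
        "data_before_binding": ip_mode.permit(early_data),
    }
    for guard in (ip_mode, ipmac_mode):             # DHCPACK observed by snooping
        guard.learn_from_dhcp(host, "10.0.0.5")

    legit = Packet(host, "10.0.0.5")
    spoofed_mac = Packet(spoofer, "10.0.0.5")       # right IP, different MAC
    neighbour_ip = Packet(host, "10.0.0.6")         # claims an IP with no binding
    results.update({
        "legit_ip_mode": ip_mode.permit(legit),
        "legit_ipmac_mode": ipmac_mode.permit(legit),
        "spoofed_mac_ip_mode": ip_mode.permit(spoofed_mac),        # IP mode cannot see this
        "spoofed_mac_ipmac_mode": ipmac_mode.permit(spoofed_mac),  # IP/MAC mode drops it
        "neighbour_ip_ip_mode": ip_mode.permit(neighbour_ip),
        "neighbour_ip_ipmac_mode": ipmac_mode.permit(neighbour_ip),
    })
    return results


if __name__ == "__main__":
    for name, allowed in run_sample().items():
        print(f"{name:26s} {'permit' if allowed else 'drop'}")
```

The spoofed_mac case is the reason the port-security keyword exists: with a correct source IP and a different MAC, IP mode permits the packet, while IP/MAC mode checks the snooping binding's MAC as well and drops it.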
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring IP source guard for a service instance:
•
The number of ACLs and ACEs that can be configured as part of IP source guard are bounded by the hardware resources on the line card.
•
The IP source guard is meant to verify host source IP and MAC information. Only ingress traffic is filtered. It is not applicable to egress direction.
•
The IP source guard is not effective for software forwarded packets. When a non-recoverable TCAM exception occurs for the IP source guard, the IP filtering is not effective and packets are permitted.
•
The IP source guard is not supported on subinterfaces.
•
The IP source guard is supported only on ES+ line cards.
•
IP source guard is supported on port-channel service instances effective from Cisco IOS release 15.1(2)S.
Configuring IP Source Guard for a Service Instance
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/port
or
interface tengigabitethernet slot/port
or
interface port-channel number
4.
[no] ip address
5.
service instance id ethernet [service-name]
6.
encapsulation dot1q vlan-id
7.
rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} symmetric
Note
So that the router can determine whether a packet is DHCP, all tags must be popped; push and translate are not supported with the IP source guard for service instance feature.
8.
ip verify source vlan dhcp-snooping [port-security]
9.
[no] bridge-domain bridge-id
10.
exit
11.
end
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode. If prompted, enter your password.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet slot/port
or
interface tengigabitethernet slot/port
or
interface port-channel number
Example:
Router(config)# interface gigabitethernet 4/1
|
Specifies the interface to configure.
• slot/port - Specifies the location of the interface.
• number - Specifies the port channel interface.
|
Step 4
|
[no] ip address
Example:
Router(config-if)# no ip address
|
Removes an IP address or disables IP processing.
|
Step 5
|
[no] service instance id ethernet [service-name]
Example:
Router(config-if)# service instance 101 ethernet
|
Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 6
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 7
|
rewrite ingress tag {push {dot1q vlan-id | dot1q
vlan-id second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | pop {1 | 2} | translate {1-to-1
{dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q
vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id
second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q
vlan-id | dot1ad vlan-id dot1q vlan-id}}
symmetric
Example:
Router(config-if-srv)# rewrite ingress tag pop 1
symmetric
|
Specifies the tag manipulation that is to be performed on the frame ingress to the service instance.
Note In order for the router to distinguish if the packet is DHCP, all tags must be in pop state ; push and translate states are not supported.
|
Step 8
|
ip verify source vlan dhcp-snooping
[port-security]
Example:
Router(config-if-srv)# ip verify source vlan
dhcp-snooping
|
Enables the IP source guard states. Use these commands :
• vlan dhcp-snooping enables IP mode and applies the feature to only specific VLANs on the interface. The dhcp-snooping option applies the feature to all VLANs on the interface that have DHCP snooping enabled.
• port-security enables IP/MAC mode and applies both IP and MAC filtering.
|
Step 9
|
[no] bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 10
|
exit
Example:
|
Returns to global configuration mode.
|
Step 11
|
end
Example:
|
Exits configuration mode.
|
Example
This example shows how to configure IP source guard for a service instance with single tag (Dot1q) encapsulation.
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
This example shows how to configure IP source guard for a service instance with double tag (QinQ) encapsulation.
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation dot1q 71 second-dot1q 100
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
This example shows how to configure IP source guard for a service instance with untagged encapsulation.
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
This example shows how to configure IP source guard for a service instance with default encapsulation.
Router# configure terminal
Router(config)# interface GigabitEthernet7/1
Router(config-if)# no ip address
Router(config-if)# service instance 71 ethernet
Router(config-if-srv)# encapsulation default
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
This example shows how to configure IP source guard for a service instance with single tag encapsulation on a port-channel interface.
Router# configure terminal
Router(config)# interface port-channel 2
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# ip verify source vlan dhcp-snooping
Router(config-if-srv)# bridge-domain 10
Verification
Use the show ip verify source interface command to verify the configuration:
router# show ip verify source interface gi5/1 efp_id 10
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID
--------- ----------- ----------- --------------- ----------------- ---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
router# show ip verify source interface gi5/1
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP ID
--------- ----------- ----------- --------------- ----------------- ---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
Gi5/1 ip-mac active 123.1.1.2 00:0A:00:0A:00:0B 100 20
Gi5/1 ip-mac active 123.1.1.3 00:0A:00:0A:00:0C 100 30
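The following is an added example (not part of the Cisco documentation) that parses the show ip verify source output in the format above and models the filtering decision the feature makes: IP-only mode (vlan dhcp-snooping) checks the source IP, IP/MAC mode (port-security) checks IP and MAC together, DHCP is passed so a binding can be learned, and an EFP whose filter is not active (the TCAM exception case noted in the restrictions) fails open. The "ip" filter-type row and the "inactive" row in the sample are constructed to exercise those paths and are not taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of "show ip verify source interface" shown
# on this page. The "ip" filter-type row (IP-only mode) and the inactive row
# are added here to exercise both modes; they are not taken from the page.
SAMPLE_OUTPUT = """\
router# show ip verify source interface gi5/1
Interface Filter-type Filter-mode IP-address Mac-address Vlan EFP
ID
--------- ----------- ----------- --------------- -----------------
---------- ----------
Gi5/1 ip-mac active 123.1.1.1 00:0A:00:0A:00:0A 100 10
Gi5/1 ip-mac active 123.1.1.2 00:0A:00:0A:00:0B 100 20
Gi5/1 ip active 123.1.1.3 00:0A:00:0A:00:0C 100 30
Gi5/1 ip-mac inactive 123.1.1.4 00:0A:00:0A:00:0D 100 40
"""


@dataclass(frozen=True)
class Binding:
    interface: str
    filter_type: str   # "ip" (vlan dhcp-snooping) or "ip-mac" (port-security added)
    filter_mode: str   # "active", or anything else when the filter is not in effect
    ip: str
    mac: str
    vlan: int
    efp: int


ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ftype>ip(?:-mac)?)\s+(?P<fmode>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<vlan>\d+)\s+(?P<efp>\d+)$"
)


def parse_bindings(text):
    """Parse binding rows out of the show output; prompt, header and rule lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            bindings.append(Binding(m["intf"], m["ftype"], m["fmode"], m["ip"],
                                    m["mac"].upper(), int(m["vlan"]), int(m["efp"])))
    return bindings


def check_source(bindings, interface, efp, vlan, src_ip, src_mac, is_dhcp=False):
    """Return (permitted, reason) for a frame arriving on interface/EFP/VLAN.

    Models the behaviour this page describes: DHCP is passed so that the
    binding can be learned, an EFP whose filter is not active (for example
    after a non-recoverable TCAM exception) fails open, "ip" mode checks only
    the source IP, and "ip-mac" mode checks source IP and MAC together.
    """
    if is_dhcp:
        return True, "DHCP passthrough"
    rows = [b for b in bindings if b.interface == interface and b.efp == efp]
    if not rows:
        return False, "no binding for this EFP"
    if any(b.filter_mode != "active" for b in rows):
        return True, "filter not active: packets permitted (fail-open)"
    for b in rows:
        if b.vlan != vlan or b.ip != src_ip:
            continue
        if b.filter_type == "ip" or b.mac == src_mac.upper():
            return True, f"matched binding {b.ip} {b.mac} on EFP {b.efp}"
    return False, "source does not match any binding"


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    for args in (("Gi5/1", 10, 100, "123.1.1.1", "00:0a:00:0a:00:0a"),
                 ("Gi5/1", 10, 100, "123.1.1.1", "00:0A:00:0A:00:0B"),
                 ("Gi5/1", 30, 100, "123.1.1.3", "DE:AD:BE:EF:00:01"),
                 ("Gi5/1", 40, 100, "9.9.9.9", "DE:AD:BE:EF:00:02")):
        print(args, "->", check_source(table, *args))
```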
Troubleshooting
Table 4-14 provides troubleshooting solutions for the IP source guard feature.
Table 4-14 Troubleshooting Scenarios for IP Source Guard feature
Problem: EVC disabled in IP source guard
Solution: Use the [no] ip verify source vlan dhcp-snooping port-security command in service instance configuration mode to verify the IP source guard information. port-security is an optional keyword indicating that the source MAC address filter should be applied together with the source IP address filter. Share the output with TAC to troubleshoot further.
Problem: DHCP snooping failures
Solution:
1. Verify whether the issues are specific to DHCP snooping or to IP source guard. Use the show ip dhcp snooping binding command to check the DHCP snooping bindings on the RP. If the expected entry is missing on the RP, debug the DHCP snooping sessions and share the output with TAC.
2. If the entry is displayed on the route processor but not on the line card, use the dhcp snooping ipc debug command on the RP to debug failures related to DHCP snooping entries. If the issue persists, contact TAC.
Configuring MST on EVC Bridge Domain
The Multiple Spanning Tree (MST) on EVC Bridge Domain feature enables MST on EVC interfaces. It complements the H-VPLS N-PE Redundancy for QinQ and MPLS Access feature released in Cisco IOS Release 12.2(33)SRC. For more information on this feature, see http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html.
This section describes how to configure MST on EVC Bridge Domain. It contains these topics:
• Overview of MST and STP
• Overview of MST on EVC Bridge Domain
• Restrictions and Usage Guidelines
• Examples
Overview of MST and STP
Spanning Tree Protocol (STP) is a Layer 2 link-management protocol that provides path redundancy while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. STP operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can enable and disable STP on a per-VLAN basis.
MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required to support a large number of VLANs. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).
For routers to participate in MST instances, you must consistently configure the routers with the same MST configuration information. A collection of interconnected routers that have the same MST configuration comprises an MST region. For two or more routers to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same MST name.
The MST configuration controls the MST region to which each router belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.
A region can have one or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree instance at a time.
For additional information on STP and MST on the Cisco 7600 series routers, see Configuring STP and MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html
Overview of MST on EVC Bridge Domain
The MST on EVC Bridge-Domain feature uses VLAN IDs for service-instance-to-MST-instance mapping. EVC service instances with the same VLAN ID (the outer VLAN IDs in the QinQ case) as the one in another MST instance will be mapped to that MST instance.
EVC service instances can have encapsulations with a single tag as well as double tags. In case of double tag encapsulations, the outer VLAN ID shall be used for the MST instance mapping, and the inner VLAN ID is ignored.
A single VLAN per EVC is needed for the mapping with the MST instance. The following service instances, which have no VLAN ID or multiple outer VLAN IDs, are not supported:
• Untagged (encapsulation untagged)
• Priority-tagged (encapsulation priority-tagged)
• Default (encapsulation default)
• Multiple outer tags (encapsulation dot1q 200 to 400 second-dot1q 300)
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring MST on EVC bridge domain:
• Cisco IOS Release 15.1(1)S supports EVC port-channels.
• The main interface where the EFP is configured must be up and running with MSTP as the selected spanning tree mode (PVST and Rapid-PVST are not supported).
• The STP PortFast feature is not supported with EFPs.
• The co-existence of REP and mLACP with MST on the same port is not supported.
• Any action performed on a VPORT (which represents a particular VLAN in a physical port) affects the bridge domain and other services.
• This feature cannot co-exist with Ethernet Bridging on FR/ATM, which supports only PVST.
• Supports 64 MSTs and one CIST (common and internal spanning tree).
• Supports one MST region.
• Scales to 32000 EFPs.
• Service instances without any VLAN ID in the encapsulation are not supported, because a unique VLAN ID is required to map an EVC to an MST instance.
• Supports EFPs with an unambiguous outer VLAN tag (that is, no range or list on the outer VLAN, and neither default nor untagged).
• ES20 and ES+ line cards support this feature.
• Removing dot1q encapsulation removes the EVC from MST.
• Changing the VLAN (outer encapsulation VLAN of the EVC) mapping to a different MST instance moves the EVC port to the new MST instance.
• Changing an EVC service instance to a VLAN that has not been defined in MST 1 results in mapping the EVC port to MST 0.
• The peer router of the EVC port must also be running MST.
• MST is supported only on EVC BD. EVCs without BD configuration do not participate in MST.
• When an MST is configured on the outer VLAN, you can configure any number of service instances with the same outer VLAN, as shown in the following configuration example.
Building configuration...
Current configuration : 373 bytes
interface GigabitEthernet12/5
description connected to CE1
service instance 100 ethernet
encapsulation dot1q 100 second-dot1q 1
service instance 101 ethernet
encapsulation dot1q 100 second-dot1q 2
service instance 102 ethernet
encapsulation dot1q 100 second-dot1q 120-140
Building configuration...
Current configuration : 373 bytes
interface GigabitEthernet12/6
description connected to CE1
service instance 100 ethernet
encapsulation dot1q 100 second-dot1q 1
service instance 101 ethernet
encapsulation dot1q 100 second-dot1q 2
service instance 102 ethernet
encapsulation dot1q 100 second-dot1q 120-140
Spanning tree enabled protocol mstp
Port 2821 (GigabitEthernet12/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi12/5 Root FWD 20000 128.2821 P2p
Gi12/6 Altn BLK 20000 128.2822 P2p
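The following is an added example (not part of the Cisco documentation) that applies the mapping rules from the overview and the restrictions above: an EFP joins the MST instance its outer VLAN is mapped to, the inner tag is ignored, a VLAN mapped nowhere lands in MST 0, EFPs without a bridge domain do not participate, and untagged, priority-tagged, default and ranged or listed outer encapsulations cannot be mapped. The VLAN-to-instance map and the EFP inventory are constructed; the map is chosen to agree with the sys-id-ext values in the show outputs below (VLAN 2 in MST 1, VLAN 8 in MST 2).

```python
import re

# VLAN-to-instance map of the MST region (constructed; chosen to match the
# sys-id-ext values in this page's show outputs, where VLAN 2 is in MST 1 and
# VLAN 8 in MST 2). Any VLAN not listed stays in MST 0, the CIST.
MST_VLAN_MAP = {2: 1, 8: 2}

# Encapsulations with no VLAN ID at all cannot be mapped to an instance.
NO_VLAN_ENCAPS = ("untagged", "priority-tagged", "default")


def outer_vlan(encapsulation):
    """Return the single outer VLAN ID of an EFP encapsulation.

    `encapsulation` is the text after the "encapsulation" keyword, for example
    "dot1q 2 second-dot1q 100" or "dot1ad 5 dot1q 10". Raises ValueError when
    the feature cannot map the EFP: no VLAN ID, or an outer range/list.
    The inner tag is ignored, as the page describes.
    """
    tokens = encapsulation.split()
    if not tokens:
        raise ValueError("empty encapsulation")
    kind = tokens[0]
    if kind in NO_VLAN_ENCAPS:
        raise ValueError(f"encapsulation {kind}: no VLAN ID to map to an MST instance")
    if kind not in ("dot1q", "dot1ad"):
        raise ValueError(f"unrecognised encapsulation: {encapsulation!r}")
    # Everything before the inner-tag keyword describes the outer tag.
    outer = []
    for tok in tokens[1:]:
        if tok in ("second-dot1q", "dot1q"):
            break
        outer.append(tok)
    spec = " ".join(outer)
    if not re.fullmatch(r"\d+", spec):
        raise ValueError(f"ambiguous outer tag {spec!r}: ranges and lists are not supported")
    vid = int(spec)
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range")
    return vid


def mst_instance(encapsulation, vlan_map):
    """Instance the EFP joins: the one its outer VLAN maps to, else MST 0."""
    return vlan_map.get(outer_vlan(encapsulation), 0)


def mst_membership(efps, vlan_map):
    """Group EFP ports by MST instance.

    `efps` is an iterable of (interface, service-instance id, encapsulation,
    bridge-domain or None). EFPs without a bridge domain do not participate,
    and unsupported encapsulations are reported rather than mapped.
    Returns ({instance: {interfaces}}, [(interface, id, reason), ...]).
    """
    members, skipped = {}, []
    for intf, sid, encap, bd in efps:
        if bd is None:
            skipped.append((intf, sid, "no bridge-domain: EVC does not participate in MST"))
            continue
        try:
            inst = mst_instance(encap, vlan_map)
        except ValueError as exc:
            skipped.append((intf, sid, str(exc)))
            continue
        members.setdefault(inst, set()).add(intf)
    return members, skipped


# Constructed EFP inventory: the page's g4/1 (after its move to VLAN 8) and
# g4/3 (two EFPs sharing outer VLAN 2), plus two EFPs that cannot join MST.
SAMPLE_EFPS = [
    ("Gi4/1", 1, "dot1q 8", 100),
    ("Gi4/3", 1, "dot1q 2", 100),
    ("Gi4/3", 2, "dot1q 2 second-dot1q 100", 200),
    ("Gi4/5", 1, "untagged", 300),
    ("Gi4/7", 1, "dot1q 2", None),
]

if __name__ == "__main__":
    members, skipped = mst_membership(SAMPLE_EFPS, MST_VLAN_MAP)
    for inst in sorted(members):
        print(f"MST{inst}: {sorted(members[inst])}")
    for intf, sid, why in skipped:
        print(f"skipped {intf} service instance {sid}: {why}")
```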
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. service instance id Ethernet [service-name]
5. encapsulation dot1q vlan-id
6. [no] bridge-domain bridge-id
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure.
• slot/port - Specifies the location of the interface.
Step 4
Command: [no] service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (EVC instance) on an interface and sets the device into the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 6
Command: [no] bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance.
Examples
In the following example, two interfaces participate in MST instance 0, the default instance to which all VLANs are mapped:
Router# configure terminal
Router(config)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# interface g4/3
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 2
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# end
Verification
Use this command to verify the configuration:
Router# show spanning-tree vlan 2
Spanning tree enabled protocol mstp
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1 Desg FWD 20000 128.1537 P2p
Gi4/3 Back BLK 20000 128.1540 P2p
In this example, interface gi4/1 and interface gi4/3 are connected back-to-back. Each has a service instance (EFP) attached to it. The EFP on both interfaces has an encapsulation VLAN ID of 2. Changing the VLAN ID from 2 to 8 in the encapsulation directive for the EFP on interface gi4/1 stops the MSTP from running in the MST instance to which the old VLAN is mapped and starts the MSTP in the MST instance to which the new VLAN is mapped:
Router(config-if)# interface g4/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encap dot1q 8
Router(config-if-srv)# end
Use this command to verify the configuration:
Router# show spanning-tree vlan 2
Spanning tree enabled protocol mstp
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/3 Desg FWD 20000 128.1540 P2p
Router# show spanning-tree vlan 8
Spanning tree enabled protocol mstp
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi4/1 Desg FWD 20000 128.1537 P2p
In this example, interface gi4/3 (with an EFP that has an outer encapsulation VLAN ID of 2 and a bridge domain of 100) receives a new service:
Router# configure terminal
Router(config)# interface g4/3
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encap dot1q 2 second-dot1q 100
Router(config-if-srv)# bridge-domain 200
Now there are two EFPs configured on interface gi4/3 and both of them have the same outer VLAN 2.
interface GigabitEthernet4/3
service instance 1 ethernet
service instance 2 ethernet
encapsulation dot1q 2 second-dot1q 100
The preceding configuration does not affect the MSTP operation on the interface; there is no state change for interface gi4/3 in the MST instance it belongs to.
Router# show spanning-tree mst 1
##### MST1 vlans mapped: 2
Bridge address 0009.e91a.bc40 priority 32769 (32768 sysid 1)
Root this switch for MST1
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi4/3 Desg FWD 20000 128.1540 P2p
This example shows MST on port channels:
Router# show spanning-tree mst 1
##### MST1 vlans mapped: 3
Bridge address 000a.f331.8e80 priority 32769 (32768 sysid 1)
Root address 0001.6441.68c0 priority 32769 (32768 sysid 1)
port Po5 cost 20000 rem hops 18
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p
Router# show spanning-tree vlan 3
Spanning tree enabled protocol mstp
Port 3329 (Port-channel5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p
Troubleshooting
Table 4-15 provides troubleshooting solutions for the MST on EVC Bridge Domain feature.
Table 4-15 Troubleshooting Scenarios
Problem: Multiple Spanning Tree Protocol (MSTP) incorrectly or inconsistently formed due to misconfiguration and BPDU loss
Solution: To avoid BPDU loss, re-configure the following consistently on the nodes:
• Configuration name
• Bridge revision
• Provider-bridge mode
• Instance to VLAN mapping
Determine whether node A is sending BPDUs to node B. Use the show spanning-tree mst interface gi1/1 service instance command for each interface connecting the nodes. Only designated ports relay periodic BPDUs.
Problem: MSTP correctly formed, but traffic flooding occurs
Solution: Intermittent BPDU loss occurs when the spanning tree appears incorrectly in the show commands but relays topology change notifications. These notifications cause a MAC flush, forcing traffic to flood until the MAC addresses are re-learned. Use the debug spanning-tree mst packet full {received | sent} command to debug topology change notifications.
Use the debug spanning-tree mst packet brief {received | sent} command on both nodes to check for missing BPDUs. Monitor the timestamps. A time gap greater than or equal to six seconds causes a topology change.
Problem: MSTP shows incorrect port state
Solution: When the spanning tree protocol (STP) attempts to change the port state, it uses L2VPN. Check the value of the sent update. If the value is Yes, then STP is awaiting an update from L2VPN.
Problem: Packet forwarding does not match the MSTP state
Solution: Complete the following steps to verify and troubleshoot:
1. Shut down redundant links, remove the MSTP configuration, and ensure that basic bridging works.
2. Check the state of each port as calculated by MSTP, and compare it with the packet counts transmitted and received on ports and EFPs controlled by MSTP. Normal data packets should be sent and received only on ports in the forwarding (FWD) state. BPDUs should be sent and received on all ports controlled by MSTP.
3. Ensure that BPDUs are flowing and that root bridge selection is correct, and check the related scenarios.
4. Use the show l2vpn bridge-domain detail command to confirm the status of the members of the bridge domain. Ensure that the relevant bridge domain members are active.
5. Check the forwarding state as programmed in hardware.
Configuring Link State Tracking (LST)
When a link failure occurs on a REP or MST segment, the associated protocol handles the link failure event. However, if the primary link to the switch stays up even though the corresponding uplink ports on the switch are down, REP and MST are unaware of the backbone-side failure and do not trigger a failover. The router continues to receive traffic from the access side and silently drops it for lack of backbone connectivity. Link state tracking solves this problem by binding the link status of the downlink ports to the uplink interfaces: when a configured set of uplink ports goes down, the downlink ports linked to them through the CLI are disabled as well. The downlink interfaces are error-disabled only when all the upstream interfaces in the group are down.
LST triggers REP/MST re-convergence on the access side depending on the state of the core-facing interface. The link states of the core-facing interface and the access-facing interface are bound together by a link state tracking group.
LST facilitates:
– Enabling and disabling of link state group tracking.
– Removal of downstream interfaces from a link state group.
– Performing shut/no shut on an error-disabled interface.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when you configure LST:
• Ensure that the management interfaces are not part of a link state group.
• A REP port cannot be configured as an uplink port.
• LST does not allow any interface, upstream or downstream, to be part of more than one link state group.
• You can configure a maximum of 10 link state groups.
• When you configure LST for the first time, you must add upstream interfaces to the link state group before adding downstream interfaces; otherwise the downlink interfaces are error-disabled.
• The configurable interfaces are physical (both routed and switch port), port-channel, sub-interface and VLAN.
• Upstream interfaces are required to be among:
  – L3 interface (physical or port-channel)
  – SVI
• Downstream interfaces are required to be among:
  – L2 interface
  – L2 Port-channel
  – EVC
Configuring Link State Tracking
Perform the following tasks to configure LST.
SUMMARY STEPS
1. enable
2. configure terminal
3. link state track number
4. interface slot/port
5. link state group [number] {upstream | downstream}
6. end
DETAILED STEPS
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: link state track number
Example: Router(config)# link state track 1
Purpose: Creates a link-state group and enables LST. The acceptable range is 1-10; the default value is 1.
Step 4
Command or Action: interface slot/port
Example: Router(config)# interface gigabitethernet 2/1
Purpose: Configures an interface.
Step 5
Command or Action: link state group [number] {upstream | downstream}
Example: Router(config-if)# link state group 1 upstream
Purpose: Specifies a link-state group and configures the interface as either an upstream or a downstream interface in the group. The group number can be 1 to 10; the default value is 1.
Step 6
Command or Action: end
Example: Router(config-if)# end
Purpose: Exits the CLI to privileged EXEC mode.
This example shows how to create a link-state group and configure the interfaces:
Router# configure terminal
Router(config)# link state track 1
Router(config)# interface gigabitethernet3/1
Router(config-if)# link state group 1 upstream
Router(config-if)# interface gigabitethernet3/3
Router(config-if)# link state group 1 upstream
Router(config-if)# interface gigabitethernet3/5
Router(config-if)# link state group 1 downstream
Router(config-if)# interface gigabitethernet3/7
Router(config-if)# link state group 1 downstream
Verification
Use the show link state group command to display the link-state group information.
Router> show link state group 1
Link State Group: 1 Status: Enabled, Down
Use the show link state group detail command to display detailed information about the group.
Router> show link state group detail
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
Link State Group: 1 Status: Enabled, Down
Upstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)
Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)
Link State Group: 2 Status: Enabled, Down
Upstream Interfaces : Gi3/15(Dwn) Gi3/16(Dwn) Gi3/17(Dwn)
Downstream Interfaces : Gi3/11(Dis) Gi3/12(Dis) Gi3/13(Dis) Gi3/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
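The following is an added example (not part of the Cisco documentation) that parses show link state group detail output in the format above and audits it against the rules on this page: downstream ports are error-disabled only when every upstream port in the group is down, an interface belongs to at most one group, and at most 10 groups exist. Groups 1 and 2 in the sample are the page's; group 3 is constructed to show the troubleshooting case of a downstream port that is error-disabled although an upstream port is up.

```python
import re

MAX_GROUPS = 10   # page limit: at most 10 link state groups

# Constructed sample in the format of "show link state group detail" on this
# page. Groups 1 and 2 are the page's; group 3 is added to show a downstream
# port that is error-disabled although one of its upstream ports is up.
SAMPLE_OUTPUT = """\
Router> show link state group detail
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
Link State Group: 1 Status: Enabled, Down
Upstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)
Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)
Link State Group: 2 Status: Enabled, Down
Upstream Interfaces : Gi3/15(Dwn) Gi3/16(Dwn) Gi3/17(Dwn)
Downstream Interfaces : Gi3/11(Dis) Gi3/12(Dis) Gi3/13(Dis) Gi3/14(Dis)
Link State Group: 3 Status: Enabled, Up
Upstream Interfaces : Gi3/20(Up) Gi3/21(Dwn)
Downstream Interfaces : Gi3/22(Up) Gi3/23(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
"""

GROUP_RE = re.compile(r"^Link State Group:\s*(\d+)\s+Status:\s*(\w+),\s*(\w+)")
IFACE_RE = re.compile(r"(\S+?)\((Up|Dwn|Dis)\)")


def parse_groups(text):
    """Return {group id: {"enabled", "status", "upstream", "downstream"}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = {"enabled": m.group(2) == "Enabled", "status": m.group(3),
                       "upstream": {}, "downstream": {}}
            groups[int(m.group(1))] = current
        elif current is not None and line.startswith("Upstream Interfaces"):
            current["upstream"] = dict(IFACE_RE.findall(line))
        elif current is not None and line.startswith("Downstream Interfaces"):
            current["downstream"] = dict(IFACE_RE.findall(line))
    return groups


def downstream_should_be_disabled(group):
    """The LST rule on this page: downstream ports are error-disabled only
    when every upstream port in the group is down."""
    upstream = group["upstream"]
    return bool(upstream) and all(state != "Up" for state in upstream.values())


def audit(groups):
    """Check the parsed groups against the page's rules and expected states."""
    findings = []
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} groups configured; at most {MAX_GROUPS} are allowed")
    owner = {}
    for gid, group in groups.items():
        for intf in list(group["upstream"]) + list(group["downstream"]):
            if intf in owner:
                findings.append(f"{intf} is in groups {owner[intf]} and {gid}; "
                                "an interface may belong to only one group")
            owner[intf] = gid
        if not group["enabled"]:
            continue
        expect_dis = downstream_should_be_disabled(group)
        for intf, state in group["downstream"].items():
            if expect_dis and state != "Dis":
                findings.append(f"group {gid}: {intf} is {state} but all upstream "
                                "ports are down; it should be error-disabled")
            elif not expect_dis and state == "Dis":
                findings.append(f"group {gid}: {intf} is error-disabled although an "
                                "upstream port is up; check 'show interfaces status "
                                "err-disabled' and 'show errdisable recovery'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_groups(SAMPLE_OUTPUT)):
        print(finding)
```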
Troubleshooting the Link State Tracking
Table 4-16 lists the troubleshooting issues while configuring LST:
Table 4-16 Troubleshooting LST Issues
Problem: The downstream interface is in the error-disabled state even though the upstream interfaces are up.
Solution: Use the show interfaces <interface> status err-disabled command to check why the interface is in that state. Use the show errdisable recovery command to view information about the error-disable recovery timer.
MAC Address Security for EVC Bridge Domain
Cisco 7600 series routers currently support port security on a per-port basis. For more information, see Configuring Port Security at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/port_sec.html
The Media Access Control (MAC) Address Security for EVC Bridge Domain feature addresses port security with EVCs by providing the capability to control and filter MAC address learning behavior at the granularity of a per-EFP basis. For instance, when a violation requires a shutdown, only the customer assigned to a given EFP is affected rather than all customers using the port.
Port Security and the MAC Address Security for EVC Bridge Domain feature operate independently of each other.
Cisco IOS Release 12.2(33)SRE adds support for MAC address security on EVC port-channels. This feature operates on a port-channel interface in a similar manner to how it works on a physical port. In each case, MAC security is configured on a service instance associated with a bridge domain.
This section contains the following topics:
• Restrictions and Usage Guidelines
• Enabling MAC Address Security for EVC Bridge Domain
• Disabling MAC Address Security for EVC Bridge Domain on an EFP
• Configuring MAC Address Whitelist on an EFP
• Configuring Sticky MAC Addresses on an EFP
• Configuring Secure MAC Address Aging on an EFP
• Configuring MAC Address Limiting on EFP
• Configuring MAC Address Limiting on a Bridge Domain
• Configuring Violation Response on an EFP
Restrictions and Usage Guidelines
When configuring MAC Address Security for EVC Bridge Domain, follow these restrictions and usage guidelines:
• System wide, the following limits apply to the total configured whitelist and learned MAC addresses:
  – Total number of MAC addresses supported under MAC Security is limited to 32K.
  – Total number of MAC addresses supported under MAC Security, per bridge domain, is limited to 10K.
  – Total number of MAC addresses supported under MAC Security, per EFP, is limited to 1K.
• You can configure or remove the various MAC security elements irrespective of whether MAC security is enabled on the EFP. However, these configurations become operational only after MAC security is enabled.
• Upon enabling the MAC Address Security for EVC Bridge Domain feature, existing MAC address table entries on the EFP are removed.
• The MAC Address Security for EVC Bridge Domain feature can be configured on an EFP only if the EFP is a member of a bridge domain.
• If you disassociate the EFP from the BD, the MAC security feature is completely removed.
• For a port-channel, this configuration is propagated to all member links in the port-channel. Consistent with the already implemented bridge domain EVC port-channel functionality, packets on a secured EFP are received on any member link, but all egress packets are sent out on one selected member link.
Enabling MAC Address Security for EVC Bridge Domain
This section describes how to enable MAC address security for EVC bridge domain.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4. service instance id Ethernet [service-name]
5. encapsulation dot1q vlan-id
6. bridge-domain bridge-id
7. mac security
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet, Ten Gigabit Ethernet or port-channel interface to configure.
Step 4
Command: service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 6
Command: bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance.
Step 7
Command: mac security or no mac security
Example: Router(config-if-srv)# mac security or Router(config-if-srv)# no mac security
Purpose: Enables or disables MAC security on the EFP.
Examples
This example shows how to enable MAC address security for EVC bridge domain.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
This example shows how to disable MAC address security for EVC bridge domain.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# no mac security
Disabling MAC Address Security for EVC Bridge Domain on an EFP
This section describes how to disable MAC address security for EVC bridge domain.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4. service instance id Ethernet [service-name]
5. no mac security
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet, Ten Gigabit Ethernet or port-channel interface to configure.
Step 4
Command: service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
Step 5
Command: no mac security
Example: Router(config-if-srv)# no mac security
Purpose: Disables MAC security on the EFP.
Examples
This example shows how to disable MAC address security for EVC bridge domain.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# no mac security
Configuring MAC Address Whitelist on an EFP
A whitelisted MAC address is added statically to the EFP with the mac security address permit command; whitelisted addresses count toward the secure address limit of the EFP in the same way as dynamically learned addresses.
This section describes how to configure whitelisted MAC addresses on an EFP.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4.
service instance id Ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
bridge-domain bridge-id
7.
mac security address permit mac-address
8.
mac security
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port
or
interface tengigabitethernet
slot/subslot/port
or
interface port-channel number
Example:
Router(config)# interface
gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.
|
Step 4
|
service instance id Ethernet
[service-name]
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 5
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation
dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 6
|
bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 7
|
mac security address permit mac address
Example:
Router(config-if-srv)# mac security
address permit 0000.1111.2222
|
Adds the specified MAC Address as a whitelist ("permit") MAC Address for the EFP.
|
Step 8
|
mac security
Example:
Router(config-if-srv)# mac security
|
Enables MAC Security on the EFP.
|
Examples
This example shows how to configure whitelisted MAC addresses on an EFP that is a member of a bridge domain.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security address permit 0000.1111.2222
Router(config-if-srv)# mac security
Configuring Sticky MAC Addresses on an EFP
MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained during a link-down condition and across a device reload. Sticky MAC addresses are shown in the MAC table as static addresses. To retain the sticky addresses across a reload, however, you must save the running configuration to the startup configuration.
This section describes how to configure sticky MAC addresses on an EFP.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4.
service instance id Ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
bridge-domain bridge-id
7.
mac security sticky
8.
mac security
9.
no mac security
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port
or
interface tengigabitethernet
slot/subslot/port
or
interface port-channel number
Example:
Router(config)# interface
gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.
|
Step 4
|
service instance id Ethernet
[service-name]
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 5
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation
dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 6
|
bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 7
|
mac security sticky
Example:
Router(config-if-srv)# mac security
sticky
|
Enables the sticky feature, causing all dynamic secure MAC addresses to become sticky MAC addresses. Any MAC address learned afterwards also becomes sticky.
Note To retain the sticky MAC addresses across reloads, ensure that you save the running configuration to the start up configuration.
|
Step 8
|
mac security
Example:
Router(config-if-srv)# mac security
|
Enables MAC Security on the EFP.
|
Step 9
|
no mac security
Example:
Router(config-if-srv)# no mac security
|
Disables the MAC Security on the EFP.
|
Examples
This example configures sticky MAC addresses on an EFP.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security
Configuring Secure MAC Address Aging on an EFP
This section shows how to configure aging of secured MAC addresses under MAC Security. Secured MAC addresses are not subject to the normal aging of MAC table entries in the system. By default, secure MAC addresses do not age out.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4.
service instance id Ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
bridge-domain bridge-id
7.
mac security aging time m [inactivity]
8.
mac security aging static
9.
mac security aging sticky
10.
mac security
11.
no mac security
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port
or
interface tengigabitethernet
slot/subslot/port
or
interface port-channel number
Example:
Router(config)# interface
gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.
|
Step 4
|
service instance id Ethernet
[service-name]
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 5
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation
dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 6
|
bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 7
|
mac security aging time m [inactivity]
Example:
Router(config-if-srv)# mac security
aging time 200
|
Sets the aging time in minutes for secure addresses (range is 0 to 1440). The optional inactivity keyword specifies that an address ages out because of inactivity of the sending host, as opposed to absolute aging measured from the time the address was learned.
|
Step 8
|
mac security aging static
Example:
Router(config-if-srv)# mac security
aging static
|
Applies aging controls to statically configured addresses.
|
Step 9
|
mac security aging sticky
Example:
Router(config-if-srv)# mac security
aging sticky
|
Applies aging controls to sticky addresses.
|
Step 10
|
mac security
Example:
Router(config-if-srv)# mac security
|
Enables MAC Security on the EFP. A sticky MAC address is shown in the MAC table as a static address.
|
Step 11
|
no mac security
Example:
Router(config-if-srv)# no mac security
|
Disables the MAC Security on the EFP.
|
Examples
This example shows how to configure the aging time for secure addresses to 10 minutes.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10
Router(config-if-srv)# mac security
This example shows a configuration where the aging out of addresses is based on inactivity of the sending hosts. An address will age out if it is not seen for 10 minutes.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security aging time 10 inactivity
Router(config-if-srv)# mac security
The mac security aging time command only ages out secure addresses that are learned. To enable aging out of whitelist or sticky addresses when the mac security aging time command is configured, use the mac security aging static command (applies aging controls to statically configured addresses) or the mac security aging sticky command (applies aging controls to persistent, that is, sticky, addresses). The configuration below shows an example of applying aging to a sticky address.
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security aging time 100
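The interaction between the aging time, the inactivity keyword and the aging static and aging sticky commands is easier to see in a small model. The following Python is an added example, not Cisco code and not part of this guide: it keeps a per-EFP table of secure addresses, records when each was learned and last seen on a simulated clock in minutes, and ages entries as the steps above describe. The entry kinds, the demo() walk-through and its sample MAC addresses are constructed for the example.

```python
"""Model of secure-MAC-address aging on an EFP (added example, not Cisco code).

Semantics reproduced from the page: secure addresses do not age by default
(aging time 0); "mac security aging time m" ages learned addresses only;
"inactivity" measures from the last frame seen instead of from the time of
learning; "aging static" and "aging sticky" extend aging to whitelisted and
sticky addresses.  Time is a simulated clock in minutes.
"""
from dataclasses import dataclass
from typing import Dict, List

DYNAMIC, STATIC, STICKY = "dynamic", "static", "sticky"   # entry kinds (constructed)


@dataclass
class SecureEntry:
    mac: str
    kind: str
    learned_at: float      # minute the entry was created
    last_seen: float       # minute a frame from this source was last seen


@dataclass
class AgingPolicy:
    time_min: int = 0          # mac security aging time m   (0 = no aging)
    inactivity: bool = False   # ... inactivity keyword
    age_static: bool = False   # mac security aging static
    age_sticky: bool = False   # mac security aging sticky

    def __post_init__(self) -> None:
        if not 0 <= self.time_min <= 1440:          # range stated on the page
            raise ValueError("aging time must be 0-1440 minutes")


class EfpSecureTable:
    """Secure addresses of one EFP with their aging bookkeeping."""

    def __init__(self, policy: AgingPolicy) -> None:
        self.policy = policy
        self.entries: Dict[str, SecureEntry] = {}

    def permit(self, mac: str, now: float) -> None:
        """mac security address permit <mac>: a whitelisted (static) entry."""
        self.entries[mac] = SecureEntry(mac, STATIC, now, now)

    def learn(self, mac: str, now: float, sticky: bool = False) -> None:
        """Dynamic learning; with 'mac security sticky' the entry becomes sticky."""
        kind = STICKY if sticky else DYNAMIC
        self.entries.setdefault(mac, SecureEntry(mac, kind, now, now))

    def seen(self, mac: str, now: float) -> None:
        """Refresh the inactivity timer when a frame from a secured source arrives."""
        if mac in self.entries:
            self.entries[mac].last_seen = now

    def subject_to_aging(self, entry: SecureEntry) -> bool:
        p = self.policy
        return (entry.kind == DYNAMIC
                or (entry.kind == STATIC and p.age_static)
                or (entry.kind == STICKY and p.age_sticky))

    def expire(self, now: float) -> List[str]:
        """Remove entries whose timer has run out and return their MACs."""
        if self.policy.time_min == 0:
            return []                                    # default: never age out
        aged = []
        for mac, e in list(self.entries.items()):
            if not self.subject_to_aging(e):
                continue
            reference = e.last_seen if self.policy.inactivity else e.learned_at
            if now - reference >= self.policy.time_min:
                aged.append(mac)
                del self.entries[mac]
        return aged


def demo() -> dict:
    """Walk through the three configurations shown in the page's examples."""
    a, b, c = "0000.1111.2222", "0000.1111.3333", "0000.1111.4444"   # constructed
    out = {}
    # 1) aging time 10 (absolute): learned at t=0, traffic at t=5, gone at t=10
    t = EfpSecureTable(AgingPolicy(time_min=10))
    t.learn(a, 0)
    t.seen(a, 5)
    out["absolute"] = (t.expire(9), t.expire(10))
    # 2) aging time 10 inactivity: the frame at t=5 restarts the timer
    t = EfpSecureTable(AgingPolicy(time_min=10, inactivity=True))
    t.learn(a, 0)
    t.seen(a, 5)
    out["inactivity"] = (t.expire(10), t.expire(15))
    # 3) sticky + aging time 100: sticky entries age only with 'aging sticky'
    t = EfpSecureTable(AgingPolicy(time_min=100))
    t.learn(b, 0, sticky=True)
    t.permit(c, 0)
    out["no_sticky_aging"] = t.expire(500)
    t = EfpSecureTable(AgingPolicy(time_min=100, age_sticky=True))
    t.learn(b, 0, sticky=True)
    t.permit(c, 0)
    out["sticky_aging"] = t.expire(500)
    return out
```

demo() mirrors the three configurations in the examples: with absolute aging the address learned at minute 0 is removed at minute 10 even though it sent a frame at minute 5; with inactivity that frame restarts the timer and the address survives until minute 15; and a sticky address outlives an aging time of 100 until aging sticky is also configured, while the whitelisted address stays because aging static is not.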
Configuring MAC Address Limiting on EFP
This section describes how to configure an upper limit for the number of secured MAC addresses allowed on an EFP. This includes addresses added as part of a whitelist, as well as dynamically learned MAC addresses. If the upper limit is decreased, one or more learned MAC entries may be removed. The default limit is 1.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4.
service instance id Ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
bridge-domain bridge-id
7.
mac security maximum addresses n
8.
mac security
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port
or
interface tengigabitethernet
slot/subslot/port
or
interface port-channel number
Example:
Router(config)# interface
gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.
|
Step 4
|
service instance id Ethernet
[service-name]
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 5
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation
dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 6
|
bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge-domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 7
|
mac security maximum addresses n
Example:
Router(config-if-srv)# mac security
maximum addresses 10
|
Sets (or changes) the maximum number of secure addresses permitted on the EFP to the integer value n. The acceptable range is 1 to 1024 secure addresses.
|
Step 8
|
mac security
Example:
Router(config-if-srv)# mac security
|
Enables MAC Security on the EFP.
|
Examples
This example configures an upper limit of 10 for the number of secured MAC addresses allowed on an EFP.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security maximum addresses 10
Router(config-if-srv)# mac security
Configuring MAC Address Limiting on a Bridge Domain
This section describes how to configure an upper limit for the number of secured MAC addresses located on the bridge domain.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [broadcast] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [lan-fcs] [split-horizon]
4.
mac limit maximum addresses [n]
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
bridge-domain vlan-id [access | dot1q
[tag] | dot1q-tunnel] [broadcast]
[ignore-bpdu-pid] [pvst-tlv CE-vlan]
[increment] [lan-fcs] [split-horizon]
Example:
Router(config)# bridge-domain 12
|
Specifies the bridge domain.
|
Step 4
|
mac limit maximum addresses [n]
Example:
Router(config-bdomain)# mac limit
maximum addresses 1000
|
Sets the limit for maximum addresses. The default value is 10240.
|
Examples
This example configures an upper limit of 1000 for the number of secured MAC addresses.
Router# configure terminal
Router(config)# bridge-domain 100
Router(config-bdomain)# mac limit maximum addresses 1000
Configuring Violation Response on an EFP
This section describes how to specify the behavior of the device when an attempt to dynamically learn a MAC address fails because of a violation of the MAC Security policy configured on the EFP. The default violation response is EFP shutdown.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or interface port-channel number
4.
service instance id Ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
bridge-domain bridge-id
7.
mac security violation restrict or mac security violation protect
8.
mac security
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface gigabitethernet
slot/subslot/port
or
interface tengigabitethernet
slot/subslot/port
or
interface port-channel number
Example:
Router(config)# interface
gigabitethernet 4/1
|
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet or the port-channel interface to configure.
|
Step 4
|
service instance id Ethernet
[service-name]
Example:
Router(config-if)# service instance 101
ethernet
|
Creates a service instance (an instance of an EVC) on an interface and sets the device into the config-if-srv submode.
|
Step 5
|
encapsulation dot1q vlan-id
Example:
Router(config-if-srv)# encapsulation
dot1q 13
|
Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance.
|
Step 6
|
bridge-domain bridge-id
Example:
Router(config-if-srv)# bridge-domain 12
|
Binds the service instance to a bridge domain instance where bridge-id is the identifier for the bridge domain instance.
|
Step 7
|
mac security violation restrict
or
mac security violation protect
Example:
Router(config-if-srv)# mac security
violation restrict
|
Sets the violation mode to restrict or protect.
The no form of this command sets the violation response back to the default (shutdown). In restrict mode the packets are dropped and an error message is logged at the warning level; in protect mode the packets are silently dropped and no message is logged.
|
Step 8
|
mac security
Example:
Router(config-if-srv)# mac security
|
Enables MAC Security on the EFP.
|
Examples
This example configures a restrict violation response on EFP.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security violation restrict
Router(config-if-srv)# mac security
Error Recovery
This section describes how to recover from a violation that caused an EFP shutdown (the default violation response) and contains the following sections:
Manual recovery
Automatic recovery
Manual Recovery
For manual recovery, use the clear ethernet service instance id id interface interface-name errdisable privileged EXEC command to bring the service instance out of the error-disabled state, as shown below:
Router# clear ethernet service instance id 10 interface gi1/1 errdisable
Automatic recovery
For automatic recovery, use the errdisable recovery cause mac-security command. You must specify the timer interval; the valid range is 30 to 86400 seconds. In the configuration example that follows, the EFP recovers 60 seconds after the violation causes the shutdown.
Router# configure terminal
Router(config)# interface GigabitEthernet 2/1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# mac security
Router(config-if-srv)# errdisable recovery cause mac-security 60
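To make the limiting, violation-response and recovery behaviour described in the last three procedures concrete, here is a small Python model. It is an added example and not Cisco code: it tracks whitelisted and learned addresses per EFP, enforces the per-EFP maximum and an optional bridge-domain limit, applies the shutdown, restrict or protect response when learning fails, and models both manual and timed errdisable recovery. The EFP labels, sample MAC addresses and log text are constructed; whether learned addresses survive recovery and which entries are evicted when the limit is lowered are assumptions, marked as such in the code.

```python
"""Model of MAC address limiting, violation response and errdisable recovery
on an EFP (added example, not Cisco code).  Behaviour follows the page: a
per-EFP limit (default 1, range 1-1024) that whitelisted and learned
addresses both count toward, an optional bridge-domain limit (default
10240), violation responses shutdown (default), restrict and protect, and
manual or timed errdisable recovery (interval 30-86400 seconds).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class Efp:
    name: str                        # constructed label such as "Gi2/1 si 10"
    bridge_domain: int
    max_addresses: int = 1           # mac security maximum addresses n
    violation: str = SHUTDOWN        # mac security violation {restrict | protect}
    permitted: Set[str] = field(default_factory=set)   # mac security address permit
    learned: List[str] = field(default_factory=list)   # dynamic entries, oldest first
    errdisabled_at: Optional[float] = None
    violations: int = 0
    last_violation: Optional[Tuple[str, float]] = None
    syslog: List[str] = field(default_factory=list)

    def secured(self) -> Set[str]:
        return self.permitted | set(self.learned)


class MacSecurity:
    def __init__(self, recovery_interval: Optional[int] = None) -> None:
        # errdisable recovery cause mac-security <interval>; None = manual recovery only
        if recovery_interval is not None and not 30 <= recovery_interval <= 86400:
            raise ValueError("recovery interval must be 30-86400 seconds")
        self.recovery_interval = recovery_interval
        self.efps: Dict[str, Efp] = {}
        self.bd_limit: Dict[int, int] = {}   # bridge-domain 'mac limit maximum addresses'

    def add_efp(self, efp: Efp) -> None:
        if not 1 <= efp.max_addresses <= 1024:
            raise ValueError("maximum addresses must be 1-1024")
        self.efps[efp.name] = efp

    def set_max(self, name: str, n: int) -> List[str]:
        """Change the limit; lowering it evicts excess learned entries (newest first: assumption)."""
        efp = self.efps[name]
        if not 1 <= n <= 1024:
            raise ValueError("maximum addresses must be 1-1024")
        efp.max_addresses = n
        evicted = []
        while len(efp.secured()) > n and efp.learned:
            evicted.append(efp.learned.pop())
        return evicted

    def bd_count(self, bd: int) -> int:
        return sum(len(e.secured()) for e in self.efps.values() if e.bridge_domain == bd)

    def ingress(self, name: str, src_mac: str, now: float) -> str:
        """Decide what happens to a frame from src_mac: 'forward', 'drop' or 'errdisable'."""
        efp = self.efps[name]
        if efp.errdisabled_at is not None:
            return "drop"                          # the EFP is shut down
        if src_mac in efp.secured():
            return "forward"                       # already a secure address
        bd_room = self.bd_count(efp.bridge_domain) < self.bd_limit.get(efp.bridge_domain, 10240)
        if len(efp.secured()) < efp.max_addresses and bd_room:
            efp.learned.append(src_mac)            # dynamic learning succeeds
            return "forward"
        # Learning failed: record the violation and apply the configured response.
        efp.violations += 1
        efp.last_violation = (src_mac, now)
        if efp.violation == RESTRICT:              # drop and log (constructed message text)
            efp.syslog.append(f"mac security violation on {efp.name} by {src_mac}")
            return "drop"
        if efp.violation == PROTECT:               # drop silently
            return "drop"
        efp.errdisabled_at = now                   # shutdown (the default response)
        return "errdisable"

    def recover(self, name: str, now: float, manual: bool = False) -> bool:
        """clear ... errdisable (manual=True) or timed recovery; True if the EFP came back up."""
        efp = self.efps[name]
        if efp.errdisabled_at is None:
            return False
        due = (self.recovery_interval is not None
               and now - efp.errdisabled_at >= self.recovery_interval)
        if manual or due:
            efp.errdisabled_at = None              # learned addresses are kept (assumption)
            return True
        return False
```

With an EFP limited to two addresses, the third unknown source shuts the EFP down and every later frame is dropped until recover() is called manually or the configured interval has elapsed; with violation restrict the same third source is dropped and logged while the EFP stays up, and with violation protect it is dropped without a log entry. A bridge-domain limit is checked in addition to the per-EFP limit, so the first learning attempt that would exceed either one is treated as a violation.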
Verification
Use the following commands to verify operation.
Command
|
Purpose
|
Router# show ethernet service instance id id interface interface mac security address
|
Displays the secure addresses on the specified EFP.
|
Router# show ethernet service instance id id interface interface mac security last violation
|
Displays the last violation recorded on the specified EFP.
|
Router# show ethernet service instance id id interface interface mac security statistics
|
Displays the number of allowed and actual secured addresses and the number of violations recorded on the EFP.
|
Router# show ethernet service instance id id interface interface mac security
|
Displays the MAC Security status of the specified EFP.
|
Router# show ethernet service instance mac security address
|
Displays the secure addresses on all the EFPs in the system.
|
Router# show ethernet service instance mac security last violation
|
Displays information about the last violation recorded on the device (across all service instances) and information about the last violation recorded on each of the service instances.
|
Router# show ethernet service instance mac security statistics
|
Displays the number of allowed and actual secured addresses, as well as the number of violations recorded on all the EFPs in the system.
|
Router# show ethernet service instance mac security
|
Displays all the EFPs in the system that have MAC Security enabled.
|
Router# show bridge-domain id mac security address
|
Displays the secure addresses on all EFPs belonging to the specified bridge domain.
|
Router# show bridge-domain id mac security last violation
|
Displays information about the last violation recorded on each of the service instances belonging to the bridge domain.
|
Router# show bridge-domain id mac security statistics
|
Displays the number of allowed and actual secured addresses, as well as the number of violations recorded on all the EFPs that belong to the specified bridge domain.
|
Router# show bridge-domain id mac security
|
Displays all the EFPs that belong to the specified bridge domain, and that have MAC Security enabled.
|
Troubleshooting
Table 4-17 provides troubleshooting solutions for the MAC Security feature.
Table 4-17 Troubleshooting Scenarios for MAC Security feature
Problem
|
Solution
|
MAC security errors on the RP
|
Use the debug ethernet service instance id id interface interface mac security errors and debug ethernet service instance id id interface interface mac table errors commands. Share the output with TAC for further investigation.
|
MAC security errors on the SP
|
Use the debug ethernet service instance mac security errors and debug ethernet service instance mac table errors commands to troubleshoot mac security issues on the RP.
|
EFP is disabled and is unable to automatically recover from error disable state
|
Use the errdisable recovery cause mac-security interval or clear ethernet service instance id id interface interface-name errdisable commands to re-enable the EFP.
|
Mac security aging timer is inactive
|
When mac security aging time inactivity is configured, the hardware MAC table aging timer for the EFP VLAN is set with the mac address-table aging-time time [vlan vlan-id] configuration command. To resolve the aging timer inactivity, reset the aging time to the default value of 300 seconds.
|
CFM and PVST Co-Existence
Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation. Currently, Ethernet CFM supports inward facing and outward facing Maintenance Endpoints (MEPs). For information on Ethernet Connectivity Fault Management, see http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
The CFM and PVST Co-Existence feature allows Per Vlan Spanning Tree (PVST) and CFM to co-exist on Cisco 7600 series routers.
The CFM and PVST Co-Existence feature makes use of these Ethernet components:
•
Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network.
•
Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface.
Each EFP is identified with an EVC. An EVC ID is globally unique within a network. In addition, an EFP is associated with one bridge domain. All the EFPs in a bridge domain belong to the same EVC (when specified).
For EFPs, untagged, single-tagged, and double-tagged encapsulations exist with dot1q, QinQ, and IEEE dot1ad Ether types. Different EFPs belonging to a bridge domain can have different encapsulations.
Restrictions and Usage Guidelines
When configuring CFM and PVST Co-Existence, follow these restrictions and usage guidelines:
•
The following line cards and supervisors that have three or more match registers are supported:
–
ES20 line cards
–
ES+ line cards
–
RSP720-3C-10GE and
–
Supervisor Engine 32
–
WS-X67xx line cards (with supported supervisor)
•
Generic VLAN Registration Protocol (GVRP) and CFM coexistence is also supported
•
The following co-existing configurations are supported:
–
PVST and CFM; you must configure PVST before configuring CFM
–
Generic VLAN Registration Protocol (GVRP) and CFM; you must configure GVRP before configuring CFM
–
PVST and GVRP; there is no restriction for the order of configuration.
•
CFM uses two match registers to identify the control packet type; PVST also uses a match register to identify its control packet type. So in order for both protocols to work on the same system each line card needs to support three match registers, at least one being able to support only a 44 bit MAC match.
–
This message is displayed when no match registers are available.
CFM is enabled system wide except on supervisor ports due to spanning tree
configuration on supervisor ports for CFM due to hardware limitations on these
ports. Continued with enabling CFM system-wide to allow coexistence with other
protocols such as PVST.
Administrator action may be required. Ensure no CFM traffic is presented to any
supervisor ports via configuration. If not possible configure STP mode to MST and
re-enable CFM or disable CFM completely.
–
This message is displayed when the 48 bit match register is not available.
CFM is enabled system wide except it's disabled on supervisor ports due to spanning
tree or GVRP configuration. Unable to program all port ASIC MAC match registers
on supervisor ports for CFM due to hardware limitations on these ports. Continued
with enabling CFM system-wide to allow coexistence with other protocols such such
as PVST or GVRP.System has handled this by disabling CFM on all supervisor ports.
If this is unacceptable configure STP mode to MST and re-enable CFM or disable CFM
completely.
–
This message is displayed, if after configuring PVST-CFM or GVRP-CFM co-existence, an attempt is made to power up an unsupported line card or to insert an unsupported line card into the router:
Unsupported module in slot 3, power not allowed: Module has insufficient match
registers. Enabled relevant protocols include SSTP CFM_MULTICAST.
Note
Slot 3 in the above message refers to the module with insufficient match registers.
Configuring PVST and CFM Co-Existence
Note
PVST mode is the default spanning-tree mode. It is enabled when you boot the router.
Note
You cannot disable PVST spanning-tree mode or MST spanning-tree mode with the no versions of the spanning-tree mode mst or spanning-tree mode pvst commands; you must enable the other spanning-tree mode to disable the existing spanning-tree mode. For example, if you want to disable the MST spanning-tree mode, you must enable the PVST spanning-tree mode.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
spanning-tree mode pvst
4.
ethernet cfm enable
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
spanning-tree mode pvst
Example:
Router(config)# spanning-tree mode pvst
|
Configures Per-VLAN Spanning Tree+ (PVST+) mode.
|
Step 4
|
ethernet cfm enable
Example:
Router(config)# ethernet cfm enable
|
Enables connectivity fault management (CFM) processing globally on a device.
|
The following example configures PVST and CFM Co-Existence:
Router# configure terminal
Router(config)# spanning-tree mode pvst
Router(config)# ethernet cfm enable
Configuring GVRP and CFM Co-Existence
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
gvrp global
4.
ethernet cfm enable
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
gvrp global
Example:
Router(config)# gvrp global
|
Enables GVRP globally.
|
Step 4
|
ethernet cfm enable
Example:
Router(config)# ethernet cfm enable
|
Enables connectivity fault management (CFM) processing globally on a device.
|
The following example configures GVRP and CFM Co-Existence:
Router# configure terminal
Router(config)# gvrp global
Router(config)# ethernet cfm enable
Configuring PVST and GVRP Co-Existence
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
gvrp global
4.
spanning-tree mode pvst
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
|
Enables privileged EXEC mode.
• Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
gvrp global
Example:
Router(config)# gvrp global
|
Enables GVRP globally.
|
Step 4
|
spanning-tree mode pvst
Example:
Router(config)# spanning-tree mode pvst
|
Configures Per-VLAN Spanning Tree+ (PVST+) mode.
|
The following example configures PVST and GVRP Co-Existence:
Router# configure terminal
Router(config)# gvrp global
Router(config)# spanning-tree mode pvst
Verification
Use the following commands to verify operation.
Command
|
Purpose
|
Router# show running-config
|
Displays the contents of the current running configuration file or the configuration for a specific module.
|
Router# remote command switch show platform mrm info
|
Displays protocols using port ASIC match registers. However, the feature will not be enabled if the match registers are not programmed.
|
Custom Ethertype for EVC Interfaces
The custom ethertype feature allows you to configure the ethertype to be used for the outer tag of dot1q and QinQ packets. By default, the Cisco 7600 series router uses ethertype 0x8100 for dot1q and QinQ outer tags. The following ethertypes can be configured under a physical port:
•
0x8100 - 802.1q
•
0x9100 - Q-in-Q
•
0x9200 - Q-in-Q, and
•
0x88a8 - 802.1ad
You can use the dot1q tunneling ethertype ethertype-value command to configure the custom ethertype on a physical port.
In the following sample configuration, the ethertype is set to 0x9100 and a service instance is created with its encapsulation, which is the point at which a rewrite can be applied:
interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
service instance <number> ethernet
encapsulation dot1q <vlan 1> [second-dot1q <vlan 2>]
Note
802.1q (0x8100) is the default ethertype setting.
Note
Cisco IOS Release 12.2(33)SRE adds support for custom ethertype to port-channels.
Supported Rewrite Rules for a Custom Ethertype Configuration
Rewriting allows you to add or remove VLAN tags in the packets transferred between two customer sites in the service provider networks.
The following types of Rewrites are supported on a Network-to-Network Interface (NNI):
•
Non-Range on C-Tag on NNI
•
Range on C-Tag on NNI
Supported Rewrites for Non-Range on C-Tag with a NNI
When Custom Ethertype is configured within the NNI physical interface and VLAN range is not specified, the following Rewrites are supported for a provider bridge:
•
For "encapsulation untagged":
–
No Rewrite
–
Rewrite ingress tag push dot1q <vlan1> [second-dot1q <vlan2>] symmetric
•
For "encapsulation default":
–
No Rewrite
•
For "encapsulation dot1q <vlan>":
–
No Rewrite
–
Rewrite ingress tag pop 1 symmetric
–
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric, and
–
Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
•
For "encapsulation dot1q <vlan1> second-dot1q <vlan2>":
–
No Rewrite
–
Rewrite ingress tag pop 1 symmetric
–
Rewrite ingress tag pop 2 symmetric
–
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
–
Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
–
Rewrite ingress tag translate 2-to-1 dot1q <vlan> symmetric, and
–
Rewrite ingress tag translate 2-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
Supported Rewrites for Range on C-Tag with a NNI
When a VLAN range is specified on the C-Tag, push Rewrites are not supported. The following Rewrites are supported for VLAN range on C-Tag:
•
For "encapsulation dot1q <vlan1 - vlan2>":
–
No Rewrite
•
For "encapsulation dot1q <vlan1> second-dot1q <vlan2 - vlan3>":
–
No Rewrite
–
Rewrite ingress tag pop 1 symmetric
–
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
–
Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
Note
To avoid hierarchical provider bridges when any Custom Ethertype is configured, NNI interface does not support "ingress push" Rewrite except for "encap untagged".
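As an added example (not Cisco code or anything from this guide), the following Python models what the custom ethertype and the rewrite rules above mean for a frame on the wire: parse_frame reads up to two tags where the outer tag must carry the port's configured ethertype, matches_encap checks the tag stack against an EFP encapsulation, apply_rewrite performs the ingress side of a symmetric rewrite, and rewrite_allowed encodes the supported-rewrite lists for an NNI with a custom ethertype. It assumes the inner tag always uses 0x8100, models an encapsulation as a tuple of VLAN IDs or (low, high) ranges, does not model encapsulation default, and treats a range on the outer tag of a double-tagged encapsulation as unsupported because the lists above mention only inner-tag ranges; the sample frame in the test is constructed.

```python
"""Tag-stack model for an NNI port with a custom outer ethertype
(added example, not Cisco code).  The outer tag must carry the port's
configured 'dot1q tunneling ethertype'; an inner tag is always 0x8100
(assumption).  Encapsulations are tuples: () untagged, (outer,) dot1q,
(outer, inner) dot1q second-dot1q, where each element is a VLAN ID or a
(low, high) range.  Rewrites are tuples such as ("pop", "1"),
("push", [10]) or ("translate", "2-to-1", [50]).
"""
import struct
from typing import List, Optional, Tuple, Union

Vid = Union[int, Tuple[int, int]]
CUSTOM_ETHERTYPES = (0x8100, 0x9100, 0x9200, 0x88A8)   # values listed on the page


def parse_frame(frame: bytes, outer_tpid: int) -> Tuple[List[int], int, bytes]:
    """Return (vids outer-first, ethertype, payload) after at most two tags."""
    if outer_tpid not in CUSTOM_ETHERTYPES:
        raise ValueError("unsupported outer ethertype")
    off, vids, expected = 12, [], outer_tpid
    while len(vids) < 2:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid != expected:
            break                                  # not a tag for this port
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
        expected = 0x8100                          # inner C-tag is always 802.1Q
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int,
                payload: bytes, outer_tpid: int) -> bytes:
    """Serialize a frame; the first tag gets the custom ethertype, the second 0x8100."""
    out = dst + src
    for i, vid in enumerate(vids):
        out += struct.pack("!HH", outer_tpid if i == 0 else 0x8100, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def _vid_matches(vid: int, spec: Vid) -> bool:
    return spec[0] <= vid <= spec[1] if isinstance(spec, tuple) else vid == spec


def matches_encap(vids: List[int], encap: Tuple[Vid, ...]) -> bool:
    """True when the tag stack matches the EFP encapsulation exactly."""
    return len(vids) == len(encap) and all(_vid_matches(v, s) for v, s in zip(vids, encap))


def rewrite_allowed(encap: Tuple[Vid, ...], op: Optional[Tuple]) -> bool:
    """Encode the supported-rewrite lists for an NNI with a custom ethertype."""
    if op is None:                                 # 'No Rewrite' is always allowed
        return True
    kind = op[0]
    ranged = any(isinstance(s, tuple) for s in encap)
    if not encap:                                  # encapsulation untagged: push only
        return kind == "push"
    if kind == "push":                             # no ingress push on tagged NNI EFPs
        return False
    if len(encap) == 1:                            # single tag: no rewrite with a range
        return not ranged and op[1] in ("1", "1-to-1", "1-to-2")
    if isinstance(encap[0], tuple):                # outer-tag range: not listed on the page
        return False
    if ranged:                                     # range on the inner tag only
        return op[1] in ("1", "1-to-1", "1-to-2")
    return op[1] in ("1", "2", "1-to-1", "1-to-2", "2-to-1", "2-to-2")


def apply_rewrite(vids: List[int], op: Optional[Tuple]) -> List[int]:
    """Apply the ingress half of a symmetric rewrite to a tag stack (outer first)."""
    if op is None:
        return list(vids)
    kind = op[0]
    if kind == "pop":
        return vids[int(op[1]):]
    if kind == "push":
        return list(op[1]) + vids
    if kind == "translate":                        # "a-to-b": replace a tags with b new ones
        a = int(op[1].split("-to-")[0])
        return list(op[2]) + vids[a:]
    raise ValueError(f"unknown rewrite {op}")
```

The point the two parse_frame checks make is the one the page's default note implies: a frame whose outer tag carries 0x9100 is double-tagged on a port configured with dot1q tunneling ethertype 0x9100, but on a port left at the default 0x8100 the same bytes are read as an untagged frame with ethertype 0x9100, so the service instance encapsulations will not match it.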
Restrictions and Usage Guidelines
When configuring Custom Ethertype, follow these restrictions and usage guidelines:
• If a custom ethertype is configured on the port-channel, the same ethertype is implicitly configured for all the member interfaces.
• You cannot configure a custom ethertype explicitly under a member interface of a port-channel.
• An interface configured with a custom ethertype cannot be part of a port-channel.
• An ES+ port configured with a custom ethertype cannot become a member of a port-channel.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface port-channel number
4. dot1q tunneling ethertype [0x9100 | 0x9200 | 0x88A8]
5. [no] service instance id {Ethernet [service-name]}
6. [no] encapsulation {untagged | dot1q {any | vlan-id[,vlan-id[,vlan-id]]} [second-dot1q {any | vlan-id[,vlan-id[,vlan-id]]}]}
7. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 dot1q vlan-id | 2-to-1 dot1q vlan-id | 1-to-2 dot1q vlan-id second-dot1q vlan-id | 2-to-2 dot1q vlan-id second-dot1q vlan-id}} symmetric
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port, interface tengigabitethernet slot/port, or interface port-channel number
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet, Ten Gigabit Ethernet, or port-channel interface to configure.
Step 4
Command: dot1q tunneling ethertype [0x9100 | 0x9200 | 0x88A8]
Example: Router(config-if)# dot1q tunneling ethertype 0x88A8
Purpose: Configures the Custom Ethertype (0x9100, 0x9200, or 0x88A8) on the physical interface. All service instances under the physical interface use the configured ethertype.
Step 5
Command: service instance id ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and enters the config-if-srv submode.
Step 6
Command: encapsulation {untagged | dot1q {any | vlan-id[,vlan-id[,vlan-id]]} [second-dot1q {any | vlan-id[,vlan-id[,vlan-id]]}]}
Example: Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 200
Purpose: Defines the matching criteria that map ingress dot1q, QinQ, or untagged frames on an interface to the appropriate service instance.
Step 7
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 dot1q vlan-id | 2-to-1 dot1q vlan-id | 1-to-2 dot1q vlan-id second-dot1q vlan-id | 2-to-2 dot1q vlan-id second-dot1q vlan-id}} symmetric
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 20
Purpose: Specifies the Rewrite operation.
Examples
Single Tag Encap with Connect with Custom Ethertype Configured
In the following example, Custom Ethertype is configured on a single tag encap using the connect configuration:
Router# sh running-config int Gi1/1
Building configuration...
interface GigabitEthernet 1/1
 dot1q tunneling ethertype 0x9100
 service instance 1 ethernet
Router# sh running-config int Gi1/2
interface GigabitEthernet 1/2
 dot1q tunneling ethertype 0x9100
 service instance 1 ethernet
Router(config)# connect LC1 GigabitEthernet 1/1 1 GigabitEthernet 1/2 1
Single Tag Encap with Bridge Domain
In the following example, Custom Ethertype is configured on a single tag encap using bridge domain configuration:
Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
service instance 1 ethernet
Router#sh running-config int Gi1/2
interface GigabitEthernet 1/2
dot1q tunneling ethertype 0x9100
service instance 1 ethernet
Single Tag Encap with XConnect
In the following example, Custom Ethertype is configured on a single tag encap with xconnect configuration:
Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
service instance 1 ethernet
xconnect 3.3.3.3 10 encapsulation mpls
Router#sh running-config int Gi1/2
interface GigabitEthernet 1/2
ip address 10.10.10.2 255.255.255.0
Custom Ethertype Support with Sub Interfaces
In this example, Custom Ethertype is used with a subinterface. The Custom Ethertype is always configured on the main physical interface, and the QinQ encapsulation is configured on the subinterface.
Router#sh running-config int Gi1/1
interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
interface GigabitEthernet 1/1.10
encapsulation dot1Q 10 second-dot1q 20
ip address 20.20.20.2 255.255.255.0
Verification
Use the following command to verify operation.
Command: Router# show ethernet service instance [id instance-id | interface interface-id] [detail]
Purpose: Displays information about a specific EVC if an EVC ID is specified, or about all the EVCs on an interface if an interface is specified. The detail option provides additional information about the EVC. The command can be run on the RP and LC consoles to determine the Custom Ethertype configured under a physical port.
Troubleshooting
Table 4-18 provides troubleshooting solutions for the Custom Ethertype feature.
Table 4-18
Problem: Error in custom ethertype programming for all the UP links
Solution: Use the show platform npc xlif channel-id port <port sram line command to verify that the port SRAM is programmed correctly and displays the configured ethertype. Share the output with TAC for further investigation.
Problem: Incorrect programming of the custom ethertype in a port-channel subinterface
Solution: Use the show vlan internal usage command to trace errors related to custom ethertype programming and to find the internal VLAN allocated to the subinterface. Use the internal VLAN to verify that the XLIF entry is present in the ES40 line card and that the custom ethertype is properly programmed in the XLIF.
Problem: Unknown errors and events on the port channel
Solution: Use the debug platform port-channel [event | error] command to trace port-channel events and errors. Share the output with TAC for further investigation.
Troubleshooting Scenarios
GE LAG with LACP on UNI with Advanced Load Balancing
The GE Link Aggregation with Advanced Load Balancing feature allows the user to specify the primary and multiple backup preferred member links for a service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for the given service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available, or the user has configured neither the primary nor the backup links, the 7600 platform automatically selects an egress interface for the given service instance. In this case, the user has no control over the egress interface.
If primary and backup links are configured and the primary interface goes down, one of the backup links is selected as the egress interface. When the primary interface comes back up, traffic switches back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs: the first backup link in the list is used if available, otherwise the next backup link in the list is used, and so on until an available backup link is found.
This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic. In the case of a bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with current service instance feature support and supports the existing scale of 8000 service instances per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.
Restrictions and Usage Guidelines
When configuring GE Link Aggregation with Advanced Load Balancing, follow these guidelines and restrictions:
• When the user configures a link ID for a port-channel member link and configures that member link as the preferred egress link for some service instances in that port-channel, traffic is redistributed as follows:
  – Service instances that were configured to be sent over the preferred egress member link are sent over that member link. This is the expected behavior.
  – Traffic for which the user has not configured a preferred member link is also redistributed, as described below.
For example, suppose there are 8 member links in the port-channel. The port manager allocates the load share of the member links as follows:
Member 1—Load share bit 0, Member 2—Load share bit 1,
Member 3—Load share bit 2, Member 4—Load share bit 3,
Member 5—Load share bit 4, Member 6—Load share bit 5,
Member 7—Load share bit 6, Member 8—Load share bit 7.
When the user now configures Member 1 with link ID 2, the port manager allocates load share bit 2 to Member 1. The new assignments are:
Member 1—Load share bit 2, Member 3—Load share bit 0 (the load share of the other members remains the same).
Consider the case where the platform has chosen an egress link that has load share bit 2. Before the user configured link ID 2 for Member 1, this EFP traffic was sent over Member 3. After the configuration, because Member 1 now has load share bit 2, this traffic is sent over Member 1.
The reverse also happens: traffic that was going through Member 1 before the configuration now goes through Member 3.
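The primary/backup egress selection and the load-share redistribution described above, modelled as an added Python example (not Cisco code): the sequential port-manager allocation and the link-ID swap follow the text, while the hash that stands in for the platform's automatic choice and the member numbering are assumptions.

```python
"""Model of GE LAG advanced load balancing on a port-channel.
Added example, not Cisco code: the sequential allocation of load-share bits
and the link-ID swap follow the guide's text; the hash used for the
platform's automatic (uncontrolled) choice is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import zlib


@dataclass
class PortChannel:
    members: List[int]                                   # members in port-manager order
    link_id: Dict[int, int] = field(default_factory=dict)  # member -> configured link ID
    up: Dict[int, bool] = field(default_factory=dict)      # member -> up and in the group
    # service instance -> (primary link ID, ordered list of backup link IDs)
    preferred: Dict[int, Tuple[int, List[int]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for m in self.members:
            self.up.setdefault(m, True)

    def load_share(self) -> Dict[int, int]:
        """Port-manager allocation (member -> load-share bit).
        Bits are handed out sequentially; a member with a configured link ID
        takes that bit, and the member that held it receives the freed bit."""
        bits = {m: i for i, m in enumerate(self.members)}
        for m, lid in self.link_id.items():
            holder = next((x for x, b in bits.items() if b == lid and x != m), None)
            freed = bits[m]
            bits[m] = lid
            if holder is not None:
                bits[holder] = freed
        return bits

    def member_for_bit(self, bit: int) -> Optional[int]:
        """Inverse of load_share(): the member that currently owns a bit."""
        for m, b in self.load_share().items():
            if b == bit:
                return m
        return None

    def member_for_link_id(self, lid: int) -> Optional[int]:
        for m, configured in self.link_id.items():
            if configured == lid:
                return m
        return None

    def available(self, m: Optional[int]) -> bool:
        return m is not None and self.up.get(m, False)

    def platform_bit(self, efp: int) -> int:
        """Assumed stand-in for the platform's automatic selection: a stable
        hash of the EFP ID onto the range of load-share bits."""
        return zlib.crc32(str(efp).encode()) % len(self.members)

    def egress(self, efp: int) -> Optional[int]:
        """Egress member for a service instance: the primary link if it is
        available, else the first available backup in configured order, else
        the platform's own choice (which the user does not control)."""
        primary, backups = self.preferred.get(efp, (None, []))
        candidates = ([primary] if primary is not None else []) + list(backups)
        for lid in candidates:
            m = self.member_for_link_id(lid)
            if self.available(m):
                return m
        m = self.member_for_bit(self.platform_bit(efp))
        if self.available(m):
            return m
        return next((x for x in self.members if self.up[x]), None)


if __name__ == "__main__":
    # The guide's 8-member case: configuring link ID 2 on Member 1 swaps
    # bits with Member 3, so traffic hashed to bit 2 moves from 3 to 1.
    pc = PortChannel(members=list(range(1, 9)))
    print("bit 2 before:", pc.member_for_bit(2))
    pc.link_id[1] = 2
    print("bit 2 after: ", pc.member_for_bit(2), pc.load_share())
```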
Configuring GE Link Aggregation with Advanced Load Balancing
This section describes how to configure GE LAG with LACP on UNI with Advanced Load Balancing.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. channel-group channel-group-number mode {active | on | passive} link id
5. exit
6. interface port-channel number
7. [no] service instance id {Ethernet [service-name]}
8. encapsulation dot1q vlan-id [second-dot1q vlan-id]
9. exit
10. exit
11. interface port-channel number
12. [no] port-channel load-balance link ID
13. [no] backup link ID_list
14. [no] service-instance service_instance_list
15. [no] group service_group_list
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.
Step 4
Command: channel-group channel-group-number mode {active | on | passive} link id
Example: Router(config-if)# channel-group 2 mode on link 3
Purpose: Assigns the interface to an EtherChannel group and sets its link ID.
Step 5
Command: exit
Example: Router(config-if)# exit
Purpose: Exits the current configuration mode.
Step 6
Command: interface port-channel number
Example: Router(config)# interface port-channel 11
Purpose: Creates the port-channel interface.
Step 7
Command: [no] service instance id {Ethernet [service-name]}
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and enters the config-if-srv submode.
Step 8
Command: encapsulation dot1q vlan-id [second-dot1q vlan-id]
Example: Router(config-if-srv)# encapsulation dot1q 10
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 9
Command: exit
Example: Router(config-if-srv)# exit
Purpose: Exits the current configuration mode.
Step 10
Command: exit
Example: Router(config-if)# exit
Purpose: Exits the current configuration mode.
Step 11
Command: interface port-channel number
Example: Router(config)# interface port-channel 11
Purpose: Enters interface configuration mode for the port-channel interface created in Step 6.
Step 12
Command: [no] port-channel load-balance link ID
Example: Router(config-if)# port-channel load-balance link 3
Purpose: Configures the member link identified by link ID as the preferred egress link for the port-channel's traffic and enters the load-balancing configuration submode.
Step 13
Command: [no] backup link ID_list
Example: Router(config-if-lb)# backup link 7
Purpose: Configures a list of member links to use as backup for the primary load-balancing member link. You can create multiple backup links by repeating the backup link command. If the primary port-channel member is down, the backup links are used in the order configured. If all the configured backup links are also down, a default platform algorithm selects the egress link.
Step 14
Command: [no] service-instance service_instance_list
Example: Router(config-if-lb)# service-instance 10
Purpose: Defines the set of Ethernet service instances whose traffic should egress over the member link identified in Step 12.
Step 15
Command: [no] group service_group_list
Example: Router(config-if-lb)# group 10
Purpose: Defines the Ethernet service groups that will be load-balanced over the member link identified in Step 12.
Example
The following example shows four member links across two different channel-groups:
Router(config)# interface Gi0/1
Router(config-if)# channel-group 1 mode on link 3
Router(config)# interface Gi0/2
Router(config-if)# channel-group 1 mode on link 4
Router(config)# interface Gi0/3
Router(config-if)# channel-group 2 mode on link 3
Router(config)# interface Gi0/4
Router(config-if)# channel-group 2 mode on link 7
Router(config)# interface Port-channel1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if-srv)# service instance 20 ethernet
Router(config-if-srv)# encapsulation dot1Q 20
Router(config-if-srv)# service instance 60 ethernet
Router(config-if-srv)# group 10
Router(config-if-srv)# service instance 70 ethernet
Router(config-if-srv)# group 10
Additional service instance definitions follow:
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 4
Router(config-if-lb)# service-instance 10,20-22
Router(config-if)# port-channel load-balance link 4
Router(config-if-lb)# service-instance 30-40
Router(config-if-lb)# group 10
Router(config)# interface Port-channel2
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 7
Router(config-if-lb)# service-instance 10
Verification
Use the following commands to verify operation.
Table 4-19 Commands for Displaying Traffic Storm Control Status and Configuration
Command: Router# show ethernet service instance interface interface load-balance
Purpose: Displays the current egress member-link assignments for service instances configured with port-channel load-balancing.
Command: Router# show ethernet service instance id efp interface port-channel group detail
Purpose: Displays detailed status for the specified service instance, including the egress member-link assignment, if any.
Troubleshooting Load Balancing Features
Table 4-20 provides troubleshooting solutions for the load-balancing features.
Table 4-20 Troubleshooting Scenarios
Problem: The link group creation command is rejected with the error message "Incomplete command".
Solution: Re-configure the link group with the specific link ID and the required keywords. The message indicates one of the following:
• port-channel load-balance link: missing link ID
• no port-channel load-balance link: missing link ID
• default port-channel load-balance link: missing link ID
• port-channel load-balance: missing 'link' keyword
• port-channel: missing 'load-balance' keyword
Problem: Error message "Invalid input detected".
Solution: Re-configure the link group with valid IDs.
Problem: The backup link command is rejected and an error message is displayed.
Solution: Ensure that:
• The backup link ID does not overlap with the primary link ID.
• You have not exceeded the permissible number of backup links.
• You have not entered a submode command in a deleted load-balance group.
Problem: Invalid input
Solution:
• Execute the show run command to confirm whether duplicate backup link IDs exist between two link groups.
• Ensure that the configured EFPs have valid IDs.
• Ensure that you have not configured an existing EFP ID in a different link group.
Problem: Member link is disabled
Solution: Use the show etherchannel port-channel command to verify the load share of each member link. Study the output and share the information with TAC for further investigation.
Problem: Traffic is not distributed equally among all members (port-channel load balancing issue)
Solution: Use the show ethernet service instance interface port-channel load-balance command to verify the load-balancing information for all the port channels. Share the output with TAC for further investigation.
Problem: Traffic is not distributed equally among all members (EFP load balancing issue)
Solution: Use the show ethernet service instance id efp interface port-channel group detail command to verify and display the load-balancing information for the EFPs. Share the output with TAC for further investigation.
Storm Control on Switchports and Ports Having EVCs
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast or multicast traffic storm on physical interfaces. The traffic storm control level is set as a percentage of the total available bandwidth of the port.
For information on LAN-based Ethernet line card Broadcast Storm Control, see the chapter "Configuring Traffic Storm Control" in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide at: http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/storm.html.
On ES line cards, this feature detects and controls broadcast and multicast congestion or storm scenarios through a rate control mechanism.
Storm control for ES20 and ES+ cards is supported on:
• Switchports
Note
Layer 3 (routed port) to Layer 2 (switchport) conversion is allowed only when there are no subinterfaces configured on the port.
• Ports with EVC configurations
The feature is per port, not per EVC. Hence, all EVCs under the port are subject to the same storm control rate.
In Cisco IOS Release 15.0(1)S, the following storm control feature enhancements are covered on 67xx, 6196, ES20 and ES+ line cards:
• Port-channel interfaces: Support for port-channel interfaces on ES20 and ES+ line cards.
• Shutdown: When a storm is detected and the storm traffic exceeds the accepted threshold, the affected interface moves to the error-disable state. The traffic threshold is calculated as a percentage of the total bandwidth of the port (%BW). Use the error-disable detection and recovery feature, or the shut and no shut commands, to re-enable the affected interface.
• Trap: An SNMP trap can be sent when a storm is detected.
Detecting a Broadcast Storm
A broadcast storm is detected when the following occurs:
• The port receives multicast and broadcast traffic beyond its configured bandwidth.
• The value of the TotalSuppDiscards counter increments. This value is displayed when you use the show interface gigabitEthernet <slot/port> counters storm-control command.
Restrictions and Usage Guidelines
Use the following guidelines and restrictions while configuring traffic storm control:
Note
These restrictions and usage guidelines apply only to the Cisco 7600 Series ES+ line cards.
• Traffic storm control is disabled by default.
• Unicast storm control is not supported.
• Storm control on Layer 3 interfaces is not supported.
• The storm control feature cannot be configured at the EVC level.
• The storm control rate cannot be specified in packets per second (PPS).
• Broadcast and multicast suppression share the same suppression rate; therefore, when you configure a different rate for either broadcast or multicast, the new rate applies to both broadcast and multicast.
• The storm control feature is not supported on the member interfaces of a port channel.
• Untagged frames can be subjected to storm control by creating a service instance that matches all untagged frames. Once such a service instance exists, these frames are subject to storm control like the frames of any other EVC.
• Specify the level as a percentage of the total interface bandwidth:
  – The level can be from 0 to 100.
  – The optional fraction of a level can be from 0 to 99.
  – 100 percent means no traffic storm control.
  – 0.0 percent suppresses all traffic.
  – You can specify the percentage rate to allow in units of 0.01%.
• The maximum storm control rate is 4 Gbps (on 10 Gigabit interfaces this is 40% of line rate).
• Storm control works in switchport dot1q-tunnel mode.
• When storm control is applied on an interface that has an inbound Layer 2 ACL applied, all packets are dropped irrespective of the configured suppression level.
• Any additions or changes made to the storm control configuration on the port-channel interface are automatically updated across all the port-channel member links.
• Storm control configuration or deletion is not allowed on member links.
• You can add an interface to a port-channel only if the storm control configuration on the interface and on the port-channel are alike.
  – You can either combine the member links to form a port-channel and then configure the port-channel, or change the storm control configuration on the interface to match the port-channel before adding it to the port-channel.
• Using the default interface command twice removes the storm control feature from a member-link interface.
Configuring Storm Control on Ports with EVC Configurations
This section describes how to configure storm control on ports with EVC configurations.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. [no] service instance id {Ethernet [service-name]}
5. encapsulation dot1q vlan-id
6. [no] bridge-domain bridge-id
7. storm-control {broadcast | multicast} level level[.level]
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.
Step 4
Command: [no] service instance id Ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and enters the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.
Step 6
Command: [no] bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance.
Step 7
Command: storm-control {broadcast | multicast} level level[.level]
Example: Router(config-if)# storm-control broadcast level 30
Purpose: Sets the storm control suppression level on the port.
Example
This example shows a configuration for ports with EVCs on them:
Router# configure terminal
Router(config)# interface GigabitEthernet 4/1
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 20
Router(config-if-srv)# bridge-domain 10
Router(config-if)# storm-control multicast level 45
Configuring Storm Control on Switchports
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. switchport
5. switchport mode {access | dot1q-tunnel | dynamic {auto | desirable} | private-vlan | trunk}
6. storm-control {broadcast | multicast} level level[.level]
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.
Step 4
Command: switchport
Example: Router(config-if)# switchport
Purpose: Sets the switching characteristics of the Layer 2-switched interface.
Step 5
Command: switchport mode {access | dot1q-tunnel | dynamic {auto | desirable} | private-vlan | trunk}
Example: Router(config-if)# switchport mode trunk
Purpose: Sets the interface type.
Step 6
Command: storm-control {broadcast | multicast} level level[.level]
Example: Router(config-if)# storm-control broadcast level 30
Purpose: Sets the storm control suppression level.
Example
This example shows a storm control configuration on a port configured as a switchport:
Router# configure terminal
Router(config)# interface GigabitEthernet 4/1
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# storm-control multicast level 45
Configuring Storm Control on Port Channels
Perform the following tasks to configure storm control on port channels:
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server enable traps storm-control trap-rate trap-rate
4. interface type slot/bay/port
5. storm-control {{broadcast | multicast} level level | action {shutdown | trap}}
6. end
7. show interfaces type/slot/port counters storm-control
DETAILED STEPS
Step 1
Command: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: snmp-server enable traps storm-control trap-rate trap-rate
Example: Router(config)# snmp-server enable traps storm-control trap-rate 2
Purpose: (Optional) Enables SNMP storm control trap parameters. The trap-rate range is 0 to 1000 traps per minute. However, by design the number of traps generated for storm control cannot exceed six per minute.
Step 4
Command: interface type slot/bay/port
Example: Router(config)# interface port-channel 1/0/18
Purpose: Selects an interface to configure.
Step 5
Command: storm-control {{broadcast | multicast} level level | action {shutdown | trap}}
Example: Router(config-if)# storm-control broadcast level 50
Router(config-if)# storm-control action shutdown
Purpose: Sets the broadcast or multicast suppression level for traffic storm control on the interface, and enables an action for traffic storm control on the interface: shut down the interface or send an SNMP trap. A broadcast or multicast suppression level must be configured before an action can be set.
Note A suppression level of 100% means no suppression occurs, and 0% means no traffic of the suppressed type is allowed.
The no form of the command disables storm control for broadcast or multicast traffic, or disables the specified storm-control action, on the selected interface.
Note Unicast traffic suppression is not supported on port-channel interfaces.
Step 6
Command: end
Purpose: Exits configuration mode.
Step 7
Command: show interfaces type/slot/port counters storm-control
Example: Router# show interfaces gigabitEthernet 4/1 counters storm-control
Purpose: Displays the suppression percentage and the total number of discarded packets for the three traffic storm control types (broadcast, multicast, and unicast) on the specified interface, including the TotalSuppDiscards counter, which increments whenever a traffic storm occurs.
For more information about these commands, see the following command reference guides:
• Cisco IOS Interface and Hardware Component Command Reference
• Cisco IOS Network Management Command Reference
Example
The following is a sample configuration for storm control on a Layer 2 port channel on the ES+ line card:
switchport trunk encapsulation dot1q
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control action shutdown
storm-control action trap
interface GigabitEthernet2/13
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control action shutdown
storm-control action trap
interface GigabitEthernet2/21
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control action shutdown
storm-control action trap
Use the show interfaces interface counters storm-control command to display the total suppression percentage of packets for the broadcast, multicast and unicast storm control traffic on all interfaces or on a specified interface. The storm control shutdown on an interface depends on the `TotalSuppDiscards' counter (displayed in the example). This counter increments when a traffic storm occurs.
Router# show interfaces counters storm-control
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/1 100.00 100.00 100.00 0
Gi1/2 100.00 100.00 100.00 0
Gi1/3 100.00 100.00 100.00 0
Gi1/4 100.00 100.00 100.00 0
Gi1/5 100.00 100.00 100.00 0
Gi1/6 100.00 100.00 100.00 0
Gi1/7 100.00 20.00 20.00 2943374677
Gi1/8 100.00 100.00 100.00 0
Gi1/9 100.00 100.00 100.00 0
Gi1/10 100.00 100.00 100.00 0
Gi1/11 100.00 100.00 100.00 0
Gi1/12 100.00 100.00 100.00 0
Gi1/13 100.00 100.00 100.00 0
Gi1/14 100.00 100.00 100.00 0
Gi1/15 100.00 100.00 100.00 0
Gi1/16 100.00 100.00 100.00 0
Gi1/17 100.00 100.00 100.00 0
Gi1/18 100.00 100.00 100.00 434529474
Gi1/19 100.00 100.00 100.00 0
Gi1/20 100.00 100.00 100.00 0
Gi1/21 100.00 100.00 100.00 0
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/22 100.00 100.00 100.00 499018427
Gi1/23 100.00 100.00 100.00 0
Gi1/24 100.00 100.00 100.00 0
Gi1/25 100.00 100.00 100.00 0
Gi1/26 100.00 100.00 100.00 0
Gi1/27 100.00 100.00 100.00 0
Gi1/28 100.00 100.00 100.00 0
Gi1/29 100.00 100.00 100.00 0
Gi1/30 100.00 100.00 100.00 0
Gi1/31 100.00 100.00 100.00 0
Gi1/32 100.00 100.00 100.00 0
Gi1/33 100.00 100.00 100.00 0
Gi1/34 100.00 100.00 100.00 0
Gi1/35 100.00 100.00 100.00 0
Gi1/36 100.00 100.00 100.00 0
Gi1/37 100.00 100.00 100.00 0
Gi1/38 100.00 100.00 100.00 0
Gi1/39 100.00 100.00 100.00 0
Gi1/40 100.00 100.00 100.00 0
Router# show interfaces gig1/18 counters storm-control
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/18 100.00 100.00 100.00 434529474
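An added check, not Cisco code, that parses the show interfaces counters storm-control output shown above and applies the rule from "Detecting a Broadcast Storm": a port is flagged when its TotalSuppDiscards counter has incremented between two polls. The two samples are constructed in the output format above, the 32-bit counter wrap handling is an assumption, and the 4 Gbps ceiling in allowed_rate_bps comes from the guidelines earlier in this section.

```python
"""Storm detection from `show interfaces counters storm-control` output.
Added example, not Cisco code. Samples below are constructed in the format
shown in the guide; the counter-wrap width (32 bits) is an assumption."""
from dataclasses import dataclass
from typing import Dict, List

COUNTER_WRAP = 2 ** 32          # assumed width of TotalSuppDiscards
MAX_STORM_RATE_BPS = 4_000_000_000   # 4 Gbps ceiling from the guidelines


@dataclass(frozen=True)
class StormCounters:
    port: str
    ucast_supp: float           # UcastSupp %  (100.00 = no suppression configured)
    mcast_supp: float           # McastSupp %
    bcast_supp: float           # BcastSupp %
    total_supp_discards: int    # TotalSuppDiscards


def parse_storm_counters(text: str) -> Dict[str, StormCounters]:
    """One record per port. Header rows ('Port ...') are skipped and malformed
    rows are ignored rather than guessed at."""
    rows: Dict[str, StormCounters] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Port":
            continue
        try:
            rec = StormCounters(parts[0], float(parts[1]), float(parts[2]),
                                float(parts[3]), int(parts[4]))
        except ValueError:
            continue
        rows[rec.port] = rec
    return rows


def storms(prev: Dict[str, StormCounters], cur: Dict[str, StormCounters]) -> List[dict]:
    """Ports whose TotalSuppDiscards grew between two polls. 'suppressed' lists
    the traffic types for which a level below 100% is configured; a port that
    discards with no level configured is still reported so it can be examined."""
    hits = []
    for port, now in cur.items():
        before = prev.get(port)
        delta = now.total_supp_discards - (before.total_supp_discards if before else 0)
        if delta < 0:
            delta += COUNTER_WRAP       # assume the counter wrapped once
        if delta == 0:
            continue
        suppressed = [name for name, lvl in (("broadcast", now.bcast_supp),
                                              ("multicast", now.mcast_supp))
                      if lvl < 100.0]
        hits.append({"port": port, "delta": delta, "suppressed": suppressed})
    return hits


def allowed_rate_bps(level_pct: float, port_bps: int) -> int:
    """Traffic allowed at a suppression level (percent of port bandwidth),
    clamped to the 4 Gbps ceiling (40% of a 10 Gigabit port)."""
    if not 0.0 <= level_pct <= 100.0:
        raise ValueError("level must be between 0.00 and 100.00")
    return min(int(port_bps * level_pct / 100.0), MAX_STORM_RATE_BPS)


# Constructed samples: two polls of the same card in the guide's output format.
SAMPLE_T0 = """\
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/6 100.00 100.00 100.00 0
Gi1/7 100.00 20.00 20.00 2943374677
Gi1/18 100.00 100.00 100.00 434529474
"""
SAMPLE_T1 = """\
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards
Gi1/6 100.00 100.00 100.00 0
Gi1/7 100.00 20.00 20.00 2943380000
Gi1/18 100.00 100.00 100.00 434529474
"""

if __name__ == "__main__":
    for hit in storms(parse_storm_counters(SAMPLE_T0), parse_storm_counters(SAMPLE_T1)):
        print(hit)
```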
Verification
Use the following commands to verify operation.
Table 4-21 Commands for Displaying Traffic Storm Control Status and Configuration
Command: Router# show interfaces [{type slot/port} | switchport]
Purpose: Displays the administrative and operational status of all Layer 2 LAN ports or the specified Layer 2 LAN port.
Command: Router# show interfaces [type slot/port] counters storm-control
Command: Router# show interfaces counters storm-control [module slot_number]
Purpose: Displays the total number of packets discarded for all three traffic storm control modes, on all interfaces or on the specified interface.
Storm Control over EVC
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance.
Currently, for ports where EVCs are configured, storm control can be configured only per port. When you configure storm control on a port, policing is applied to all traffic on that port. Each EVC on a port can represent a different type of customer, such as different businesses, or businesses and individuals, sharing the same port. When a traffic storm occurs, all traffic on the port is blocked, which affects the customers on all of the EVCs. To prevent this, service providers have to group similar types of customers on the same port.
Effective with Cisco IOS 15.2(2)S, storm control is supported on EVCs and policing can be applied at the EVC level. This feature enables service providers to combine different types of customers on the same port.
Restrictions for Storm Control over EVC
The following restrictions apply to storm control over EVC:
• Storm control over EVC can be configured on connect, cross-connect, and bridge-domain interfaces.
• Storm control is supported on port channel EVCs.
• Storm control over EVC can be configured only for broadcast or multicast packets, not for unicast packets.
• If storm control is already configured at the port level, you cannot configure storm control over EVC, and vice versa.
• When an EVC moves to the error-disable state, auto-recovery for storm control can be configured to occur after a predetermined interval.
• Storm control over EVC is supported only on the Cisco 7600 ES+ line card.
• SNMP traps are not supported.
• If storm control is enabled on a port channel EVC, the configuration is applied per network processor (NP).
• Only 256 policer profiles are supported per network processor.
• QoS and storm control share the same hardware policer resources.
Configuring Storm Control over EVC
Perform these steps to configure the storm control over EVC feature.
Summary Steps
1. enable
2. configure terminal
3. interface type number or interface port-channel number
4. service instance id ethernet
5. encapsulation dot1q vlan-id
6. storm-control {{broadcast | multicast} cir cir-value | action shutdown}
7. bridge-domain bridge-id
8. end
Detailed Steps

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. If prompted, enter your password.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface gigabitethernet slot/port, interface tengigabitethernet slot/port, or interface port-channel number
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet interface, Ten Gigabit Ethernet interface, or port channel to configure.
• slot/port specifies the location of the interface.
• number specifies the port channel interface.

Step 4: service instance id ethernet [service-name]
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on the interface.

Step 5: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 100
Purpose: Defines the matching criteria used to map ingress dot1q frames on the interface to the appropriate service instance.

Step 6: bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to the bridge domain instance identified by bridge-id.

Step 7: storm-control {{broadcast | multicast} cir cir-value | action shutdown}
Example: Router(config-if-srv)# storm-control broadcast cir 11000000
Purpose: Sets the storm control rate for broadcast or multicast traffic, or enables an action for traffic storm control on the interface, such as shutting down the interface.
cir-value: the acceptable range is 10000000-1000000000 for a Gigabit Ethernet interface and 100000000-10000000000 for a Ten Gigabit Ethernet interface. The recommended maximum value is up to 98 percent.

Step 8: end
Example: Router(config-if-srv)# end
Purpose: Exits configuration mode.

Note
When the ingress packets exceed the configured rate, the EVC moves to the error-disable state if the action is configured as shutdown. You can configure the EVC to return to the up state after a certain interval using the errdisable recovery cause storm-control interval command. The accepted interval ranges from 30 to 86400 seconds.
Examples
This example shows how to configure storm control over an EVC.
Router# configure terminal
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# bridge-domain 200
Router(config-if-srv)# storm-control broadcast cir 11000000
Router(config-if-srv)# end
This example shows how to configure storm control over a port channel EVC.
Router# configure terminal
Router(config)# interface port-channel 1
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 200
Router(config-if-srv)# bridge-domain 100
Router(config-if-srv)# storm-control multicast cir 11000000
Router(config-if-srv)# end
Verification
Use the show ethernet service instance id id interface type slot/port stats command to verify the storm control over EVC configuration.
Router# show ethernet service instance id 1204 interface gigabitethernet 2/7 stats
Port maximum number of service instances: 8000
Service Instance 1204, Interface GigabitEthernet2/7
Pkts In Bytes In Pkts Out Bytes Out
2262238 452447600 150570 30114000
StormControl Discard Pkts: 1809909
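For monitoring, an operator usually wants the two verification outputs above (the port-level counters from show interfaces counters storm-control and the per-EVC stats) reduced to "which ports or EVCs are actually suppressing traffic, and how much". The following parser is an added example, not part of the Cisco guide; the sample outputs embedded in it are constructed to match the formats shown in this section.

```python
"""Parse Cisco 7600 storm-control verification output and flag suppression.

Added example, not from the Cisco guide. The two samples below are constructed
to match the 'show interfaces counters storm-control' and the 'show ethernet
service instance id <id> interface <if> stats' formats shown in this section.
"""
import re

# Constructed sample of port-level output; the repeated 'Port ...' header line
# is the pager artifact seen in real output and must be skipped.
PORT_COUNTERS = """\
Port        UcastSupp %  McastSupp %  BcastSupp %  TotalSuppDiscards
Gi1/17      100.00       100.00       100.00       0
Gi1/18      100.00       100.00       100.00       434529474
Port        UcastSupp %  McastSupp %  BcastSupp %  TotalSuppDiscards
Gi1/22      100.00       100.00       100.00       499018427
Gi1/23      100.00       100.00       100.00       0
"""

# Constructed sample of EVC-level output.
EVC_STATS = """\
Port maximum number of service instances: 8000
Service Instance 1204, Interface GigabitEthernet2/7
   Pkts In   Bytes In   Pkts Out  Bytes Out
   2262238  452447600     150570   30114000
StormControl Discard Pkts: 1809909
"""

# port, three suppression thresholds (percent), total suppressed discards
PORT_RE = re.compile(r"^(\S+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+(\d+)$")
EVC_RE = re.compile(r"Service Instance (\d+), Interface (\S+)")
DISCARD_RE = re.compile(r"StormControl Discard Pkts:\s*(\d+)")


def parse_port_counters(text):
    """Return {port: TotalSuppDiscards}; header lines never match PORT_RE."""
    counters = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(5))
    return counters


def ports_with_discards(text):
    """Ports on which storm control has actually suppressed traffic."""
    return sorted(p for p, n in parse_port_counters(text).items() if n > 0)


def parse_evc_stats(text):
    """Return the EVC id, interface, ingress/egress packets and storm discards."""
    lines = text.splitlines()
    info = {}
    for i, line in enumerate(lines):
        m = EVC_RE.search(line)
        if m:
            info["evc"] = int(m.group(1))
            info["interface"] = m.group(2)
            nums = lines[i + 2].split()   # counter row follows the header row
            info["pkts_in"], info["pkts_out"] = int(nums[0]), int(nums[2])
        m = DISCARD_RE.search(line)
        if m:
            info["discards"] = int(m.group(1))
    return info


def evc_discard_ratio(text):
    """Fraction of ingress packets dropped by storm control on the EVC."""
    info = parse_evc_stats(text)
    if info.get("pkts_in", 0) == 0:
        return 0.0
    return info.get("discards", 0) / info["pkts_in"]


if __name__ == "__main__":
    print(ports_with_discards(PORT_COUNTERS))        # ['Gi1/18', 'Gi1/22']
    print(round(evc_discard_ratio(EVC_STATS), 3))    # 0.8
```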
Asymmetric Carrier-Delay
In redundant link deployments where the remote network element is enabled, a link or port may be reported as up before the port or link is actually ready to forward data. This leads to traffic loss during switchover, because up events are notified faster than the routing protocol can converge. With the existing conventional carrier delay, up and down events are notified after the same delay, which is not feasible in certain network deployments. Asymmetric carrier-delay yields more stable topologies than the conventional carrier-delay implementation.
Table 4-22 lists the differences between the conventional carrier-delay and asymmetric carrier-delay implementations.
Table 4-22 Conventional Carrier-delay versus Asymmetric Carrier-delay

| Conventional carrier-delay implementation | Asymmetric carrier-delay implementation |
|---|---|
| You can configure carrier-delay on a main physical interface. | You can configure asymmetric carrier-delay on a main physical interface. |
| The default value for symmetric carrier delay is 10 milliseconds. | The default values for asymmetric carrier-delay are as follows. For ES+ GE line cards: up time is 300 milliseconds, down time is 10 milliseconds. For ES+ 10 GE line cards: up time is 1000 milliseconds, down time is 10 milliseconds. |
| You can configure a single delay value that is used by both up and down events. | You can configure separate delay values for the up and down timers. |
| Traffic loss and timer optimization issues result from a single configurable delay value for both up and down events. | Optimal timer configurations are achieved because separate timer values are used for up and down events. |
Restrictions and Usage Guidelines
• The minimum valid carrier-delay down time that a user can configure is 11 milliseconds for Gigabit ports. By default, carrier-delay is set to 10 milliseconds during card bootup. However, if you configure a value less than 11 milliseconds, it has no effect on the carrier delay.
• Because the fast link feature and the carrier-delay feature are mutually exclusive, the fast link feature is enabled by default.
• If you configure carrier-delay values, the fast link feature is disabled on the line card.
• Although the fast link feature is configured by default on the card, the carrier-delay feature overrides the fast link feature when configured.
• If you have not configured carrier-delay values, the fast link feature values are used for down event notification.
Note
If you are using Cisco IOS release 12.2(33)SRE or an earlier release and asymmetric carrier delay is configured on the interface, the show running-config command may display carrier-delay msec 0. This issue is fixed in Cisco IOS 15.0(1)S and later releases.
Configuring Asymmetric Carrier Delay
Perform these steps to configure asymmetric carrier delay.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/port
4. carrier-delay [{up | down} [seconds] {msec | sec}]
5. end
DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface type slot/port
Example: Router(config)# interface gigabitethernet 8/0/14
Purpose: Selects the main interface to configure.

Step 4: carrier-delay [{up | down} [seconds] {msec | sec}]
Example:
Router(config-if)# carrier-delay up 300
Router(config-if)# carrier-delay down 10
Purpose: Configures the asymmetric carrier-delay up or down value in milliseconds or seconds.

Step 5: end
Example: Router(config-if)# end
Purpose: Exits configuration mode.
Verification
You can use the show run command to display the carrier-delay configurations on an ES+ physical interface. The first example shows asymmetric carrier-delay configuration and the second example shows symmetric carrier delay configuration.
Router# show running-config interface GigabitEthernet 8/0/4
Building configuration...
interface GigabitEthernet8/0/4
Router# show running-config interface GigabitEthernet 2/0/1
Building configuration...
interface GigabitEthernet2/0/1
Manual Load Balancing for EVC over Port-Channel/LACP
The Manual Load Balancing for EVC over Port-Channel/LACP feature allows the user to specify the primary and multiple backup preferred member links for a service instance. Whenever the primary member link is available (the interface is up and is part of the port-channel group), it is used as the egress interface for that service instance. When the preferred member link is not available (the interface is down or not part of the port-channel group), a backup member link is used. If none of the backup links are available, or the user has configured neither the primary nor the backup links, the 7600 platform automatically selects an egress interface for the service instance. In this case, the user has no control over the egress interface.
If primary and backup links are configured and the primary interface goes down, one of the backup links is selected as the egress interface. When the primary interface comes back up, traffic switches back to the primary interface. The backup link is selected based on the order of the configured list of backup link IDs: the first backup link in the list is used if available; otherwise the next backup link in the list is used, and so on until an available backup link is found.
This feature only changes egress EFP traffic in the port-channel and does not affect ingress traffic. In the case of a bridge domain, ingress traffic may enter any port that has an EFP in the same bridge domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect (xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect configuration. This feature coexists with existing service instance feature support and supports the existing scale of 8000 service instances per processor (all 8000 service instances can be on one interface). This feature supports HA and SSO as well as OIR.
Restrictions and Usage Guidelines
When configuring Manual Load Balancing for EVC over Port-Channel/LACP, follow these guidelines and restrictions:
• When the user configures a link ID for a port-channel member link and configures that member link as the preferred egress link for some service instances in that port-channel, traffic is redistributed as follows:
– Service instances that were configured to be sent over the preferred egress member link are sent over that member link. This is expected behavior.
– Traffic for which the user has not configured a preferred member link is also redistributed, in the following way:
For example, suppose there are 8 member links in the port-channel. The port manager allocates the load share of the member links as follows:
Member 1: load share bit 0, Member 2: load share bit 1,
Member 3: load share bit 2, Member 4: load share bit 3,
Member 5: load share bit 4, Member 6: load share bit 5,
Member 7: load share bit 6, Member 8: load share bit 7.
When the user now configures Member 1 with link ID 2, the port manager allocates load share bit 2 to Member 1. The new assignments are:
Member 1: load share bit 2, Member 3: load share bit 0 (the load share of the other members remains the same).
Consider the case where the platform has chosen, for an EFP, an egress link that has load share bit 2. Before the user configured link ID 2 for Member 1, this EFP's traffic was sent over Member 3. After the configuration, because Member 1 now has load share bit 2, this traffic is sent over Member 1.
The reverse also happens: traffic that went through Member 1 before the configuration now goes through Member 3.
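The 8-member walkthrough above, modelled in Python as an added example (this is not Cisco code, and the port manager's real internals are not documented on this page). It also goes one step beyond the text by encoding the egress selection order from the feature description (primary link, then the configured backups in order, then the platform's own choice); the platform_default parameter stands in for that last step and is an assumption of the model.

```python
"""Model of how link IDs change the port manager's load share bit assignment.

Added example, not Cisco code. It reproduces the 8-member walkthrough from
the text and adds the egress selection order from the feature description:
primary link, then configured backups in order, then the platform default.
"""


def default_load_share(members):
    """Port manager default: member N gets load share bit N-1 (members are 1-based)."""
    return {m: m - 1 for m in members}


def apply_link_id(load_share, member, link_id):
    """Give `member` load share bit `link_id`.

    Whichever member previously held that bit takes over the bit `member`
    had before (a swap), exactly as in the text's example where Member 3
    ends up with bit 0. Returns a new mapping; the input is not modified.
    """
    new = dict(load_share)
    old_bit = new[member]
    for other, bit in load_share.items():
        if bit == link_id and other != member:
            new[other] = old_bit
            break
    new[member] = link_id
    return new


def member_for_bit(load_share, bit):
    """Member link that carries EFP traffic hashed to `bit`, or None."""
    for member, b in load_share.items():
        if b == bit:
            return member
    return None


def egress_link(primary, backups, up_links, platform_default):
    """Egress member link for a service instance under manual load balancing.

    The primary is used while it is up; otherwise the first available backup
    in configured order; otherwise the platform picks (platform_default is an
    assumed stand-in for that undocumented choice).
    """
    if primary in up_links:
        return primary
    for b in backups:
        if b in up_links:
            return b
    return platform_default


if __name__ == "__main__":
    ls = default_load_share(range(1, 9))
    print(member_for_bit(ls, 2))                         # 3, before the link ID change
    ls = apply_link_id(ls, member=1, link_id=2)
    print(member_for_bit(ls, 2), member_for_bit(ls, 0))  # 1 3, after the change
    print(egress_link(3, [4], up_links={4}, platform_default=2))  # 4
```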
Configuring Manual Load Balancing for EVC over Port-Channel/LACP
This section describes how to configure manual load balancing for EVC over Port-Channel/LACP.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port or interface tengigabitethernet slot/port
4. channel-group channel-group-number mode {active | on | passive} link id
5. exit
6. interface port-channel number
7. [no] service instance id {Ethernet [service-name]}
8. encapsulation dot1q vlan-id [second-dot1q vlan-id]
9. exit
10. exit
11. interface port-channel number
12. [no] port-channel load-balance link ID
13. [no] backup link ID_list
14. [no] service-instance service_instance_list
15. [no] group service_group_list
DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface gigabitethernet slot/port or interface tengigabitethernet slot/port
Example: Router(config)# interface gigabitethernet 4/1
Purpose: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where slot/port specifies the location of the interface.

Step 4: channel-group channel-group-number mode {active | on | passive} link id
Example: Router(config-if)# channel-group 2 mode on link 3
Purpose: Assigns and configures an EtherChannel interface to an EtherChannel group.

Step 5: exit
Example: Router(config-if)# exit
Purpose: Exits the current configuration mode.

Step 6: interface port-channel number
Example: Router(config)# interface port-channel 11
Purpose: Creates the port-channel interface.

Step 7: [no] service instance id {Ethernet [service-name]}
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on the interface and places the device in the config-if-srv submode.

Step 8: encapsulation dot1q vlan-id [second-dot1q vlan-id]
Example: Router(config-if-srv)# encapsulation dot1q 10
Purpose: Defines the matching criteria used to map ingress dot1q frames on the interface to the appropriate service instance.

Step 9: exit
Example: Router(config-if-srv)# exit
Purpose: Exits the current configuration mode.

Step 10: exit
Example: Router(config-if)# exit
Purpose: Exits the current configuration mode.

Step 11: interface port-channel number
Example: Router(config)# interface port-channel 11
Purpose: Creates the port-channel interface.

Step 12: [no] port-channel load-balance link ID
Example: Router(config-if)# port-channel load-balance link 3
Purpose: Configures the specified member link interface for load-balancing the port-channel's egress traffic and enters the load-balancing configuration submode.

Step 13: [no] backup link ID_list
Example: Router(config-if-lb)# backup link 7
Purpose: Configures a list of member links to use as backups for the primary load-balancing member link. You can create multiple backup links using the backup link command. The backup links are used in order of configuration if a port-channel member is down. A default platform algorithm is used to find a backup link if all of the configured backup links are down.

Step 14: [no] service-instance service_instance_list
Example: Router(config-if-lb)# service-instance 10
Purpose: Defines the set of Ethernet service instances whose traffic should egress over the member link identified by the configuration in Step 12.

Step 15: [no] group service_group_list
Example: Router(config-if-lb)# group 10
Purpose: Defines the Ethernet service groups that will be load-balanced over the interface.
Example
The following example shows four member links across two different channel-groups:
Router(config)# interface Gi0/1
Router(config-if)# channel-group 1 mode on link 3
Router(config)# interface Gi0/2
Router(config-if)# channel-group 1 mode on link 4
Router(config)# interface Gi0/3
Router(config-if)# channel-group 2 mode on link 3
Router(config)# interface Gi0/4
Router(config-if)# channel-group 2 mode on link 7
Router(config)# interface Port-channel1
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if-srv)# service instance 20 ethernet
Router(config-if-srv)# encapsulation dot1Q 20
Router(config-if-srv)# service instance 60 ethernet
Router(config-if-srv)# group 10
Router(config-if-srv)# service instance 70 ethernet
Router(config-if-srv)# group 10
Additional service instance definitions follow:
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 4
Router(config-if-lb)# service-instance 10,20-22
Router(config-if)# port-channel load-balance link 4
Router(config-if-lb)# service-instance 30-40
Router(config-if-lb)# group 10
Router(config)# interface Port-channel2
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# backup link 7
Router(config-if-lb)# service-instance 10
Verification
Use the following commands to verify operation.
Table 4-23 Commands for Displaying Manual Load Balancing Status and Configuration

| Command | Purpose |
|---|---|
| Router# show ethernet service instance interface interface load-balance | Displays the current egress member-link assignments for service instances configured with port-channel load-balancing. |
| Router# show ethernet service instance id efp interface port-channel group detail | Displays detailed status for the specified service instance, including the egress member-link assignment, if any. |
EVC Port Channel Per Flow Load Balancing
EVC port channel per flow load balancing is implemented to load balance traffic across member links of a port channel when EVCs are configured. If this type of load balancing is not configured, EVCs configured on a port channel are statically mapped to one of the active port-channel member links, which results in the outgoing traffic being limited to the bandwidth of the member link.
In flow-based load balancing on an EVC port channel, different traffic flows over an EVC interface are identified based on the data packet header. For example, the source and destination addresses of the data packet can be used to identify a flow. The various data traffic flows are then mapped to the different member links of the port channel. After the mapping is complete, the data traffic is transmitted through the assigned member link. The flow mapping is dynamic and changes whenever the state of a member link to which a flow is assigned changes. The flow mappings can also change if member links are added to or removed from the EVC interface. Multiple flows can be mapped to each member link.
Table 4-24 lists the ACL support for EVC port channel with per-flow load balancing.
Table 4-24 ACL Support for Port Channel Per-flow Load Balancing

| ACL Type | Ingress Support | Egress Support |
|---|---|---|
| Layer 2 | Yes | No |
| Layer 3 and Layer 4 | Yes | Yes |
Ingress ACLs are internally configured on every member interface because the traffic can enter any of the member links. Therefore, the load balancing algorithm does not change the way the ingress ACLs behave.
When per-flow load balancing is configured on the port-channel, traffic for an EVC can exit from any of the member links. Therefore, with the per-flow load balancing feature enabled on the port channel, the egress ACL is internally configured on each of the member links in the egress direction. When the per-flow load balancing configuration is removed from the port-channel interface, the egress ACL information is internally removed from each active member link, and configured on the member selected by the load balancing algorithm.
Restrictions
The following restrictions apply to EVC port channel per-flow load balancing:
• When flow-based load balancing is configured, the bandwidth of the port channel should be configured to equal the port bandwidth of a member link. Use the bandwidth bandwidth_value command on the port-channel interface.
• EVC port channel per-flow load balancing is supported over connect and cross-connect.
• EVC port channel per-flow load balancing is not supported over a bridge domain.
• Flow-based load balancing cannot coexist with other load balancing schemes.
• If you configure QoS on an EVC port channel, the QoS policies are installed on each port channel member link with the same QoS configuration as the EVC port channel. For example, if you configure 1 Mbps bandwidth on an EVC port channel with four active member links, 1 Mbps is configured on each member link.
• If EVCs within a port-channel interface are part of a service group that has both EVCs and subinterfaces configured, you cannot remove the flow-based load balancing configuration.
• EVC port channel per-flow load balancing is based on the source and destination MAC addresses and the VC label.
Configuring EVC Port Channel Per Flow Load Balancing
This section describes how to configure flow-based load balancing on an EVC port channel.
Summary Steps
1. enable
2. configure terminal
3. interface port-channel channel-number
4. port-channel load-balance flow-based
5. end
Detailed Steps

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface port-channel channel-number
Example: Router(config)# interface port-channel 1
Purpose: Creates the port-channel interface.

Step 4: port-channel load-balance flow-based