Table Of Contents
clear crypto engine accelerator counter
debug hw-module subslot commands
debug hw-module subslot errors
debug hw-module subslot events
debug hw-module subslot interrupts
debug hw-module subslot ipcshim
debug hw-module subslot periodic
logging-events (T1-E1 controller)
random-detect dscp (aggregate)
random-detect precedence (aggregate)
show crypto engine accelerator statistic
show hw-module slot tech-support
show hw-module subslot transceiver
show redundancy linecard-group
show upgrade fpd package default
upgrade hw-module slot fpd file
upgrade hw-module subslot fpd file
SIP, SSC, and SPA Commands
This chapter documents new, modified, and replaced commands. All other commands used with this feature are documented in related Cisco 7600 Series Router Command Reference publications for your release, and the Cisco IOS Release 12.2 command reference and master index publications.
Commands in this document that have been replaced by new commands continue to perform their normal function in this release but are no longer documented. Support for these commands will cease in a future release.
Note
Some of the commands in this chapter apply to multiple Cisco products and are supported on different platforms. The documentation for these commands describes differences in syntax and usage for certain platform or product variations. Therefore, when you see multiple forms of syntax, examples, or usage guidelines for a command in this guide, be sure to locate the heading within the command reference page that corresponds to the related SPA (or SIP) for your platform.
New Commands
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Modified Commands
•
•
•
•
•
Replaced Commands
bridge-vlan
bridge-domain (VC configuration)
show controller cwan
show hw-module slot
bridge-domain (VC configuration)
bridge-domain
crypto engine subslot
crypto engine slot
atm sonet report
To enable the reporting of some or all ATM Synchronous Optical Network (SONET) alarms, use the atm sonet report command in interface or subinterface configuration mode. To disable the reporting of some or all ATM SONET alarms, use the no form of this command.
atm sonet report {all | b1-tca | b2-tca | b3-tca | lais | lrdi | none [ignore] | pais | plop | pplm | prdi | ptim | puneq | sd-ber | sf-ber | slof | slos}
no atm sonet report {all | b1-tca | b2-tca | b3-tca | lais | lrdi | none [ignore] | pais | plop | pplm | prdi | ptim | puneq | sd-ber | sf-ber | slof | slos}
Syntax Description
Defaults
PLOP, SLOF, and SLOS alarms are enabled. All other alarms are not enabled.
Command Modes
Interface or subinterface configuration
Command History
Usage Guidelines
The atm sonet report command enables one or more of the possible SONET alarms that can be generated by the ATM interface. By default, only the PLOP, SLOF, and SLOS alarms are enabled, but you can enable the other alarms or all alarms, as well. You can also disable one or all of the alarms using the no form of the command.
Examples
The following example shows how to enable the alarm for B1 threshold crossings:
Router# configure terminal
Router(config)# interface atm 3/1/1
Router(config-if)# atm sonet report b1-tca
Router(config-if)# end
Router#
The following example shows multiple SONET alarms being enabled for an ATM interface:
Router# configure terminalRouter(config)# interface atm 5/0/1Router(config-if)# atm sonet report b1-tcaRouter(config-if)# atm sonet report b2-tcaRouter(config-if)# atm sonet report b3-tcaRouter(config-if)# atm sonet report plopRouter(config-if)# atm sonet report sf-berRouter(config-if)# atm sonet report slofRouter(config-if)# atm sonet report slosRouter(config-if)# endRouter#The following example shows an ATM interface being configured to ignore all ATM SONET alarms, so as to allow transmit-only operation. This example shows the error message that appears if you attempt to give this command when an IP address is configured on the interface. To resolve the problem, you must first remove the IP address and then repeat the command.
Router# configure terminalRouter(config)# interface atm 3/1/1Router(config-if)# ip address 192.168.100.12 255.255.255.0Router(config-if)# atm sonet report none ignore%Configuration is not allowed: IP address is already configured on ATM3/1/1Router(config-if)# no ip address 192.168.100.12 255.255.255.0Router(config-if)# atm sonet report none ignoreRouter(config-if)#
Note
%Configuration is not allowed: <interface> is already configured to ignore alarmsRelated Commands
atm sonet threshold
To configure the bit error rate (BER) threshold values for an ATM interface, use the atm sonet threshold command in interface configuration mode. To reset a threshold value to its default value, use the no form of this command.
atm sonet threshold {b1-tca value | b2-tca value | b3-tca value | sd-ber value | sf-ber value}
no atm sonet threshold {b1-tca | b2-tca | b3-tca | sd-ber | sf-ber }
Syntax Description
Defaults
The default values are 6 (10e-6) for b1-tca, b2-tca, b3-tca, and sd-ber, and 3 (10e-3) for sf-ber.
Command Modes
Interface configuration
Command History
Usage Guidelines
The atm sonet threshold command configures the allowable threshold for errors before a Synchronous Optical Network (SONET) alarm is reported. The different SONET alarms report on errors at different points in the SONET network, allowing for the source of a problem to be more easily identified.
Use the atm sonet threshold command to increase or decrease the sensitivity of the ATM interface to these SONET alarms, depending on the nature of your network and application needs. In particular, if a particular problem seems to be occurring, you can increase the sensitivity of the related alarm to help you more quickly troubleshoot and diagnose the problem.
Examples
The following example shows how to configure the threshold for B1 threshold crossings:
Router# configure terminal
Router(config)# interface atm 3/1/1
Router(config-if)# atm sonet threshold b1-tca 9Router(config-if)# end
Router#
Use the show controllers atm command to display the currently configured BER threshold values:
Router# show controllers atm 5/1/0Interface ATM5/1/0 is upFraming mode: SONET OC3 STS-3c Clock source: LineATM framing errors:HCS (correctable): 0HCS (uncorrectable): 0SONET Subblock:APSCOAPS = 0 PSBF = 0State: PSBF_state = falseRx(K1/K2): 0 /0 Tx(K1/K2): 0 /0SECTIONLOF = 0 LOS = 0 BIP(B1) = 603LINEAIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018PATHAIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2Active Defects: NoneActive Alarms: NoneAlarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCABER thresholds: SF = 10e-3, SD = 10e-6TCA thresholds: B1 = 10e-6, B2 = 10e-6, B3 = 10e-6Rx S1S0 = 00, Rx C2 = 13PATH TRACE BUFFER : STABLERouter#
Note
Related Commands
atm tx-latency
To specify the default transmit latency for an ATM Shared Port Adapter (SPA) interface, use the atm tx-latency command in interface configuration mode. To reset the default transmit latency to its default value, use the no form of this command.
atm tx-latency milliseconds
no atm tx-latency
Syntax Description
milliseconds
The default transmit latency for the interface, in milliseconds. The valid range is from 1 to 200, with a default of 100 milliseconds.
Defaults
100 milliseconds
Command Modes
Interface configuration (ATM interface only)
Command History
Usage Guidelines
The atm tx-latency command specifies the default maximum latency for all virtual circuits (VC) on a particular ATM SPA interface. This value is used, together with the value of the tx-limit command, to configure the interface and its VCs for the maximum number of transmit buffers for each VC, so that each VC can maintain the desired latency at the VC's configured line rate.
Caution
Tip
Examples
The following example shows the default transmit latency for a particular ATM SPA interface being set to 20 milliseconds:
Router# configure terminalRouter(config)# interface atm 3/1/1Router(config-if)# atm tx-latency 20Router(config-if)#Related Commands
tx-limit
Specifies the maximum number of transmit buffers for an ATM virtual circuit (VC).
bert errors
To transmit bit error ratio test (BERT) errors while running any BERT pattern, use the bert error command in interface configuration mode.
bert errors [number]
Syntax Description
Defaults
Default is 1.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to test link availability by injecting a fixed number of bert errors when a pattern is running and check that the same number of errors were received on the remote end.
Examples
This example injects 200 BERT errors in a running bit pattern on slot 5, subslot 0.
Router# configure terminalRouter(config)#interface serial 5/0/0Router(config-if)#bert errors 200Related Commands
bert pattern
Starts a BERT pattern on a port.
show controller serial
Displays serial line statistics.
bert pattern
To start a BERT pattern on a port, use the bert pattern command in interface configuration mode. Use the no bert pattern command to stop the sequence.
bert pattern {0s | 1s | 2^15 | 2^20 | 2^23 | alt-0-1 | qrss} interval minutes}
no bert pattern {0s | 1s | 2^15 | 2^20 | 2^23 | alt-0-1 | qrss} interval minutes}
Syntax Description
Defaults
Bert is disabled by default.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the bert pattern commamd to start or stop a specific bit pattern. To test link availability, start a pattern on one end and put the remote end in network loopback and verify that there are no bert errors.
Examples
This example starts a bert pattern on slot 5, bay 0.
Router# configure terminalRouter(config)# int serial 5/0/0Router(config-if)# bert pattern 0sRelated Commands
bre-connect
To enable the bridging of routed encapsulations (BRE) over a permanent virtual circuit (PVC) or switched virtual circuit (SVC), use the bre-connect command in VC configuration mode. To disable the bridging of routed encapsulations, use the no form of this command.
bre-connect vlan-id [mac mac-address]
no bre-connect
Syntax Description
Defaults
Bridging of route encapsulations is disabled.
Command Modes
VC configuration mode
Command History
Usage Guidelines
The bre-connect command allows the OC-12 ATM OSM or ATM SPA to receive RFC 1483 routed encapsulated packets and forward them as Layer 2 frames. When the bre-connect command is configured on a PVC (or SVC), the PVC (or SVC) receives routed packets, removes the RFC 1483 routed encapsulation header, and adds an Ethernet MAC header to the packet. The Layer 2 encapsulated packet is then switched to the Layer 2 interface that is determined by the VLAN number and the MAC address for the remote CPE device (if specified).
Note
Note
Examples
The following example shows a PVC being configured for BRE bridging using a VLAN ID of 10:
Router# configure terminal
Router(config)# interface atm3/1.1 point-to-point
Router(config-subif)# pvc 1/101
Router(config-if-atm-vc)# bre-connect 10
Router(config-if-atm-vc)# endRelated Commands
bridge-vlan
Configures a PVC for RFC 1483-compliant, point-to-point bridging of Layer 2 packets over an ATM interface.
show atm pvc
Displays the configuration of a particular permanent virtual circuit (PVC).
bridge-domain
To enable RFC 1483 ATM bridging or RFC 1490 Frame Relay bridging to map a bridged virtual LAN (VLAN) to an ATM permanent virtual circuit (PVC) or Frame Relay DLCI, use the bridge-domain command in interface ATM VC configuration, PVC range configuration, Frame Relay DLCI configuration, or interface configuration mode. To disable bridging, use the no form of this command.
bridge-domain vlan-id [access | dot1q [tag]| dot1q-tunnel] [broadcast] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [lan-fcs] [split-horizon]
no bridge-domain vlan-id
Syntax Description
Defaults
Bridging is disabled.
Command Modes
Interface ATM VC configuration
PVC range configuration
Frame Relay DLCI configuration
Interface configuration—Only the dot1q and dot1q-tunnel keywords are supported in interface configuration mode.
Command History
Usage Guidelines
RFC 1483 bridging on ATM interfaces supports the point-to-point bridging of Layer 2 packet data units (PDUs) over Ethernet networks. RFC 1490 Frame Relay bridging on POS or serial interfaces that are configured for Frame Relay encapsulation provides bridging of Frame Relay packets over Ethernet networks.
The Cisco 7600 router has the ability to transmit BPDUs with a PID of either 0x00-0E or 0x00-07. When connecting to a device that is fully compliant with RFC 1483 Appendix B, in which the IEEE BPDUs are sent and received by the other device using a PID of 0x00-0E, you must not use the ignore-bpdu-pid keyword.
If you do not enter the ignore-bpdu-pid keyword, the PVC between the devices operates in compliance with RFC 1483 Appendix B. This is referred to as strict mode. Entering the ignore-bpdu-pid keyword creates loose mode. Both modes are described as follows:
•
•
Cisco-proprietary PVST+ BPDUs are always sent out on data frames using a PID of 0x00-07, regardless of whether you enter the ignore-bpdu-pid keyword.
Use the ignore-bpdu-pid keyword when connecting to devices such as ATM DSL modems that send PVST (or 802.1D) BPDUs with a PID of 0x00-07.
The pvst-tlv keyword enables BPDU translation when interoperating with devices that understand only PVST or IEEE Spanning Tree Protocol. Because the Catalyst 6500 series switch ATM modules support PVST+ only, you must use the pvst-tlv keyword when connecting to a Catalyst 5000 family switch that only understands PVST on its ATM modules, or when connecting with other Cisco IOS routers that understand IEEE format only.
When transmitting, the pvst-tlv keyword translates PVST+ BPDUs into IEEE BPDUs.
When receiving, the pvst-tlv keyword translates IEEE BPDUs into PVST+ BPDUs.
Note
To preserve Class of Service (CoS) information across the ATM network, use the dot1q option. This configuration uses IEEE 802.1Q tagging to preserve the VLAN ID and packet headers as they are transported across the ATM network.
To enable service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated, use the dot1q-tunneling option on the service provider router. Then use the dot1q option on the customer routers.
RFC 1483 bridging is supported on AAL5-MUX and AAL5-LLC Subnetwork Access Protocol (SNAP) encapsulated PVCs. RFC-1483 bridged PVCs must terminate on the ATM interface, and the bridged traffic must be forwarded over an Ethernet interface, unless the split-horizon option is used, which allows bridging of traffic across bridged PVCs.
Note
In interface configuration mode, only the dot1q and dot1q-tunnel keyword options are supported.
Examples
The following example shows a PVC being configured for IEEE 802.1Q VLAN bridging using a VLAN ID of 99:
Router# configure terminalRouter(config)# interface ATM6/2Router(config-if)# pvc 2/101Router(config-if-atm-vc)# bridge-domain 99 dot1qRouter(config-if-atm-vc)# endThe following example shows how to enable BPDU translation when a Catalyst 6500 series switch is connected to a device that only understands IEEE BPDUs in an RFC-1483 compliant topology:
Router(config-if-atm-vc)# bridge-domain 100 pvst-tlv 150The ignore-bpdu-pid keyword is not used because the device operates in an RFC-1483 compliant topology for IEEE BPDUs.
The following example shows how to enable BPDU translation when a Catalyst 5500 ATM module is a device that only understands PVST BPDUs in a non-RFC1483 compliant topology. When a Catalyst 6500 series switch is connected to a Catalyst 5500 ATM module, you must enter both keywords:
Router(config-if-atm-vc)# bridge-domain 100 ignore-bpdu-pid pvst-tlv 150To enable BPDU translation for the Layer 2 Protocol Tunneling (L2PT) topologies, use the following command line:
Router(config-if-atm-vc)# bridge-domain 100 dot1qtunnel ignore-bpdu-pid pvst-tlv 150The following example shows a range of PVCs being configured, with the bridge domain number being incremented for each PVC in the range:
Router(config)# interface atm 8/0.100Router(config-subif)# range pvc 102/100 102/199Router(config-if-atm-range)# bridge-domain 102 incrementRelated Commands
bridge-domain (subinterface)
To enable bridging across Gigabit Ethernet subinterfaces, use the bridge-domain command in subinterface configuration mode. To disable bridging, use the no form of this command.
bridge-domain vlan-id {dot1q | dot1q-tunnel} [bpdu {drop | transparent}] [split-horizon]
no bridge-domain vlan-id {dot1q | dot1q-tunnel} [bpdu {drop | transparent}] [split-horizon]
Syntax Description
vlan-id
Specifies the number of the virtual LAN (VLAN) to be used in this bridging configuration. The valid range is from 2 to 4094.
dot1q
Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the ATM network. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes.
dot1q-tunnel
Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.
bpdu {drop | transparent}
(Optional) Specifies whether or not BPDUs are processed or dropped:
•
•
split-horizon
(Optional) Enables RFC 1483 split horizon mode to globally prevent bridging between PVCs in the same VLAN.
Defaults
Bridging is disabled.
Command Modes
Subinterface configuration
Command History
Usage Guidelines
This command has the following restrictions in Cisco IOS Release 12.2(33)SRA:
•
•
To enable service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated, use the dot1q-tunnel option on the service provider router. Then use the dot1q option on the customer routers.
Examples
The following example shows configuration of IEEE 802.1Q encapsulation for VLANs on Gigabit Ethernet subinterfaces with configuration of multipoint bridging (MPB). The MPB feature requires configuration of 802.1Q encapsulation on the subinterface.
The first subinterface bridges traffic on VLAN 100 and preserves CoS information in the packets by specifying the dot1q keyword.
Router(config)# interface GigabitEthernet 1/0/1.1Router(config-subif)# encapsulation dot1q 10Router(config-subif)# bridge-domain 100 dot1qThe second subinterface shows bridging of traffic on VLAN 200 in tunneling mode using the dot1q-tunnel keyword, which preserves the VLAN IDs of the bridged traffic.Router(config)# interface GigabitEthernet 2/0/2.2Router(config-subif)# encapsulation dot1q 20Router(config-subif)# bridge-domain 200 dot1q-tunnelThe following example shows bridging of traffic from different VLANs on two separate Gigabit Ethernet subinterfaces into the same VLAN. First, the bridging VLAN 100 is created using the vlan command. Then, the Gigabit Ethernet subinterfaces implement IEEE 802.1Q encapsulation on VLAN 10 and VLAN 20 and bridge the traffic from those VLANs onto VLAN 100 using the bridge-domain command:
Router(config)# vlan 100Router(config-vlan)# exit!Router(config)# interface GigabitEthernet 1/0/1.1Router(config-subif)# encapsulation dot1q 10Router(config-subif)# bridge-domain 100 dot1qRouter(config-subif)# exit!Router(config)# interface GigabitEthernet 1/0/2.1Router(config-subif)# encapsulation dot1q 20Router(config-subif)# bridge-domain 100 dot1qRelated Commands
card type (T1-E1)
To configure a T1 or E1 card type, use the card type command in global configuration mode. To deselect the card type on non-SPA platforms, use the no form of this command. The no form of this command is not available on the SPA platforms.
card type {t1 | e1} slot [bay]
no card type {t1 | e1} slot [bay]
Channelized T/E1 Shared Port Adapters
card type {t1 | e1} slot subslot
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Changes made using this command on non-SPA platforms, do not take effect unless the reload command is used or the router is rebooted.
Channelized T1/E1 Shared Port Adapters
There is no card type when the SPA is inserted for first time. The user must configure this command before they can configure individual ports.
The no form of this command is not available on the SPA platforms. To change an existing card type on SPA platforms, perform the following steps:
1.
2.
3.
4.
5.
Examples
The following example configures T1 data transmission on slot 1 of the router:
Router(config)# card type t1 1The following example configures all ports of an 8-Port Channelized T1/E1 SPA, seated in slot 5, subslot 2, in T1 mode:
Router(config)# card type t1 5 2Related Commands
card type (T3-E3)
To configure a T3 or E3 card type, use the card type command in global configuration mode. To deselect the card type, use the no form of this comand. The no form of this command is not supported on the 2-Port and 4-Port Clear Channel T3/E3 SPA on Cisco 12000 series routers.
T3 or E3 Controllers
card type {t3 | e3} slot
no card type {t3 | e3} slot
Clear Channel T3/E3 Shared Port Adapters
card type {t3 | e3} slot subslot
no card type {t3 | e3} slot subslot
Clear Channel T3/E3 Shared Port Adapters on Cisco 12000 Series Routers
card type {t3 | e3} slot subslot
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Usage guidelines vary slightly from platform to platform as follows:
T3 or E3 Controllers
Once a card type is issued, you enter the no card type command and then another card type command to configure a new card type. You must save the configuration to the NVRAM and reboot the router in order for the new configuration to take effect.
When the router comes up, the software comes up with the new card type. Note that the software will reject the configuration associated with the old controller and old interface. You must configure the new controller and serial interface and save it.
Clear Channel T3/E3 Shared Port Adapters
To change all the SPA ports from T3 to E3, or vice versa, you enter the no card type command and then another card type command to configure a new card type.
When the router comes up, the software comes up with the new card type. Note that the software will reject the configuration associated with the old controller and old interface. You must configure the new controller and serial interface and save it.
Clear Channel T3/E3 Shared Port Adapters on Cisco 12000 Series Routers
The no form of this command is not available on the 2-Port and 4-Port Clear Channel T3/E3 SPA on Cisco 12000 series routers. To change an existing card type on Cisco 12000 series routers, perform the following steps:
1.
2.
3.
4.
5.
Examples
The following example shows T3 data transmission configured in slot 1:
Router(config)# card type t3 1The following example configures all ports of 2-Port and 4-Port Clear Channel T3/E3 SPA, seated in slot 5, subslot 2, in T3 mode:
Router(config)# card type t3 5 2Related Commands
class arp-peruser
To create a control class for arp-peruser, use the class arp-peruser command in policy map configuration mode. To remove the arp-peruser class, use the no form of this command.
class arp-peruser
no class arp-peruser
Command Default
A control policy map is not created.
Command Modes
Policy map configuration
Command History
Usage Guidelines
Use this command when creating a per-user policy map.
Examples
The following example shows creating a per-user policy map.
Router(config-pmap)# class arp-peruserRouter(config)# policy-map copp-peruserRouter(config-pmap)# class arp-peruserRouter(config-pmap-c)# police rate 5 pps burst 50 packetsRouter(config-pmap-c)# class dhcp-peruserRouter(config-pmap-c)# police rate 10 pps burst 100 packetsRelated Commands
policy-map copp-peruser
Creates a policy map that defines a CoPP per-user policy.
class-map arp-peruser
Creates a class map to be used for matching ARP per-user packets.
class-map arp-peruser
To create a class map to be used for matching Address Resolution Protocol (ARP) per-user packets, use the class-map arp-peruser command in global configuration mode. To disable, use the no form of the command.
class-map arp-peruser
no class map arp-peruser
Syntax Description
Command Default
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create an ARP class map when configuring CoPP.
Examples
The following example shows creating an ARP class-map:
Router(config)#class-map arp-peruserRouter(config-cmap)#match protocol arpRouter(config-cmap)#match subscriber accessRelated Commands
match protocol arp
Matches ARP traffic to a policy map.
match subscriber access
Matches subscriber access traffic to a policy map.
clear crypto engine accelerator counter
To reset the statistical and error counters of the router hardware accelerator or the IPSec VPN SPA to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.
clear crypto engine accelerator counter
IPSec VPN SPA
clear crypto engine accelerator counter [slot slot/subslot | all] [detail]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
No specific usage guidelines apply to the hardware accelerators.
IPSec VPN SPA
Enter the slot keyword to reset platform statistics for the corresponding IPSec VPN SPA to zero. This reset will not include network interface controller statistics.
Enter the all keyword to reset platform statistics for all IPSec VPN SPAs on the router to zero. This reset will not include network interface controller statistics.
Enter the detail keyword to reset platform statistics for the IPSec VPN SPA and network interface controller statistics to zero.
Examples
The following example shows the statistical and error counters of the router hardware accelerator being cleared to zero:
Router#clear crypto engine accelerator counterThe following example shows the platform statistics for the IPSec VPN SPA in slot 2, subslot 1 being cleared to zero:
Router# clear crypto engine accelerator counter slot 2/1The following example shows the platform statistics for all IPSec VPN SPAs on the router being cleared to zero:
Router# clear crypto engine accelerator counter allRelated Commands
crypto connect vlan
To create an interface VLAN for an IPSec VPN SPA and enter crypto-connect mode, use the crypto connect vlan command in interface configuration mode. To remove the interface VLAN status from the VLAN, use the no form of this command.
crypto connect vlan vlan-id
no crypto connect [vlan vlan-id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
12.2(18)SXE2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
You can enter the crypto connect vlan command only from the following:
•
•
The crypto engine subslot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.
When you enter the crypto connect vlan command, a target VLAN is made an interface VLAN if and only if the target VLAN is not currently an interface VLAN, and the target VLAN has been added to an inside trunk port using the crypto engine subslot command. If the VLAN has been added to more than one inside trunk port, the crypto connect vlan command is rejected.
The no crypto engine subslot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.
When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine subslot configuration state exists, then that crypto engine subslot configuration state is not removed. If you remove a VLAN that has a crypto engine subslot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.
When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine subslot configuration state is not altered.
Examples
The following example adds port 2/1 to the outside access port VLAN and connects the outside access port VLAN to the inside interface VLAN:
Router(config)# interface Vlan101Router(config-if)# ip address 192.168.101.1 255.255.255.0Router(config-if)# crypto map cmapRouter(config-if)# crypto engine subslot 3/0Router(config-if)# interface GigabitEthernet2/1Router(config-if)# crypto connect vlan 101Related Commands
crypto engine gre supervisor
To configure a router to process Generic Routing Encapsulation (GRE) using the Supervisor Engine hardware or the Route Processor (RP), use the crypto engine gre supervisor command in global or interface configuration mode. When this command is specified, GRE processing by the Supervisor Engine hardware takes precedence over processing by the RP; the RP only takes over GRE processing if the Supervisor Engine hardware cannot do the processing.
To disable GRE processing by the Supervisor Engine hardware or RP, use the no form of this command. When the no form of the command is used, GRE processing will be reevaluated based on the rules described in the Usage Guidelines that follow.
crypto engine gre supervisor
no crypto engine gre supervisor
Command Default
When neither the crypto engine gre supervisor command, nor the crypto engine gre vpnblade command is specified globally or individually for a tunnel, GRE processing will be performed based on the following IPSec VPN SPA GRE takeover criteria:
•
–
–
–
•
–
–
–
–
–
–
–
–
Command Modes
Global or Interface configuration
Command History
Usage Guidelines
The crypto engine gre supervisor command can be configured globally or at an individual tunnel.
Individual configuration takes precedence over the global configuration. For example, when the crypto engine gre supervisor command is configured at the global configuration level, the command will apply to all tunnels except those tunnels which have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command.
The crypto engine gre supervisor command is related to the crypto engine gre vpnblade command. The crypto engine gre vpnblade command configures a router to process GRE using the service blade.
At any time only one of the two commands (crypto engine gre supervisor or crypto engine gre vpnblade) can be configured globally or individually at a tunnel. If either command is already configured, configuring the second command will overwrite the first command, and only the configuration applied by the second command will be used.
When the crypto engine gre supervisor command is specified, GRE processing by the Supervisor Engine hardware takes precedence over processing by the RP unless the tunnels are from duplicate sources. If this command is configured, duplicate source GREs will be processed by the RP.
When neither a global, nor an individual GRE takeover configuration is specified for a tunnel, the GRE processing will be performed based on the criteria specified in Defaults. In this way, backward compatibility is supported.
When a new configuration file is copied to the running configuration, the new configuration will overwrite the old configuration for the crypto engine gre supervisor and crypto engine gre vpnblade commands. If the new configuration does not specify a GRE takeover criteria globally or for an individual tunnel, the existing old configuration will be used.
Examples
The following example shows that the GRE takeover criteria has been set globally and the Supervisor Engine hardware or RP always does the GRE processing:
Router(config)# crypto engine gre supervisorThe following example shows that the GRE takeover criteria has been set individually for tunnel interface 3 and the Supervisor Engine hardware or RP always does the GRE processing:
Router(config)# interface tunnel 3Router(config-if)# crypto engine gre supervisorRelated Commands
crypto engine gre vpnblade
Configures a router to process Generic Routing Encapsulation (GRE) using the service blade.
crypto engine gre vpnblade
To configure a router to process Generic Routing Encapsulation (GRE) using the service blade, use the crypto engine gre vpnblade command in global or interface configuration mode.
If the service blade can't take over the GRE processing, the GRE processing will be handled either by Supervisor Engine hardware (which has precedence) or the Route Processor (RP).
To disable GRE processing by the service blade, use the no form of this command. When the no form of the command is used, GRE processing will be reevaluated based on the rules described in the Usage Guidelines.
crypto engine gre vpnblade
no crypto engine gre vpnblade
Command Default
When neither the crypto engine gre vpnblade command, nor the crypto engine gre supervisor command is specified globally or individually for a tunnel, GRE processing will be performed based on the following IPSec VPN SPA GRE takeover criteria:
•
–
–
–
•
–
–
–
–
–
–
–
–
Command Modes
Global configuration or Interface configuration
Command History
Usage Guidelines
The crypto engine gre vpnblade command can be configured globally or at an individual tunnel.
Individual configuration takes precedence over the global configuration. For example, when the crypto engine gre vpnblade command is configured at the global configuration level, the command will apply to all tunnels except those tunnels which have been configured individually using either a crypto engine gre vpnblade command or a crypto engine gre supervisor command.
The crypto engine gre vpnblade command is related to the crypto engine gre supervisor command. The crypto engine gre supervisor command configures a router to process GRE using the Supervisor Engine hardware or the RP.
At any time only one of the two commands (crypto engine gre vpnblade or crypto engine gre supervisor) can be configured globally or individually for a tunnel. If either command is already configured for a tunnel, configuring the second command will overwrite the first command, and only the configuration applied by the second command will be used.
If neither a global, nor an individual GRE takeover configuration is specified for a tunnel, the GRE processing will be performed based on the criteria specified in Defaults. In this way, backward compatibility is supported.
For a GRE tunnel to be taken over by the service blade, it must first satisfy the following criteria:
•
•
•
•
•
–
–
–
All other options configured are ignored.
•
GRE processing cannot be performed by the service blade if any of the following options is configured on the tunnel interface:
•
•
•
•
•
•
•
•
•
If the service blade cannot take over the GRE processing, the GRE processing will be handled either by the Supervisor Engine hardware (which has precedence) or the RP.
When a new configuration file is copied to the running configuration, the new configuration will overwrite the old configuration for the crypto engine gre vpnblade and crypto engine gre supervisor commands. If the new configuration does not specify a GRE takeover criteria globally or for an individual tunnel, the existing old configuration will be used.
Examples
The following example shows that the GRE takeover criteria has been set globally and the IPSec VPN SPA always does the GRE processing:
Router(config)# crypto engine gre vpnbladeThe following example shows that the GRE takeover criteria has been set individually for tunnel interface 3 and the IPSec VPN SPA always does the GRE processing:
Router(config)# interface tunnel 3Router(config-if)# crypto engine gre vpnbladeRelated Commands
crypto engine gre supervisor
Configures a router to process Generic Routing Encapsulation (GRE) using the Supervisor Engine hardware or the Route Processor (RP).
crypto engine mode vrf
To enable VRF-aware mode for the IPSec VPN SPA, use the crypto engine mode vrf command in interface configuration mode. The VRF-aware IPSec feature introduces IPSec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs. Using the VRF-aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.. To disable VRF-aware mode, use the no form of this command.
crypto engine mode vrf
no crypto engine mode vrf
Defaults
No default behavior or values.
Command Modes
Interface configuration mode.
Command History
Usage Guidelines
Follow these guidelines and restrictions when configuring IPSec VPN SPAs using the crypto engine mode vrf command:
Unlike other IPSec VPN SPA feature configuration, when configuring VRF-Aware features. you od not use the crypto connect vlan command.
Examples
The following example shows a VRF-Aware IPSec implementation:
ip vrf pepsird 1000:1route-target export 1000:1route-target import 1000:1!ip vrf cokerd 2000:1route-target export 2000:1route-target import 2000:1crypto engine mode vrfinterface vlan 100ip vrf forwarding pepsiip address 10.2.1.1 255.255.255.0crypto engine subslot 3/0crypto map map100interface vlan 200ip vrf forwarding cokeip address 10.2.1.1 255.255.255.0crypto engine subslot 3/0crypto map map200interface gi1/1 (hidden VLAN 1000)ip address 171.1.1.1crypto engine subslot 3/0! BASIC MPLS CONFIGURATIONmpls label protocol ldptag-switching tdp router-id Loopback0mls ip multicast flow-stat-timer 9no mls flow ipno mls flow ipv6!! CONFIGURE THE INTERFACE CONNECTED TO THE MPLS BACKBONE WITH LABEL/TAG SWITCHINGinterface GigabitEthernet2/12ip address 20.1.0.34 255.255.255.252logging event link-statusspeed nonegotiatempls label protocol ldptag-switching ipRelated Commands
crypto engine slot
To assign an interface VLAN that requires encryption to the IPSec VPN SPA, use the crypto engine slot command in interface configuration mode. To remove the interface VLAN, use the no form of this command.
crypto engine slot slot/subslot
no crypto engine slot slot/subslot
Syntax Description
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
Usage Guidelines
With this command, you do not need to explicitly add interface VLANs to the IPSec VPN SPA inside trunk port.
It is strongly recommended that you use the crypto engine slot command instead of manually adding and removing VLANs from the inside trunk port.
When you add an interface VLAN to an inside trunk port and that interface VLAN is not already added to another inside trunk port, the crypto engine slot configuration state on the interface VLAN is combined. If the interface VLAN is already added to another inside trunk port, the command is rejected.
You should not try to add all VLANs at one time (If you attempt this, you can recover by manually removing the VLANs from the inside trunk port.)
The crypto engine slot command is used in conjunction with the crypto connect vlan command.
The crypto engine slot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.
The crypto engine slot command is rejected if you enter it on a crypto-connected interface VLAN whose current crypto engine slot configuration is different from the subslot specified in the crypto engine slot command. To change the crypto engine slot configuration on an interface VLAN, you must ensure that the VLAN is not crypto-connected.
If you change the crypto engine slot configuration on an interface VLAN, any IPSec and IKE SAs that are currently active on that interface VLAN are deleted.
If you enter the no crypto engine slot command and the interface VLAN is crypto-connected, the no crypto engine slot command is rejected. The no crypto engine slot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.
When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine slot configuration state exists, then that crypto engine slot configuration state is not removed. If you remove a VLAN that has a crypto engine slot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.
When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine slot configuration state is not altered.
When you write the configuration or show the configuration, the crypto engine slot configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-crypto engine slot) configuration file, or if VLANs were manually added instead of being added through the crypto engine slot command.
By editing the crypto engine slot commands and inside trunk port VLANs, it is possible to produce an inconsistent configuration file.
Examples
The following example assigns the interface VLAN Vlan101 to the IPSec VPN SPA in slot 3, subslot 0:
Router(config)# interface Vlan101Router(config-if)# ip address 192.168.101.1 255.255.255.0Router(config-if)# crypto map cmapRouter(config-if)# crypto engine slot 3/0Router(config)# interface GigabitEthernet2/1Router(config-if)# crypto connect Vlan101Related Commands
crypto engine subslot
To assign an interface VLAN that requires encryption to the IPSec VPN SPA, use the crypto engine subslot command in interface configuration mode. To remove the interface VLAN, use the no form of this command.
crypto engine subslot slot/subslot
no crypto engine subslot slot/subslot
Syntax Description
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
12.2(18)SXE2
This command was introduced.
12.2(33)SRA
This command is replaced by the crypto engine slot command.
Usage Guidelines
Note
With this command, you do not need to explicitly add interface VLANs to the IPSec VPN SPA inside trunk port.
It is strongly recommended that you use the crypto engine subslot command instead of manually adding and removing VLANs from the inside trunk port.
When you add an interface VLAN to an inside trunk port and that interface VLAN is not already added to another inside trunk port, the crypto engine subslot configuration state on the interface VLAN is combined. If the interface VLAN is already added to another inside trunk port, the command is rejected.
You should not try to add all VLANs at one time (If you attempt this, you can recover by manually removing the VLANs from the inside trunk port.)
The crypto engine subslot command is used in conjunction with the crypto connect vlan command.
The crypto engine subslot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.
The crypto engine subslot command is rejected if you enter it on a crypto-connected interface VLAN whose current crypto engine subslot is different from the subslot specified in the crypto engine subslot command. To change the crypto engine subslot on an interface VLAN, you must ensure that the VLAN is not crypto-connected.
If you change the crypto engine subslot configuration on an interface VLAN, any IPSec and IKE SAs that are currently active on that interface VLAN are deleted.
If you enter the no crypto engine subslot command and the interface VLAN is crypto-connected, the no crypto engine subslot command is rejected. The no crypto engine subslot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.
When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine subslot configuration state exists, then that crypto engine subslot configuration state is not removed. If you remove a VLAN that has a crypto engine subslot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.
When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine subslot configuration state is not altered.
When you write the configuration or show the configuration, the crypto engine subslot configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-crypto engine subslot) configuration file, or if VLANs were manually added instead of being added through the crypto engine subslot command.
By editing the crypto engine subslot commands and inside trunk port VLANs, it is possible to produce an inconsistent configuration file.
Examples
The following example assigns the interface VLAN Vlan101 to the IPSec VPN SPA in slot 3, subslot 0:
Router(config)# interface Vlan101Router(config-if)# ip address 192.168.101.1 255.255.255.0Router(config-if)# crypto map cmapRouter(config-if)# crypto engine subslot 3/0Router(config)# interface GigabitEthernet2/1Router(config-if)# crypto connect Vlan101Related Commands
crypto ipsec ipv4 deny-policy
To configure deny address ranges at the global (IPSec VPN SPA) level, use the crypto ipsec ipv4 deny-policy command in global configuration mode.
crypto ipsec ipv4 deny-policy {jump | clear | drop}
Syntax Description
Defaults
The default behavior is jump.
Command Modes
Global configuration
Command History
12.2(18)SXE2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Use this command to prevent repeated address ranges from being programmed in the hardware, resulting in more efficient TCAM space utilization.
Specifying a deny address range in an ACL results in "jump" behavior. When a denied address range is hit, it forces the search to "jump" to the beginning of the ACL associated with the next sequence in a crypto map and continue the search.
If you want to pass clear traffic on an address, you must insert a deny address range for each sequence in a crypto map.
Each permit list of addresses inherits all the deny address ranges specified in the ACL. A deny address range causes the software to do a subtraction of the deny address range from a permit list, and creates multiple permit address ranges that need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit address ranges in a single ACL.
If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured on the IPSec VPN SPA, all existing IPSec sessions are temporarily removed and restarted, which impacts traffic on your network.
The number of deny entries that can be specified in an ACL are dependent on the keyword specified:
•
•
•
Examples
The following example shows a configuration using the deny-policy clear option. In this example, when a deny address is hit, the search will stop and traffic will be allowed to pass in the clear (unencrypted) state:
Router(config)# crypto ipsec ipv4 deny-policy clearRelated Commands
debug crypto ace b2b
To enable IPSec VPN SPA debugging for a Blade Failure Group, use the debug crypto ace b2b command in privileged EXEC mode.
debug crypto ace b2b
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
12.2(18)SXE2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Examples
The following example enables IPSec VPN SPA debugging for a Blade Failure Group:
Router# debug crypto ace b2bACE B2B Failover debugging is onRelated Commands
debug hw-module all upgrade
To enable debug messages for field-programmable devices (FPDs), use the debug hw-module all upgrade command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module all upgrade [error | event]
no debug hw-module all upgrade [error | event]
Syntax Description
all
Enable debug messaging for all supported modules in the system.
error
(Optional) Enables display of FPD upgrade error messages.
event
(Optional) Enables display of FPD upgrade event messages.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
12.2(18)SXE
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The debug hw-module all upgrade command is intended for use by Cisco Systems technical support personnel.
If you attempt to use this command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
For more information about FPD upgrades on SPA interface processors (SIPs) and shared port adapters (SPAs), refer to the Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide.
Examples
The following example enables FPD upgrade debug messages for all supported card types on the Cisco 7600 series router:
Router# debug hw-module all upgradedebug hw-module subslot commands
To enable debug messages for control plane configuration and commands on a shared port adapter (SPA), use the debug hw-module subslot commands command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} commands
no debug hw-module subslot {slot/subslot | all} commands
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example enables control plane debug messages for the SPA located in the top subslot (0) of the SIP that is installed in slot 4 of a router:
Router# debug hw-module subslot 4/0 commandsdebug hw-module subslot errors
To enable debug messages for error handling and race conditions on a shared port adapter (SPA), use the debug hw-module subslot errors command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} errors
no debug hw-module subslot {slot/subslot | all} errors
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example enables error handling debug messages for the SPA located in the top subslot (0) of the SIP that is installed in slot 4 of a router:
Router# debug hw-module subslot 4/0 errorsdebug hw-module subslot events
To enable debug messages for control plane event notifications on a shared port adapter (SPA), use the debug hw-module subslot events command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} events
no debug hw-module subslot {slot/subslot | all} events
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example enables control plane event messages for the SPA located in the top subslot (0) of the SIP that is installed in slot 4 of a router:
Router# debug hw-module subslot 4/0 eventsdebug hw-module subslot interrupts
To enable debug messages for interrupt handling on a shared port adapter (SPA), use the debug hw-module subslot interrupts command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} interrupts
no debug hw-module subslot {slot/subslot | all} interrupts
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example enables interrupt handling debug messages for the SPA located in the top subslot (0) of the SIP that is installed in slot 4 of a router:
Router# debug hw-module subslot 4/0 interruptsdebug hw-module subslot ipcshim
To enable debug messages for IPC shim application processing for all supported modules in the system, use the debug hw-module subslot ipcshim command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot all ipcshim
no debug hw-module subslot all ipcshim
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
12.2(18)SXE
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
The debug hw-module subslot ipcshim command is only supported by certain shared port adapters (SPAs).
Caution
Examples
The following example enables IPC SHIM application debug messages for all supported modules in the router:
Router# debug hw-module subslot all ipcshimdebug hw-module subslot oir
To enable debug messages for online insertion and removal (OIR) processing on a shared port adapter (SPA), use the debug hw-module subslot oir command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} oir {plugin | state-machine}
no debug hw-module subslot {slot/subslot | all} oir {plugin | state-machine}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example shows enabling of OIR plugin debug messages for the SPA located in subslot 1 of the SIP that is installed in slot 4 of the router, and the corresponding messages during a SPA reload:
Router# debug hw-module subslot 4/1 oir pluginWARNING: This command is not intended for production useand should only be used under the supervision ofCisco Systems technical support personnel.SPA subslot 4/1:SPA specific oir handling debugging is onRouter# hw-module subslot 4/1 reloadRouter#Mar 26 01:35:04: cwrp_handle_spa_oir_tsm_event: subslot 4/1 event=9Mar 26 01:35:04: cwrp_handle_spa_oir_tsm_event: subslot 4/1 event=1Router#Mar 26 01:35:09: cwrp_handle_spa_oir_tsm_event: subslot 4/1 event=0Mar 26 01:35:10: cwrp_handle_spa_oir_tsm_event: subslot 4/1 event=2debug hw-module subslot periodic
To enable debug messages for periodic processing on a shared port adapter (SPA), use the debug hw-module subslot periodic command in privileged EXEC configuration mode. To disable debug messages, use the no form of the command.
debug hw-module subslot {slot/subslot | all} periodic
no debug hw-module subslot {slot/subslot | all} periodic
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug hw-module subslot commands are intended for use by Cisco Systems technical support personnel.
If you attempt to use a debug hw-module subslot command without a SPA installed, or with an incompatible SPA installed, the keyword options are not provided.
Caution
Examples
The following example enables periodic processing debug messages for the SPA located in the top subslot (0) of the SIP that is installed in slot 4 of a router:
Router# debug hw-module subslot 4/0 periodicframing (T1/E1 controller)
To select the frame type for the T1 or E1 data line, use the framing command in controller configuration mode. To return to the default, use the no form of the command.
T1 Lines
framing {sf | esf}
E1 Lines
framing {crc4 | no-crc4} [australia]
T1 Shared Port Adapter
framing {sf | esf}
no framing {sf | esf}
E1 Shared Port Adapter
framing {crc4 | no-crc4 | unframed}
no framing {crc4 | no-crc4 | unframed}
Syntax Description
Defaults
sf on a T1 line
crc4 on an E1 line
Command Modes
Controller configuration
Command History
Usage Guidelines
Use this command in configurations in which the router or access server is intended to communicate with T1 or E1 fractional data lines. The service provider determines the framing type required for your T1/E1 circuit.
To return to the default mode on a T1/E1 SPA, use the no form of this command. This command does not have a no form for other T1/E1 lines.
Examples
The following example selects extended super frame as the T1 frame type:
Router(config-controller)# framing esfRelated Commands
cablelength
Specifies the distance of the cable from the routers to the network equipment.
linecode
Selects the linecode type for T1 or E1 line.
framing (T3 controller)
To choose framing mode on a T3 port, use the framing command in controller configuration mode. To return to the default mode, use the no form of this command.
T3 Controllers
framing {c-bit | m23}
no framing
Channelized T3 Shared Port Adapters and the Cisco 7500 Series Routers with CT3IP Port Adapter
framing {c-bit | m23 | auto-detect}
no framing
Syntax Description
Defaults
c-bit (for the 2-Port and 4-Port Channelized T3 SPA and most T3 controllers)
auto-detect (for the CT3IP in a Cisco 7500 series router)
Command Modes
Controller configuration
Command History
Usage Guidelines
You can set the framing for each T1 channel by using the t1 framing controller configuration command.
Cisco 7500 Series Routers with CT3IP Port Adapter
Because the CT3IP supports the Application Identification Channel (AIC) signal, the setting for the framing might be overridden by the CT3IP firmware.
Examples
The following example sets the framing mode on a T3 interface.
Router# configure terminalRouter(config)# controller t1 6/0/0Router(config-controller)# framing m23The following example sets the framing for the CT3IP to C-bit:
Router(config)# controller t3 9/0/0Router(config-controller)# framing c-bitRelated Commands
framing (T3-E3 interface)
To choose framing mode on a T3 or E3 port, use the framing command in interface configuration mode. To return to the default mode, use the no form of this command.
PA-T3 and T3 Shared Port Adapters
framing {bypass | c-bit | m13}
no framing {bypass | c-bit | m13}
PA-E3 and E3 Shared Port Adapters
framing {bypass | g751 | g832}
no framing {bypass | g751 | g832}
Syntax Description
Defaults
T3: C-bit framing
E3: g751 framing
Command Modes
Interface configuration
Command History
Usage Guidelines
The default framing is described in the ITU-T Recommendation G.751.
Note
When the framing mode is bypass, the T3 frame data is not included in the T3 frame, just the data.
When the framing mode is bypass, the E3 frame data is not included in the E3 frame, just the data.
If you use the bypass keyword, scrambling must be set to the default (disabled), the DSU mode must be set to the default (0), and the DSU bandwidth must be set to the default (44736).
The g832 keyword is not supported on Cisco 7304 routers with the 2-Port and 4-Port Clear Channel T3/E3 SPA.
Examples
The following example sets the framing mode to bypass on interface 1/0/0:
Router(config)# interface serial 1/0/0Router(config-if)# framing bypassRelated Commands
hw-module slot subslot only
To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400 card.
Note
hw-module slot slot subslot subslot only
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration mode
Command History
12.2(18)SXF2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Follow these guidelines and restrictions when configuring Cisco 7600 SSC-400 cards and IPSec VPN SPAs using the hw-module slot subslot only command:
•
•
Module n will be reset? Confirm [n]:
The prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.
•
Examples
The following example allocates full buffers to the SPA that is installed in subslot 0 of the SIP located in slot 1 of the router and takes a reset action of the Cisco 7600 SSC-400 card.
Router(config)# hw-module slot 4 subslot 1 onlyModule 4 will be reset? Confirm [no]: yNote that the prompt will default to "N' (no). You must type "Y" (yes) to activate the reset action.
Related Commands
ip multicast-routing
Enables IP multicast routing.
ip pim
Enables Protocol Independent Multicast (PIM) on an interface.
hw-module subslot reload
To restart a shared port adapter (SPA) and its interfaces, use the hw-module subslot reload command in privileged EXEC configuration mode. The command does not have a no form.
hw-module subslot slot/subslot reload
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The hw-module subslot reload command stops and starts power to the SPA. This command is useful when you want to restart all interfaces on a SPA.
The command is recommended to restart a SPA under some of the following conditions:
•
•
Examples
The following command power cycles the SPA in subslot 2 of the SIP installed in chassis slot 13:
Router# hw-module subslot 13/2 reloadRouter#
Note
Related Commands
hw-module subslot shutdown
To disable a shared port adapter (SPA) with or without power, and save the configuration to the configuration file, use the hw-module subslot shutdown command in global configuration mode. To reenable the SPA, use the no form of this command.
hw-module subslot slot/subslot shutdown [powered | unpowered]
no hw-module subslot slot/subslot shutdown [powered | unpowered]
Syntax Description
Defaults
If this command is not used, no hw-module subslot shutdown is the default behavior. When no hw-module subslot is configured, the SPA will be powered for normal operation.
If the hw-module subslot shutdown command is entered but neither powered or unpowered are specified in the CLI, powered is the default behavior.
Command Modes
Global configuration
Command History
Usage Guidelines
When you shut down a SPA using this command, you can choose to put it into one of two states:
•
•
This command is useful when a user wants all the interfaces on a SPA disabled but does not or cannot remove the SPA. Unlike the hw-module subslot stop EXEC command on the Cisco 7304 router, this command is saved in the configuration file and will keep the SPA disabled when other router events (such as a router reload or OIR) attempt to restart the SPA. All other settings and configurations of the SPA will be maintained even if the SPA itself is shutdown using this command.
As a general rule, you do not need to shut down a SPA if you are removing it and replacing it with the same exact model of SPA in an online insertion and removal (OIR) operation. However, you should shut down a SPA whenever you are replacing a SPA with a different model of SPA.
When you shut down a SPA using the hw-module subslot shutdown command, it remains shut down even if you reset the router or install a new SPA in that subslot. To begin using the card again, you must manually reenable the card using the no hw-module subslot shutdown command.
Note
Examples
The following example shows how to disable the SPA in subslot 4/1 while leaving the SPA in the router chassis. This command will be saved to the configuration file and no actions, outside of changing this configuration, will reenable the SPA:
Router(config)# hw-module subslot 4/1 shutdown unpoweredThe following example shows how to configure the SPA to resume normal operation after the unpowered option has been used to disable the SPA:
Router(config)# hw-module subslot 4/1 shutdown poweredNo messages are provided on the console when you shut down or reenable a SPA.
Related Commands
show hw-module subslot oir
Displays the operational status of a SPA.
hw-module slot1
Deactivates or reactivates a carrier card that is installed in a router slot. This command is entered in EXEC mode and is not saved to the configuration file.
1 Refer to the Cisco 7300 Series Platform-Specific Commands publication.
interface
To configure an interface type and to enter interface configuration mode, use the interface command in the appropriate configuration mode.
Standard Syntax
interface type number [name-tag]
Module-Specific and Platform-Specific Syntax
Analysis Module Network Module
interface analysis-module slot/unit
Content Engine Network Module
interface content-engine slot/unit
Cisco 830 Series
interface type [number]
Cisco 2600 Series
interface type slot/{port-adapter | port.subinterface-number}
Cisco 2600 Series on Voice Interfaces
interface type slot/voice-module-slot/voice-interface-slot
Cisco 3600 Series
interface type slot/{port | port.subinterface-number}
Cisco 3600 Series on Voice Interfaces
interface type slot/voice-module-slot/voice-interface-slot
Cisco 7100 Series
interface type slot/{port-adapter | port.subinterface-number}
Cisco 7200 Series and Cisco 7500 Series with a Packet over SONET Interface Processor
interface type slot/port
Cisco 7200 VXR Router Used as a Router Shelf in a Cisco AS5800 Universal Access Server
interface type router-shelf/slot/port
Cisco 7500 Series with Channelized T1 or E1
interface serial slot/port:channel-group
Cisco 7500 Series with Ports on VIP Cards
interface type slot/port-adapter/port
Subinterface Syntax Forms in Global Configuration Mode
Cisco 7200 Series
interface type slot/port.subinterface-number [multipoint | point-to-point]
Cisco 7500 Series
interface type slot/port-adapter.subinterface-number [multipoint | point-to-point]
Cisco 7500 Series with Ports on VIP Cards
interface type slot/port-adapter/port.subinterface-number [multipoint | point-to-point]
Cisco 12000 Series
interface type slot/{port-adapter | port.subinterface-number}
Shared Port Adapters
interface type slot/subslot/port[.subinterface-number]
Syntax Description
type
Type of interface to be configured. See Table 40-1.
number
Port, connector, or interface card number. On Cisco 830 series routers, the number argument specifies the ethernet interface number. On Cisco 4700 series routers, the number argument specifies the network interface module (NIM) or network processor module (NPM) number. The numbers are assigned at the factory at the time of installation or when added to a system; they can be displayed with the show interfaces command.
name-tag
(Optional) Specifies the logic name to identify the server configuration so that multiple server configurations can be entered.
This optional argument is for use with the Redundant Link Manager (RLM) feature.
slot
Chassis slot number.
Refer to the appropriate hardware manual for slot information. For SIPs, refer to the platform-specific SPA hardware installation guide or the corresponding "Identifying Slots and Subslots for SIPs and SPAs" topic in the platform-specific SPA software configuration guide.
/voice-module-slot
Voice module slot number. The slash (/) is required.
Refer to the "Cisco 3700 Series Routers Voice Interface Numbering" section of the "Understanding Interface Numbering and Cisco IOS Basics" chapter in the platform-specific SPA software configuration guide.
/voice-interface-slot
Voice interface slot number. The slash (/) is required.
Refer to the "Cisco 3700 Series Routers Voice Interface Numbering" section of the "Understanding Interface Numbering and Cisco IOS Basics" chapter in the platform-specific SPA software configuration guide.
/subslot
Secondary slot number on a SIP where a SPA is installed. The slash (/) is required.
Refer to the platform-specific SPA hardware installation guide and the corresponding "Specifying the Interface Address on a SPA" topic in the platform-specific SPA software configuration guide for subslot information.
/unit
Number of the daughter card on the network module. For analysis module and content engine (CE) network modules, always use 0. / is required.
/port
Port or interface number.The slash (/) is required.
Refer to the appropriate hardware manual for port information. For SPAs, refer to the corresponding "Specifying the Interface Address on a SPA" topics in the platform-specific SPA software configuration guide.
router-shelf
Router shelf number in a Cisco AS5800 universal access server. Refer to the appropriate hardware manual for router shelf information.
:channel-group
Channel group number. Cisco 7500 series routers specify the channel group number in the range of 0 to 4 defined with the channel-group controller configuration command.
/port-adapter
Port adapter number. Refer to the appropriate hardware manual for information about port adapter compatibility. The slash (/) is required.
.subinterface-number
Subinterface number in the range 1 to 4294967293. The number that precedes the period (.) must match the number to which this subinterface belongs.
multipoint | point-to-point
(Optional) Specifies a multipoint or point-to-point subinterface. There is no default.
Command Default
No interface types are configured.
Command Modes
Global configuration
RITE configuration
Note
Command History
Usage Guidelines
This command does not have a no form.
Table 40-1 displays the keywords that represent the types of interfaces that can be configured with the interface command. Replace the type argument with the appropriate keyword from the table.
Creating an IP Traffic Export Profile
Ip traffic export is intended only for software switching platforms; distributed architectures are not supported.
After you configure an IP traffic export profile using the ip traffic-export profile global configuration command, you must also include the interface command after the ip traffic-export profile command; otherwise, the profile will be unable to export the captured IP packets. If you do not use the interface command, you will receive a warning that indicates that the profile is incomplete.
Subinterfaces
Subinterfaces can be configured to support partially meshed Frame Relay networks. Refer to the "Configuring Serial Interfaces" chapter in the Cisco IOS Interface and Hardware Component Configuration Guide.
Using the analysis-module Keyword
The analysis module interface is used to access the NAM console for the initial configuration. After the NAM IP parameters are configured, the analysis module interface is typically used only during NAM software upgrades and while troubleshooting if the NAM Traffic Analyzer is inaccessible.
Visible only to the Cisco IOS software on the router, the analysis module interface is an internal Fast Ethernet interface on the router that connects to the internal NAM interface. The analysis module interface is connected to the router's Peripheral Component Interconnect (PCI) backplane, and all configuration and management of the analysis module interface must be performed from the Cisco IOS CLI.
Using the group-async Keyword
Using the group-async keyword, you create a single asynchronous interface with which other interfaces are associated as members using the group-range command. This one-to-many configuration allows you to configure all associated member interfaces by entering one command on the group master interface, rather than entering this command on each individual interface. You can create multiple group masters on a device; however, each member interface can be associated only with one group.
Using the port-channel Keyword
The Fast EtherChannel feature allows multiple Fast Ethernet point-to-point links to be bundled into one logical link to provide bidirectional bandwidth of up to 800 Mbps. You can configure the port-channel interface as you would any Fast Ethernet interface.
After you create a port-channel interface, you assign upto four Fast Ethernet interfaces to it. For information on how to assign a Fast Ethernet interface to a port-channel interface, refer to the channel-group command in the interface configuration mode.
Caution
Fast Ethernet interfaces. Do not assign bridge groups on the physical Fast Ethernet interfaces
because doing so creates loops. Also, you must disable spanning tree.
Caution
ip route-cache distributed commands from the Fast Ethernet interfaces before enabling dCEF on
the port-channel interface. Clearing the route cache gives the port-channel interface proper control
of its physical Fast Ethernet links. When you enable CEF/dCEF globally, all interfaces that support CEF/dCEF are enabled. When CEF/dCEF is enabled on the port-channel interface, it is automatically enabled on each of the Fast Ethernet interfaces in the channel group. However, if you have
previously disabled CEF/dCEF on the Fast Ethernet interface, CEF/dCEF is not automatically
enabled. In this case, you must enable CEF/dCEF on the Fast Ethernet interface.
As you work with the port-channel keyword, consider the following points:
•
•
Using the vg-anylan Keyword
The 100VG-AnyLAN port adapter provides a single interface port that is compatible with and specified by IEEE 802.12. The 100VG-AnyLAN port adapter provides 100 Mbps over Category 3 or Category 5 cable with RJ-45 terminators and supports IEEE 802.3 Ethernet packets.
You configure the 100VG-AnyLAN port adapter as you would any Ethernet or Fast Ethernet interface. The 100VG-AnyLAN port adapter can be monitored with the IEEE 802.12 Interface MIB.
Examples
Analysis Module Interface with NAM Router: Example
The following example configures an analysis module interface when the NAM router is in router slot 1:
Router(config)# interface analysis-module 1/0Asynchronous Group Master Interface: Example
The following example shows how to define asynchronous group master interface 0:
Router(config)# interface group-async 0Content Engine Network Module Interface: Example
The following example configures an interface for a content engine network module in slot 1:
Router(config)# interface content-engine 1/0Ethernet Interface on Cisco 830 Router: Example
The following example configures a new ethernet2 interface on the LAN or on the WAN side of the Cisco 830 series router.
c837# configure terminalEnter configuration commands, one per line. End with CNTL/Z.c837(config)# interface ethernet 2Ethernet Port on Ethernet Interface Processor on Cisco 7500 Series Router Example
The following example shows how to configure Ethernet port 4 on the Ethernet Interface Processor (EIP) in slot 2 on the Cisco 7500 series router:
Router(config)# interface ethernet 2/4Exporting IP Traffic (RITE) Example
The following example shows how to configure the profile "corp1," which will send captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the access control list "ham_ACL."
Router(config)# ip traffic-export profile corp1Router(config-rite)# interface FastEthernet 0/1Router(config-rite)# bidirectionalRouter(config-rite)# mac-address 00a.8aab.90a0Router(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp1Fast Ethernet Interface on Cisco 2600 Router Example
The following example shows how to configure Fast Ethernet interface 0 on a Cisco 2600 series router:
Router(config)# interface fastethernet0/0orRouter(config)# interface fastethernet0/0.1Fast Ethernet Interface on Cisco 3600 Router Example
The following example shows how to configure Fast Ethernet interface 0 on a Cisco 3600 series router:
Router(config)# interface fastethernet0/0or
Router(config)# interface fastethernet0/0.1Fast Ethernet Interface with ARPA Encapsulation on Cisco 4700 Router Example
The following example shows how to configure Fast Ethernet interface 0 for standard ARPA encapsulation (the default setting) on a Cisco 4700 series router:
Router(config)# interface fastethernet 0Fast Ethernet Interface on Cisco 7100 Router Example
The following example shows how to configure Fast Ethernet interface 0 on a Cisco 7100 series router:
Router(config)# interface fastethernet0/0or
Router(config)# interface fastethernet0/0.1Fast Ethernet Interface on Cisco 12000 Router Example
The following example shows how to configure Fast Ethernet interface 6 on a Cisco 12000 series router:
Router(config)# interface fastethernet6/0or
Router(config)# interface fastethernet6/0.1Gigabit Ethernet Interface Example
The following example shows how to configure the Gigabit Ethernet interface for slot 0, port 0:
Router(config)# interface gigabitethernet 0/0Loopback Interface Example
The following example shows how to enable loopback mode and assign an IP network address and network mask to the interface. The loopback interface established here will always appear to be up.
Router(config)# interface loopback 0Router(config-if)# ip address 10.108.1.1 255.255.255.0Packet over SONET Interface Example
The following example shows how to specify the single Packet OC-3 interface on port 0 of the POS OC-3 port adapter in slot 2:
Router(config)# interface pos 2/0Partially Meshed Frame Relay Network Example
The following example shows how to configure a partially meshed Frame Relay network. In this example, subinterface serial 0.1 is configured as a multipoint subinterface with two associated Frame Relay permanent virtual connections (PVCs), and subinterface serial 0.2 is configured as a point-to-point subinterface.
Router(config)# interface serial 0Router(config-if)# encapsulation frame-relayRouter(config-if)# exitRouter(config)# interface serial 0/0.1 multipointRouter(config-if)# ip address 10.108.10.1 255.255.255.0Router(config-if)# frame-relay interface-dlci 42 broadcastRouter(config-if)# frame-relay interface-dlci 53 broadcastRouter(config-if)# exitRouter(config)# interface serial 0/0.2 point-to-pointRouter(config-if)# ip address 10.108.11.1 255.255.255.0Router(config-if)# frame-relay interface-dlci 59 broadcastPort Channel Interface Example
The following example shows how to create a port-channel interface with a channel group number of 1 and add two Fast Ethernet interfaces to port-channel 1:
Router(config)# interface port-channel 1Router(config-if)# ip address 10.1.1.10 255.255.255.0Router(config-if)# exitRouter(config)# interface fastethernet 1/0/0Router(config-if)# channel-group 1Router(config-if)# exitRouter(config)# interface fastethernet 4/0/0Router(config-if)# channel-group 1SDCC Interface on a POS Shared Port Adapter Example
The following example configures the first interface (port 0) as a section data communications channel (SDCC) interface on a POS SPA, where the SPA is installed in the top subslot (0) of the MSC, and the MSC is installed in slot 4 of the Cisco 7304 router:
Router(config)# interface sdcc 4/3/0Router(config-if)# ip address 10.1.9.2 255.255.255.0Router(config-if)# logging event link-statusRouter(config-if)# load-interval 30Router(config-if)# no keepaliveRouter(config-if)# no fair-queueRouter(config-if)# no cdp enableSerial Interface with PPP Encapsulation Example
The following example shows how to configure serial interface 0 with PPP encapsulation:
Router(config)# interface serial 0Router(config-if)# encapsulation pppShared Port Adapter Interface Example
The following example configures the second interface (port 1) on a 4-Port 10/100 Fast Ethernet SPA for standard ARPA encapsulation (the default setting), where the SPA is installed in the bottom subslot (1) of the MSC, and the MSC is installed in slot 2 of the Cisco 7304 router:
Router(config)# interface fastethernet 2/1/1
T1 Serial Interface Example
The following example shows how to configure circuit 0 of a T1 link for PPP encapsulation:
Router(config)# controller t1 4/1Router(config-controller)# circuit 0 1Router(config-controller)# exitRouter(config)# interface serial 4/1:0Router(config-if)# ip address 10.108.13.1 255.255.255.0Router(config-if)# encapsulation pppToken Ring Interface Processor Example
The following example shows how to configure the Token Ring interface processor in slot 1 on port 0 of a Cisco 7500 series router:
Router(config)# interface tokenring 1/0100VG-AnyLAN Interface Example
The following example shows how to specify the 100VG-AnyLAN port adapter in the first port adapter in slot 1:
Router(config)# interface vg-anylan 1/0/0Related CommandsT
linecard-group feature card
To identify the group ID for a Blade Failure Group, use the linecard-group feature card command in redundancy configuration mode.
linecard-group group-id feature card
Syntax Description
Defaults
No default behavior or values.
Command Modes
Redundancy configuration
Command History
12.2(18)SXE2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
To complete the configuration of a Blade Failure Group, you must add the two IPSec VPN SPAs to the group using the subslot command.
Examples
The following example configures a Blade Failure Group that has a group ID of 1 and consists of two IPSec VPN SPAs—one IPSec VPN SPA is in slot 5, subslot 1 and one IPSec VPN SPA is in slot 6, subslot 1:
Router(config)# redundancyRouter(config-red)# linecard-group 1 feature cardRouter(config-r-lc)# subslot 5/1Router(config-r-lc)# subslot 6/1Related Commands
logging-events (T1-E1 controller)
To show the controller state change and alarms on a controller, use the logging-events command in controller configuration mode. To turn off controller state change reporting, use the no form of the command.
logging-events detail
no logging-events
Syntax Description
Defaults
Logging-events is the default.
Command Modes
Controller configuration
Command History
Usage Guidelines
Use the logging-events command to show the state change and alarms on a controller on an 8-Port Channelized T1/E1 SPA.
Examples
The following shows enabling the logging-events command.
Router(config)#contr e1 2/1/0Router(config-controller)# logging-eventsRelated Commands
controller
Configures a T1, E1, or T3 controller and enters controller configuration mode.
show controller
Displays controller configuration.
loopback (T3-E3 interface)
To loopback at various points in the transmit and receive path, use the loopback command in interface configuration mode. To stop the loopback, use the no form of this command.
PA-T3 Port Adapter
loopback {dte | local | network {line | payload} | remote}
no loopback
PA-E3 Port Adapter
loopback {dte | local | network {line | payload}}
no loopback
T3/E3 Shared Port Adapters
loopback {dte | local | dual | network {line | payload} | remote}
no loopback {dte | local | dual | network {line | payload} | remote}
Syntax Description
Defaults
No loopback by default.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the loopback command to diagnose problems on the local port, between the framer and the line interface unit (LIU) level.
To verify that a loopback is configured on the interface, use the show interfaces serial or show interfaces loopback command.
The dual keyword is not supported on Cisco 7304 routers with the 2-Port and 4-Port Channelized T3 SPA.
Examples
The following example configures the serial interface located in slot 3/0/0 for a local loopback:
Router(config)# interface serial 3/0/0Router(config-if)# loopback localThe following example creates a loopback on slot 5, bay 0 after the LIU towards the terminal.
Router# configure terminalRouter(config)# interface serial 5/0/0Router(config-if)# loopback dteRelated Commands
match vlan inner
To configure a class map to match the innermost VLAN ID in an 802.1q tagged frame, use the match vlan inner command in ATM interface configuration mode. To remove matching on the innermost VLAN ID of an 802.1q tagged frame, use the no form of this command.
match vlan inner vlan-ids
no match vlan inner vlan-ids
Syntax Description
Command Default
Packets are not matched on the basis of incoming dot1q VLAN inner IDs.
Command Modes
Class map configuration
Command History
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(18)SXF
This command was implemented on Cisco 7600 series routers.
Examples
The following example creates a class map that matches packets with a VLAN IDs of 100 to 300.
Router(config)# class-map match-all vlan100Router(config-cmap)# match vlan inner 100Router(config-cmap)# exitRouter(config)# class-map match-all vlan200Router(config-cmap)# match vlan inner 200Router(config-cmap)# exitRouter(config)# class-map match-all vlan300Router(config-cmap)# match vlan inner 300Related Commands
mdl
To configure the Maintenance Data Link (MDL) message defined in the ANSI T1.107a-1990 specification, use the mdl command in controller configuration mode. To remove the message, use the no form of this command.
mdl {transmit {path | idle-signal | test-signal} | string {eic | lic | fic | unit | pfi | port | generator} string}
no mdl {transmit {path | idle-signal | test-signal} | string {eic | lic | fic | unit | pfi | port | generator} string}
Syntax Description
Defaults
No MDL message is configured.
Command Modes
Controller configuration
Command History
Usage Guidelines
Use the mdl command to send messages in maintenance data link in T3 c-bit framing mode.
Note
Examples
The following example shows the mdl commands on a T3 controller in slot 1, port 0:
Router(config)# controller t3 1/0Router(config-controller)# clock source lineRouter(config-controller)# mdl string eic IDRouter(config-controller)# mdl string fic Building BRouter(config-controller)# mdl string unit ABCRouter(config-controller)# mdl string pfi Facility ZRouter(config-controller)# mdl string port Port 7Router(config-controller)# mdl transmit pathRouter(config-controller)# mdl transmit idle-signalRelated Commands
police
To configure traffic policing, use the police command in policy-map class configuration mode or policy-map class police configuration mode. To remove traffic policing from the configuration, use the no form of this command.
police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
no police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
Syntax Description
Defaults
Disabled
Command Modes
Policy-map class configuration (when specifying a single action to be applied to a marked packet)
Policy-map class police configuration (when specifying multiple actions to be applied to a marked packet)
Command History
Usage Guidelines
Use the police command to mark a packet with different quality of service (QoS) values based on conformance to the service-level agreement.
Traffic policing will not be executed for traffic that passes through an interface.
Specifying Multiple Actions
The police command allows you to specify multiple policing actions. When specifying multiple policing actions when configuring the police command, note the following points:
•
•
Using the Police Command with the Traffic Policing Feature
The police command can be used with the Traffic Policing feature. The Traffic Policing feature works with a token bucket algorithm. Two types of token bucket algorithms are in Cisco IOS Release 12.1(5)T: a single-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.
The token bucket algorithm for the police command that was introduced in Cisco IOS Release 12.0(5)XE is different from the token bucket algorithm for the police command introduced in Cisco IOS Release 12.1(5)T. For information on the token bucket algorithm introduced in Release 12.0(5)XE, refer to the Traffic Policing document for Release 12.0(5)XE. This document is available on the New Features for 12.0(5)XE feature documentation index (under Modular QoS CLI-related feature modules) at www.cisco.com.
The following are explanations of how the token bucket algorithms introduced in Cisco IOS Release 12.1(5)T work.
Token Bucket Algorithm with One Token Bucket
The one token bucket algorithm is used when the violate-action option is not specified in the police command command-line interface (CLI).
The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size).
When a packet of a given size (for example, "B" bytes) arrives at specific time (time "T") the following actions occur:
•
(time between packets <which is equal to T - T1> * policer rate)/8 bytes
•
•
Token Bucket Algorithm with Two Token Buckets
The two-token bucket algorithm is used when the violate-action option is specified in the police command CLI.
The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size).
The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size).
The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information rate (CIR).
When a packet of given size (for example, "B" bytes) arrives at specific time (time "T") the following actions occur:
•
The token arrival rate is calculated as follows:
(time between packets <which is equal to T-T1> * policer rate)/8 bytes
•
•
•
Using the set-cos-inner-transmit Action for SIPs and SPAs on the Cisco 7600 Series Router
The set-cos-inner-transmit keyword action was introduced in Cisco IOS Release 12.2(33)SRA to support marking of the inner CoS value as a policing action when using MPB features on the Enhanced FlexWAN module, and when using MPB features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
This command is not supported on the Cisco 7600 SIP-600.
For more information about QoS and the forms of police commands supported by the SIPs on the Cisco 7600 series router, refer to the Cisco 7600 Series SIP, SSC, and SPA Software Configuration Guide.
Examples
Token Bucket Algorithm with One Token Bucket Example
The token bucket algorithm for the police command that was introduced in Cisco IOS Release 12.0(5)XE is different from the token bucket algorithms introduced in Cisco IOS Release 12.1(5)T. The following example is for the token bucket algorithm with one token bucket introduced in Cisco IOS Release 12.1(5)T.
If the violate-action option is not specified when you configure a policy with the police command in Cisco IOS Release 12.1(5)T onward, the token bucket algorithm uses one token bucket. If the violate-action option is specified, the token bucket algorithm uses two token buckets. In the following example, the violate-action option is not specified, so the token bucket algorithm only uses one token bucket.
The following configuration shows users how to define a traffic class (using the class-map command) and associate the match criteria from the traffic class with the traffic policing configuration, which is configured in the service policy (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.
In this particular example, traffic policing is configured with the average rate at 8000 bits per second and the normal burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0:
Router(config)# class-map access-matchRouter(config-cmap)# match access-group 1Router(config-cmap)# exitRouter(config)# policy-map police-settingRouter(config-pmap)# class access-matchRouter(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface fastethernet 0/0Router(config-if)# service-policy output police-settingThe treatment of a series of packets leaving Fast Ethernet interface 0/0 depends on the size of the packet and the number of bytes remaining in the conform bucket. These packets are policed based on the following rules:
•
(time between packets <which is equal to T - T1> * policer rate)/8 bytes
•
•
In this example, the initial token buckets starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the token bucket ((0.25 * 8000)/8), leaving 800 bytes in the token bucket. If the next packet is 900 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are taken from the token bucket.
Token Bucket Algorithm with Two Token Buckets Example
If the violate-action option is specified when you configure a policy with the police command in Cisco IOS Release 12.1(5)T onward, the token bucket algorithm uses two token buckets. The following example uses the token bucket algorithm with two token buckets.
The following configuration shows users how to define a traffic class (using the class-map command) and associate the match criteria from the traffic class with the traffic policing configuration, which is configured in the service policy (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.
In this particular example, traffic policing is configured with the average rate at 8000 bits per second, the normal burst size at 1000 bytes, and the excess burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0.
Router(config)# class-map access-matchRouter(config-cmap)# match access-group 1Router(config-cmap)# exitRouter(config)# policy-map police-settingRouter(config-pmap)# class access-matchRouter(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1 violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface fastethernet 0/0Router(config-if)# service-policy output police-settingThe treatment of a series of packets leaving Fast Ethernet interface 0/0 depends on the size of the packet and the number of bytes remaining in the conform and exceed token buckets. The series of packets are policed based on the following rules:
•
(time between packets <which is equal to T - T1> * policer rate)/8 bytes
•
•
•
In this example, the initial token buckets starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the conform token bucket
((0.25 * 8000)/8), leaving 800 bytes in the conform token bucket. If the next packet is 900 bytes, the packet does not conform because only 800 bytes are available in the conform token bucket.The exceed token bucket, which starts full at 1000 bytes (as specified by the excess burst size) is then checked for available bytes. Because enough bytes are available in the exceed token bucket, the exceed action (set the QoS transmit value of 1) is taken and 900 bytes are taken from the exceed bucket (leaving 100 bytes in the exceed token bucket.
If the next packet arrives 0.40 seconds later, 400 bytes are added to the token buckets ((.40 * 8000)/8). Therefore, the conform token bucket now has 1000 bytes (the maximum number of tokens available in the conform bucket) and 200 bytes overflow the conform token bucket (because it only 200 bytes were needed to fill the conform token bucket to capacity). These overflow bytes are placed in the exceed token bucket, giving the exceed token bucket 300 bytes.
If the arriving packet is 1000 bytes, the packet conforms because enough bytes are available in the conform token bucket. The conform action (transmit) is taken by the packet, and 1000 bytes are removed from the conform token bucket (leaving 0 bytes).
If the next packet arrives 0.20 seconds later, 200 bytes are added to the token bucket ((.20 * 8000)/8). Therefore, the conform bucket now has 200 bytes. If the arriving packet is 400 bytes, the packet does not conform because only 200 bytes are available in the conform bucket. Similarly, the packet does not exceed because only 300 bytes are available in the exceed bucket. Therefore, the packet violates and the violate action (drop) is taken.
Conforming to the MPLS EXP Value Example
The following example shows that if packets conform to the rate limit, the MPLS EXP field is set to 5. If packets exceed the rate limit, the MPLS EXP field is set to 3.
Router(config)# policy-map input-IP-dscpRouter(config-pmap)# class dscp24Router(config-pmap-c)# police 8000 1500 1000Router(config-pmap-c)# conform-action set-mpls-experimental-imposition-transmit 5Router(config-pmap-c)# exceed-action set-mpls-experimental-imposition-transmit 3Router(config-pmap-c)# violate-action dropSetting the Inner CoS Value as an Action for SIPs and SPAs on the Cisco 7600 Series Router Example
The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN) 100 into a class named "vlan-inner-100," and establishes a traffic shaping policy for the vlan-inner-100 class. The service policy limits traffic to an average rate of 500 kbps, with a normal burst of 1000 bytes, a maximum burst of 1500 bytes, and sets the inner CoS value to 3. Since setting of the inner CoS value is only supported with bridging features, the configuration also shows the service policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that bridges traffic into VLAN 100 using the bridge-domain command.
Router(config)# class-map match-all vlan-inner-100Router(config-cmap)# match vlan inner 100Router(config-cmap)# exitRouter(config)# policy-map vlan-inner-100Router(config-pmap-c)# police 500000 1000 1500 conform-action set-cos-inner-transmit 3Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm3/0/0Router(config-if)# pvc 100/100Router(config-if-atm-vc)# bridge-domain 100 dot1qRouter(config-if-atm-vc)# service-policy output vlan-inner-100Router(config-if)# endRelated Commands
police (percent)
To configure traffic policing on the basis of a percentage of bandwidth available on an interface, use the police command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.
police cir percent percentage [burst-in-msec] [bc conform-burst-in-msec ms] [be peak-burst-in-msec ms] [pir percent percentage] [conform-action action [exceed-action action [violate-action action]]]
no police cir percent percentage [burst-in-msec] [bc conform-burst-in-msec ms] [be peak-burst-in-msec ms] [pir percent percentage] [conform-action action [exceed-action action [violate-action action]]]
Syntax Description
Defaults
The default bc and be is 4 ms.
Command Modes
Policy-map class configuration
Command History
Usage Guidelines
This command calculates the cir and pir on the basis of a percentage of the maximum amount of bandwidth available on the interface. When a policy map is attached to the interface, the equivalent cir and pir values in bits per second (bps) are calculated on the basis of the interface bandwidth and the percent value entered with this command. The show policy-map interface command can then be used to verify the bps rate calculated.
The calculated cir and pir bps rates must be in the range of 8000 and 2000000000 bps. If the rates are outside this range, the associated policy map cannot be attached to the interface. If the interface bandwidth changes (for example, more is added), the bps values of the cir and the pir are recalculated on the basis of the revised amount of bandwidth. If the cir and pir percentages are changed after the policy map is attached to the interface, the bps values of the cir and pir are recalculated.
Conform Burst and Peak Burst Sizes in Milliseconds
This command also allows you to specify the values for the conform burst size and the peak burst size in milliseconds. If you want bandwidth to be calculated as a percentage, the conform burst size and the peak burst size must be specified in milliseconds (ms).
Hierarchical Policy Maps
Policy maps can be configured in two-level (nested) hierarchies; a top (or "parent") level and a secondary (or "child") level. The police (percent) command can be configured for use in either a parent or child policy map.
Notes About Bandwidth and Hierarchical Policy Maps
The police (percent) command uses the maximum rate of bandwidth available as the reference point for calculating the bandwidth percentage. When the police (percent) command is configured in a child policy map, the police (percent) command uses the bandwidth amount specified in the next higher-level policy (in this case, the parent policy map). If the parent policy map does not specify the maximum bandwidth rate available, the police (percent) command uses the maximum bandwidth rate available on the next higher level (in this case, the physical interface, the highest point in the hierarchy) as the reference point. The police (percent) command always looks to the next higher level for the bandwidth reference point. The following sample configuration illustrates this point:
Policymap parent_policyclass parentshape average 512000service-policy child_policyPolicymap child_policyclass normal_typepolice cir percent 30In this sample configuration, there are two hierarchical policies; one called parent_policy and one called child_policy. In the policy map called child_policy, the police command has been configured in the class called normal_type. In this class, the percentage specified by for the police (percent) command is 30 percent. The command will use 512 kbps, the peak rate, as the bandwidth reference point for class parent in the parent_policy. The police (percent) command will use 512 kbps as the basis for calculating the cir rate (512 kbps * 30 percent).
interface serial 4/0service-policy output parent_policyPolicymap parent_policyclass parentbandwidth 512service-policy child_policyIn the above example, there is one policy map called parent_policy. In this policy map, a peak rate has not been specified. The bandwidth command has been used, but this command does not represent the maximum rate of bandwidth available. Therefore, the police (percent) command will look to the next higher level (in this case serial interface 4/0) to get the bandwidth reference point. Assuming the bandwidth of serial interface 4/0 is 1.5 Mbps, the police (percent) command will use 1.5 Mbps as the basis for calculating the cir rate (1500000 * 30 percent).
How Bandwidth Is Calculated
The police (percent) command is often used in conjunction with the bandwidth and priority commands. The bandwidth and priority commands can be used to calculate the total amount of bandwidth available on an entity (for example, a physical interface). When the bandwidth and priority commands calculate the total amount of bandwidth available on an entity, the following guidelines are invoked:
•
•
–
–
For more information on bandwidth allocation, refer to the" Congestion Management Overview " chapter in the Cisco IOS Quality of Service Solutions Configuration Guide.
Using the set-cos-inner-transmit Action for SIPs and SPAs on the Cisco 7600 Series Router
The set-cos-inner-transmit keyword action was introduced in Cisco IOS Release 12.2(33)SRA to support marking of the inner CoS value as a policing action when using MPB features on the Enhanced FlexWAN module, and when using MPB features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
This command is not supported on the Cisco 7600 SIP-600.
For more information about QoS and the forms of police commands supported by the SIPs on the Cisco 7600 series router, refer to the Cisco 7600 Series SIP, SSC, and SPA Software Configuration Guide.
Examples
The following example configures traffic policing using a CIR and a PIR on the basis of a percentage of bandwidth. In this example, a CIR of 20 percent and a PIR of 40 percent have been specified. Additionally, an optional bc value and be value (300 ms and 400 ms, respectively) have been specified.
Router> enableRouter# configure terminalRouter(config)# policy-map policy1Router(config-pmap)# class class1Router(config-pmap-c)# police cir percent 20 bc 300 ms be 400 ms pir percent 40Router(config-pmap-c-police)# exitAfter the policy map and class maps are configured, the policy map is attached to interface as shown in the following example.
Router> enableRouter# configure terminalRouter(config)#interface serial4/0Router(config-if)#service-policy input policy1Router(config-if)# exitSetting the Inner CoS Value as an Action for SIPs and SPAs on the Cisco 7600 Series Router Example
The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN) 100 into a class named "vlan-inner-100," and establishes a traffic shaping policy for the vlan-inner-100 class. The service policy limits traffic to a CIR of 20 percent and a PIR of 40 percent , with an conform burst (bc) of 300 ms, and peak burst (be) of 400 ms, and sets the inner CoS value to 3. Since setting of the inner CoS value is only supported with bridging features, the configuration also shows the service policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that bridges traffic into VLAN 100 using the bridge-domain command.
Router(config)# class-map match-all vlan-inner-100Router(config-cmap)# match vlan inner 100Router(config-cmap)# exitRouter(config)# policy-map vlan-inner-100Router(config-pmap-c)# police cir percent 20 bc 300 ms be 400 ms pir percent 40 conform-action set-cos-inner-transmit 3Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm3/0/0Router(config-if)# pvc 100/100Router(config-if-atm-vc)# bridge-domain 100 dot1qRouter(config-if-atm-vc)# service-policy output vlan-inner-100Router(config-if)# endRelated Commands
