Configuring PRP

Information About PRP

Parallel Redundancy Protocol (PRP) is defined in the International Standard IEC 62439-3. PRP is designed to provide hitless redundancy (zero recovery time after failures) in Ethernet networks.


Note


PRP is supported on IE9300, IE3400, and IE3400H switches running IOS XE. PRP is not supported on the IE3200 and IE3300 series of switches.


To recover from network failures, redundancy can be provided by network elements connected in mesh or ring topologies using protocols like RSTP, REP, or MRP, where a network failure causes some reconfiguration in the network to allow traffic to flow again (typically by opening a blocked port). These redundancy schemes can take from a few milliseconds to a few seconds for the network to recover and traffic to flow again.

PRP uses a different scheme, where the end nodes implement redundancy (instead of network elements) by connecting two network interfaces to two independent, disjointed, parallel networks (LAN-A and LAN-B). Each of these Dually Attached Nodes (DANs) then has redundant paths to all other DANs in the network.

The DAN sends two packets simultaneously through its two network interfaces to the destination node. A redundancy control trailer (RCT), which includes a sequence number, is added to each frame to help the destination node distinguish between duplicate packets. When the destination DAN receives the first packet successfully, it removes the RCT and consumes the packet. If the second packet arrives successfully, it is discarded. If a failure occurs in one of the paths, traffic continues to flow over the other path uninterrupted, and zero recovery time is required.

Non-redundant endpoints in the network that attach only to either LAN-A or LAN-B are known as Singly Attached Nodes (SANs).

A Redundancy Box (RedBox) is used when an end node that does not have two network ports and does not implement PRP needs to implement redundancy. Such an end node can connect to a RedBox, which provides connectivity to the two different networks on behalf of the device. Because a node behind a RedBox appears to other nodes as a DAN, it is called a Virtual DAN (VDAN). The RedBox itself is a DAN and acts as a proxy on behalf of its VDANs.

Figure 1. PRP Redundant Network

To manage redundancy and check the presence of other DANs, a DAN periodically sends Supervision frames and can evaluate the Supervision frames sent by other DANs.

Role of the Switch

The IE 3400 switch implements RedBox functionality using Gigabit Ethernet port connections to each of the two LANs.

PRP Channels

A PRP channel or channel group is a logical interface that aggregates two Gigabit Ethernet interfaces (access, trunk, or routed) into a single link. In the channel group, the lower numbered Gigabit Ethernet member port is the primary port and connects to LAN-A. The higher numbered port is the secondary port and connects to LAN-B.

The PRP channel remains up as long as at least one of these member ports remains up and sends traffic. When both member ports are down, the channel is down. The total number of supported PRP channel groups is 2 per switch. The interfaces that you can use for each group on each switch series are fixed, as shown in the following table.

Platform             Channel Group   Ports
IE3400               Channel 1       Gig1/1 (LAN-A) and Gig1/2 (LAN-B) or Gig1/3 (LAN-A) and Gig1/4 (LAN-B)
IE3400               Channel 2       Gig2/1 (LAN-A) and Gig2/2 (LAN-B)
IE3400-H (X-Coded)   Channel 1       Gig1/1 (LAN-A) and Gig1/2 (LAN-B)
IE3400-H (X-Coded)   Channel 2       Gig1/9 (LAN-A) and Gig1/10 (LAN-B)
IE3400-H (D-Coded)   Channel 1       Fa1/1 (LAN-A) and Fa1/2 (LAN-B)
IE3400-H (D-Coded)   Channel 2       Fa1/9 (LAN-A) and Fa1/10 (LAN-B)


Note


  • Switch ports that are not part of PRP can function normally and can be used just like any other port.

  • PoE Functionality is not affected and works as usual on the PRP-enabled port.


Mixed Traffic and Supervision Frames

Traffic egressing the RedBox PRP channel group can be mixed, that is, destined to either SANs (connected only on either LAN-A or LAN-B) or DANs. To avoid duplication of packets for SANs, the switch learns source MAC addresses from received supervision frames for DAN entries and source MAC addresses from non-PRP (regular traffic) frames for SAN entries and maintains these addresses in the node table. When forwarding packets out the PRP channel to SAN MAC addresses, the switch looks up the entry and determines which LAN to send to rather than duplicating the packet.

A RedBox with VDANs needs to send supervision frames on behalf of those VDANs. For traffic coming in on all other ports and going out PRP channel ports, the switch learns source MAC addresses, adds them to the VDAN table, and starts sending supervision frames for these addresses. Learned VDAN entries are subject to aging.

You can add static entries to the node and VDAN tables as described in Adding Static Entries to the Node and VDAN Tables. You can also display the node and VDAN tables and clear entries. See Verifying Configuration and Clearing All Node Table and VDAN Table Dynamic Entries.
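
The receive-side behavior described in Information About PRP (RCT sequence numbers and duplicate discard) and in this section (node-table learning and the choice of egress LAN) can be modeled in a few lines. This is an added Python example, not Cisco's implementation: the RCT field layout (16-bit sequence number, 4-bit LAN ID, 12-bit LSDU size, 16-bit suffix 0x88FB) comes from IEC 62439-3 rather than from this page, and the 400 ms entry lifetime, the table capacity of 2, the class and function names, and the MAC labels are assumptions chosen for the demonstration.

```python
import struct

PRP_SUFFIX = 0x88FB            # RCT suffix (IEC 62439-3)
LAN_ID = {"A": 0xA, "B": 0xB}  # 4-bit LAN identifier carried in the RCT
RCT_LEN = 6                    # the 6-byte trailer behind the MTU 1506 guidance
ENTRY_FORGET_MS = 400          # assumed lifetime of a duplicate-detection entry


def add_rct(payload, seq, lan):
    """Sender side: append sequence number, LAN ID + LSDU size, and suffix."""
    size = (len(payload) + RCT_LEN) & 0x0FFF
    return payload + struct.pack(
        "!HHH", seq & 0xFFFF, (LAN_ID[lan] << 12) | size, PRP_SUFFIX)


def parse_rct(lsdu):
    """Return (seq, payload) when the frame ends in a consistent RCT, else None."""
    if len(lsdu) < RCT_LEN:
        return None
    seq, lan_size, suffix = struct.unpack("!HHH", lsdu[-RCT_LEN:])
    # Suffix, LAN ID and size must all agree; a payload that merely ends in
    # 0x88FB is ordinary (SAN) traffic and must not be stripped.
    if suffix != PRP_SUFFIX or (lan_size >> 12) not in LAN_ID.values():
        return None
    if (lan_size & 0x0FFF) != len(lsdu):
        return None
    return seq, lsdu[:-RCT_LEN]


class RedBox:
    """Receive-side model: duplicate discard plus node-table learning."""

    def __init__(self, node_capacity=512):
        self.node_capacity = node_capacity
        self.nodes = {}   # mac -> ("DAN", None) or ("SAN", "A" / "B")
        self.seen = {}    # (source mac, seq) -> arrival time in ms

    def _learn(self, mac, kind, lan=None):
        known = self.nodes.get(mac)
        if known and known[0] == "DAN" and kind == "SAN":
            return        # assumption: a DAN entry is never downgraded
        if known or len(self.nodes) < self.node_capacity:
            self.nodes[mac] = (kind, lan)
        # Otherwise the table is full and nothing is stored, so
        # egress_lans() falls back to treating the node as a DAN.

    def receive(self, src, lsdu, lan, now_ms, supervision=False):
        """Return the payload handed to the upper layer, or None if consumed."""
        # Age out old entries: sequence numbers are 16 bits and wrap around.
        self.seen = {k: t for k, t in self.seen.items()
                     if now_ms - t < ENTRY_FORGET_MS}
        if supervision:
            self._learn(src, "DAN")
            return None
        rct = parse_rct(lsdu)
        if rct is None:
            self._learn(src, "SAN", lan)   # non-PRP frame: SAN on this LAN
            return lsdu
        seq, payload = rct
        if (src, seq) in self.seen:
            return None                    # second copy from the other LAN
        self.seen[(src, seq)] = now_ms
        return payload

    def egress_lans(self, dst):
        """One LAN for a known SAN, both LANs for a DAN or an unknown node."""
        kind, lan = self.nodes.get(dst, ("DAN", None))
        return (lan,) if kind == "SAN" else ("A", "B")


def demo():
    """Constructed traffic; MAC labels such as 'dan1' are placeholders."""
    rb = RedBox(node_capacity=2)
    rb.receive("dan1", add_rct(b"sv", 1, "A"), "A", 0, supervision=True)
    delivered = [
        rb.receive("dan1", add_rct(b"hello", 7, "A"), "A", 10),   # first copy
        rb.receive("dan1", add_rct(b"hello", 7, "B"), "B", 11),   # duplicate
        rb.receive("san1", b"data\x88\xfb", "B", 20),             # SAN, ends in 0x88FB
        rb.receive("san2", b"plain", "A", 30),                    # table already full
        rb.receive("dan1", add_rct(b"later", 7, "A"), "A", 410),  # seq reused after aging
    ]
    return delivered, [rb.egress_lans(m) for m in ("dan1", "san1", "san2")]


if __name__ == "__main__":
    print(demo())
```

The last entry shows why a full node table costs bandwidth: san2 could not be learned, so frames to it are duplicated onto both LANs as if it were a DAN.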

PTP over PRP

Precision Time Protocol (PTP) can operate over Parallel Redundancy Protocol (PRP). PRP provides high availability through redundancy for PTP. For a description of PTP, see Configuring Precision Time Protocol.

The PRP method of achieving redundancy by parallel transmission over two independent paths (see Information About PRP) does not work for PTP as it does for other traffic. The delay experienced by a frame is not the same in the two LANs, and some frames are modified in the transparent clocks (TCs) while transiting through the LAN. A Dually Attached Node (DAN) does not receive the same PTP message from both ports even when the source is the same. Specifically:

  • Sync/Follow_Up messages are modified by TCs to adjust the correction field.

  • Boundary Clocks (BCs) present in the LAN are not PRP-aware and would generate their own Announce and Sync frames with no Redundancy Control Trailer (RCT) appended.

  • Follow_Up frames are generated by every 2-step clock and carry no RCT.

  • TCs are not PRP-aware and not obliged to forward the RCT, which is a message part that comes after the payload.

Previously, PTP traffic was allowed only on LAN-A to avoid the issues with PTP and parallel transmission described earlier. However, if LAN-A went down, PTP synchronization was lost. To enable PTP to leverage the benefit of redundancy offered by the underlying PRP infrastructure, PTP packets over PRP networks are handled differently than other types of traffic. The implementation of the PTP over PRP feature is based on the PTP over PRP operation that is detailed in IEC 62439-3:2016, Industrial communication networks - High availability automation networks - Part 3: Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR). This approach overcomes the problems mentioned earlier by not appending an RCT to PTP packets and bypassing the PRP duplicate/discard logic for PTP packets.

PTP over PRP Packet Flow

The following figure illustrates the operation of PTP over PRP.

Figure 2. PTP over PRP Packet Flow

In the figure, VDAN 1 is the grandmaster clock (GMC). Dually attached devices receive PTP synchronization information over both their PRP ports. The LAN-A port and LAN-B port use a different virtual clock that is synchronized to the GMC. However, only one of the ports (referred to as time recipient) is used to synchronize the local clock (VDAN 2 in the figure). While the LAN-A port is the time recipient, the LAN-A port’s virtual clock is used to synchronize VDAN-2. The other PRP port, LAN-B, is referred to as PASSIVE. The LAN-B port’s virtual clock is still synchronized to the same GMC, but is not used to synchronize VDAN 2.

If LAN-A goes down, the LAN-B port takes over as the time recipient and is used to continue synchronizing the local clock on RedBox 2. VDAN 2 attached to RedBox 2 continues to receive PTP synchronization from RedBox 2 as before. Similarly, all DANs, VDANs, and Redboxes shown in the figure continue to remain synchronized. Note that for SANs, redundancy is not available, and in this example, SAN 1 loses synchronization if LAN-A goes down.

Due to the change, VDAN 2 may experience an instantaneous shift in its clock due to the offset between the LAN-A port’s virtual clock and the LAN-B port’s virtual clock. The magnitude of the shift should only be a few microseconds at the most, because both clocks are synchronized to the same GMC. The shift also occurs when the LAN-A port comes back as time recipient and the LAN-B port becomes PASSIVE.


Note


Cisco is moving from the traditional Master/Slave nomenclature. In this document, the terms Grandmaster clock (GMC) or time source and time recipient are used instead.


Supported Location of GMC

The GMC can be located in a PTP over PRP topology as one of the following:

  • A Redbox that is connected to both LAN A and LAN B (for example, RedBox 1 in the preceding diagram).

  • A VDAN (for example, VDAN 1 in the preceding diagram).

  • A DAN (for example, the DAN in the preceding diagram).

The GMC cannot be a SAN attached to LAN-A or LAN-B, because only the devices in LAN-A or LAN-B will be synchronized to the GMC.

Configuration

PTP over PRP does not require configuration beyond how you would normally configure PTP and PRP separately, and there is no user interface added for this feature. The difference is that before the PTP over PRP feature, PTP worked over LAN-A only; now it works over both LANs. Before implementing PTP over PRP, refer to Guidelines and Limitations.

The high-level workflow to implement PTP over PRP in your network is as follows:

  1. Refer to PRP RedBox Types to determine the location of the PRP RedBox. Refer to Configuring Precision Time Protocol to determine PTP mode and profile.

  2. Configure PTP as described in Configuring Precision Time Protocol, following the procedure for the PTP profile determined in step 1.

  3. Configure PRP as described in Creating a PRP Channel and Group.

Supported PTP Profiles and Clock Modes

The following table summarizes PTP over PRP support for the various PTP profiles and clock modes. In unsupported PTP profile/clock mode combinations, PTP traffic flows over LAN-A only. LAN-A is the lower numbered interface. See PRP Channels for PRP interface numbers.

PTP Profile                                  Clock Mode   Supported?   PRP RedBox type as per IEC 62439-3
Delay Request-Response Default PTP profile   BC           Yes          PRP RedBox as doubly attached BC (DABC) with E2E
Delay Request-Response Default PTP profile   E2E TC       No           PRP RedBox as doubly attached TC (DATC) with E2E
Power Profile                                BC           Yes          PRP RedBox as doubly attached BC (DABC) with P2P
Power Profile                                P2P TC       Yes          PRP RedBox as doubly attached TC (DATC) with P2P

PRP RedBox Types

The switch plays the role of a RedBox in PRP networks. This section describes the types of PRP RedBoxes supported for PTP over PRP as defined in IEC 62439-3.

PRP RedBox as a Doubly Attached BC (DABC) with E2E

In the configuration shown below, two RedBoxes (for example, M and S) are configured as Boundary Clocks (BCs) that use the End-to-End delay measurement mechanism and IEEE1588v2 Default Profile. The Best Master Clock Algorithm (BMCA) on RedBox M determines port A and port B to be connected to the time source. The PTP protocol running on Redbox M treats both ports A and B individually as time source ports and sends out Sync and Follow_Up messages individually on both the ports.

Figure 3. PRP Redbox as DABC with E2E

On Redbox S, the regular BMCA operation determines port A to be a time recipient and port B to be PASSIVE. However, with the knowledge that ports A and B are part of the same PRP channel, port B is forced into PASSIVE_SLAVE state. Port A and Port B on Redbox S operate as follows:

  • Port A works as a regular time recipient port. It uses the end-to-end delay measurement mechanism to calculate delay and offset from the time source. Using the calculated delay and offset, it synchronizes the local clock.

  • Port B is in PASSIVE_SLAVE state. It uses the end-to-end delay measurement mechanism to calculate delay and offset from the time source.

    It is passive in the sense that it maintains the calculated delay and offset, but does not perform any operation on the local clock. Having the delay and offset information readily available equips it to seamlessly change its role to time recipient if there is loss of connectivity to the time source on port A.

PRP RedBox as Doubly Attached BC (DABC) with P2P

The following figure shows an example where Redbox M and Redbox S are configured to run in Power Profile as Boundary Clocks that use Peer-to-Peer (P2P) delay measurement mechanism. In this example, the GMC is the ordinary clock attached through LAN C. All the clocks are configured to run Peer-to-Peer Delay measurement and the peer delay is regularly calculated and maintained on every link shown in the figure.

The BMCA on Redbox M determines ports A and B to be connected to the time source. The PTP protocol running on Redbox M treats both ports A and B individually as time source ports and sends out Sync and Follow_Up messages individually on both the ports.

Figure 4. PRP Redbox as DABC with P2P

On Redbox S, the regular BMCA operation determines port A to be time recipient and port B to be PASSIVE. However, with the knowledge that ports A and B are part of the same PRP channel, port B is forced into PASSIVE_SLAVE state. Port A and Port B on Redbox S operate as follows:

  • Port A works as a regular time recipient port. It uses the Sync and Follow_Up messages along with their correction field to calculate the delay and offset from time source and synchronize the local clock. (Unlike an E2E BC, it does not need to generate Delay_Req messages because all the link delays and residence times along the PTP path are accumulated in the correction field of the Follow_Up messages).

  • Port B is in PASSIVE_SLAVE state. Like port A, it maintains the delay and offset from time source, but does not perform any operation on the local clock. Having all the synchronization information available enables it to seamlessly take over as the new time recipient in case port A loses communication with the GM.

PRP RedBox as Doubly Attached TC (DATC) with P2P

The following figure shows an example where Redbox M and Redbox S are configured to run in Power Profile mode as Transparent Clocks. In this example, the GMC is the ordinary clock attached through LAN C. All the clocks are configured to run Peer-to-Peer Delay measurement and the peer delay is regularly calculated and maintained on every link shown in the figure.

Redbox M and Redbox S run BMCA even though it is not mandatory for a P2P TC to run BMCA. On Redbox M, the BMCA determines ports A and B to be connected to the time source. Redbox M forwards all Sync and Follow_Up messages received on port C out of ports A and B.

Figure 5. PRP Redbox as DATC with P2P

On Redbox S, port A is determined to be time recipient and port B to be PASSIVE_SLAVE as described earlier. Port A and Port B on Redbox S operate as follows:

  • Port A works as a regular time recipient port. It uses the Sync and Follow_Up messages along with their correction field to calculate the delay and offset from time source and synchronize the local clock. (Unlike an E2E BC, it does not need to generate Delay_Req messages since all the link delays and residence times along the PTP path are accumulated in the correction field of the Follow_Up messages).

  • Like port A, port B maintains the delay and offset from time source, but does not perform any operation on the local clock. Having all the synchronization information available enables it to seamlessly take over as the new time recipient in case port A loses communication with the GMC.

LAN-A and LAN-B Failure Detection and Handling

Failures in LAN-A and LAN-B are detected and handled in the same way for all Redbox types described in PRP RedBox Types.

Using the example shown in PRP Redbox as DATC with P2P with the GMC as a SAN in LAN C, a failure in LAN-A or LAN-B pertaining to PTP can occur due to the following reasons:

  • A device within the LAN goes down.

  • A link within the LAN goes down resulting in loss of connectivity.

  • PTP messages are dropped within the LAN.

These events result in PTP Announce Receipt Timeout on Redbox S, which triggers the BMCA calculation. Refer to section 7.7.3.1 of the IEEE 1588v2 standard for details on Announce Receipt Timeout.

The BMCA, once invoked, changes the state of the PASSIVE_SLAVE port to time recipient and time recipient to PASSIVE_SLAVE or PASSIVE or FAULTY. The state changes are done atomically to avoid transient cases where there are two time recipient ports or two PASSIVE_SLAVE ports.

Redbox S now synchronizes to the GMC over the new time recipient port. The change to synchronization should be quick and seamless, unless the delays experienced by PTP packets on the two LANs are very different or if there are some non-PTP devices in the LANs.

The SAN time recipient in LAN D also sees this shift in the timing from Redbox S and needs to converge to the new clock. This is similar to a GMC change event for this clock, but as mentioned earlier, the change is usually seamless.

VLAN Tag in Supervision Frame

From Cisco IOS XE Release 17.16.1, the Parallel Redundancy Protocol (PRP) supports a VLAN-aware mode that allows supervision frames to be tagged with VLAN IDs. This helps to manage large networks by breaking them into smaller, more manageable VLAN domains, reducing the load on the Node Table and preventing overloads.

With the three new CLI commands, vlan-aware-enable, vlan-aware-allowed-vlan, and vlan-aware-reject-untagged, you can enable or disable the PRP Supervision VLAN Aware mode, configure allowed VLANs, and reject untagged supervision frames. For configuration information, see Configuring PRP Channel with Supervision Frame VLAN Tagging.

The switch supports VLAN tagging for supervision frames. PRP VLAN tagging requires that PRP interfaces be configured in trunk mode. This feature allows you to specify a VLAN ID in the supervision frames for a PRP channel.

In the example configuration below, PRP channel 1 interface is configured in trunk mode with allowed VLANs 10 and 20. Supervision frames are tagged with VLAN ID 10. Redbox1 sends Supervision frames on behalf of VDANs with the PRP VLAN ID, but the regular traffic from VDANs goes over the PRP channel based on the PRP trunk VLAN configuration.

Figure 6. VLAN tagging in supervision frames

See Configuring PRP Channel with Supervision Frame VLAN Tagging for configuration information.

TrustSec Configuration on PRP Interface

You can configure TrustSec on member interfaces of a PRP channel. This feature is supported on IE3400 and IE3400H switches only.

Because TrustSec is supported only on physical interfaces, you cannot configure TrustSec on the logical PRP channel interface. A PRP channel includes two interfaces, for example, Gi1/1 and Gi1/2. To configure TrustSec on interfaces that are members of a PRP channel, ensure that the following conditions are met:

  • The Network Advantage license is required to use TrustSec.

  • Configure TrustSec on each interface first, before it is part of the PRP channel.

  • The TrustSec configuration on both PRP channel interfaces must be the same to allow inline tagging and propagation with LAN-A and LAN-B as expected.

You can configure the PRP channel interfaces using the interface range <> command or by configuring each individual interface, as shown in the following examples.

Valid Configuration

This example shows configuring TrustSec on each interface one at a time and then making that individual interface part of a PRP channel. In the configuration example below, the interfaces are in access mode. All traffic including supervision frames will be sent natively on vlan 10.


switch#configure terminal
switch(config)#int gi1/1 
switch(config-if)#switchport mode access 
switch(config-if)#switchport access vlan 30 
switch(config-if)#cts manual 
switch(config-if-cts-manual)#policy static sgt 1000 trusted 
switch(config-if-cts-manual)#exit 
switch(config-if)#prp-channel-group 1 
Creating a PRP-channel interface PRP-channel 1 

switch(config-if)# 
switch(config-if)#int gi1/2 
switch(config-if)#switchport mode access 
switch(config-if)#switchport access vlan 30 
switch(config-if)#cts manual 
switch(config-if-cts-manual)#policy static sgt 1000 trusted 
switch(config-if-cts-manual)#exit 
switch(config-if)#prp-channel-group 1 
switch(config-if)#end

This example shows configuring TrustSec on a range of interfaces and then making the interfaces part of a PRP channel.


switch#configure terminal
switch(config)#int range gi1/1-2
switch(config-if-range)#switchport mode access
switch(config-if-range)#switchport access vlan 30
switch(config-if-range)#cts manual
switch(config-if-cts-manual)#policy static sgt 1000 trusted
switch(config-if-cts-manual)#exit
switch(config-if-range)#prp-channel-group 1
Creating a PRP-channel interface PRP-channel 1

The configuration in the following example is invalid because the interface is configured as a member of a PRP channel before the attempt to configure TrustSec.


switch#configure terminal
switch(config)#int gi1/1 
switch(config-if)#prp-channel-group 1 
Creating a PRP-channel interface PRP-channel 1 

switch(config-if)#switchport mode access 
switch(config-if)#switchport access vlan 30 
switch(config-if)#cts manual 
Interface is a member of a port channel. To change CTS first remove from port channel.
switch(config-if)#

Prerequisites

  • IE3400, IE3400 with IEM-3400 or IE3400H.

  • Network Advantage License

  • Cisco IOS XE 17.4 or greater for two PRP channel support

Guidelines and Limitations

  • PRP traffic load cannot exceed 90% bandwidth of the Gigabit Ethernet interface channels.

  • Because PRP DANs and RedBoxes add a 6-byte PRP trailer to the packet, PRP packets can be dropped by some switches with a maximum transmission unit (MTU) size of 1500. To ensure that all packets can flow through the PRP network, increase the MTU size for switches within the PRP LAN-A and LAN-B network to 1506 as follows:

    • system mtu 1506

    • system mtu jumbo 1506

  • A PRP channel must have two active ports that are configured within a channel to remain active and maintain redundancy.

  • Both interfaces within a channel group must have the same configuration.

  • For Layer 3, you must configure the IP address on the PRP channel interface.

  • To configure supervision frame VLAN tagging, you must configure interfaces in trunk mode.

    You cannot configure access mode on PRP interfaces when supervision frame vlan tag configuration exists. If you attempt to configure access mode on a PRP interface with supervision frame VLAN tagging, the system displays this message:

    %PRP_MSG-4-PRP_VLANTAG: Warning: Do not configure access mode for PRP interfaces with tagged supervision frames.

  • Load-balancing is not supported.

  • UDLD must be disabled on interfaces where PRP is enabled, especially if the interfaces have media-type sfp.

  • The spanning-tree bpdufilter enable command is required on the prp-channel interface. Spanning-tree BPDU filter drops all ingress/egress BPDU traffic. This command is required to create independent spanning-tree domains (zones) in the network.

  • The spanning-tree portfast edge trunk command is optional on the prp-channel interface but highly recommended. It improves the spanning-tree converge time in PRP LAN-A and LAN-B.

  • The show interface g1/1 or show interface g1/2 command should not be used to read PRP statistics if these interfaces are PRP channel members because the counter information can be misleading. Use the show interface prp-channel [1 | 2 ] command instead.

  • The Protocol status displays incorrectly for the Layer type = L3 section when you enter the show prp channel detail command. Refer to the Ports in the group section of the output for the correct Protocol status (CSCur88178). The following example shows output for the IE5000 series switches:

    
    show prp channel detail
     
    PRP-channel listing: 
    --------------------
    PRP-channel: PR1
    ------------
    Layer type = L3
     Ports: 2       Maxports = 2
     Port state = prp-channel is Inuse
     Protocol = Disabled
     
    Ports in the group:
      1) Port: Gi1/17
       Logical slot/port = 1/17 Port state = Inuse
       Protocol = Enabled
      2) Port: Gi1/18
       Logical slot/port = 1/19 Port state = Inuse
       Protocol = Enabled
    
  • On IE3400 and IE3400H, PRP does not allow member ports in a PRP channel to be shut down. For example, issuing a shut on gi1/3 or gi1/4 when it is part of a PRP channel is not allowed.

    If you attempt to execute shut on a PRP member interface, the following message is displayed:

    
    switch(config)#int gi 1/3
    switch(config-if)#shut
    %Interface GigabitEthernet1/3 is configured in PRP-channel group, shutdown not permitted!
    
  • When an individual PRP interface goes down, show interface status continues to show a status of UP for the link. This is because the port status is controlled by the PRP module. Use the show prp channel command to confirm the status of the links, which will indicate if a link is down.

    The following example shows the output for the show prp channel command:

    
    show prp channel 2 detail
    PRP-channel: PR2
    ------------
    Layer type = L2
    Ports: 2 Maxports = 2
    Port state = prp-channel is Inuse
    Protocol = Enabled
    Ports in the group:
    1) Port: Gi1/3
    Logical slot/port = 1/3 Port state = Inuse
    Protocol = Enabled
    2) Port: Gi1/4
    Logical slot/port = 1/4 Port state = Not-Inuse (link down)
    Protocol = Enabled
  • PRP functionality can be managed using the CIP protocol. The following CIP commands for PRP are available on the IE3400:

    • show cip object prp <0-2>

    • show cip object nodetable <0-2>

  • The IE3400 does not have a separate PRP/HSR mode LED, unlike the IE4000 that has a PRP/HSR LED on the switch faceplate.

  • PRP is not supported on the IE3200 and IE3300 series of switches.

  • When an individual HSR interface goes down, show interface status continues to show a status of UP for the link. This is because the port status is controlled by the HSR/PRP module. Use the show hsr channel command to confirm the status of the links, which indicates if a link is down. The following example shows the output for the show hsr ring command:

    Switch1# show hsr ring 1 detail
    HSR-ring: HS1
    Layer type = L2
     Operation Mode = mode-H
     Ports: 2       Maxports = 2
     Port state = hsr-ring is Inuse
     Protocol = Enabled  Redbox Mode = hsr-san
    Ports in the ring:
      1) Port: Gi1/3
       Logical slot/port = 1/3      Port state = Inuse
            Protocol = Enabled
      2) Port: Gi1/4
       Logical slot/port = 1/4      Port state = Not-Inuse (link down)
            Protocol = Enabled
    Ring Parameters:
     Redbox MacAddr: 34c0.f958.ee83
     Node Forget Time: 60000 ms
     Node Reboot Interval: 500 ms
     Entry Forget Time: 400 ms
     Proxy Node Forget Time: 60000 ms
     Supervision Frame COS option: 0
     Supervision Frame CFI option: 0
     Supervision Frame VLAN Tag option: Disabled
     Supervision Frame MacDa: 0x00
     Supervision Frame VLAN id: 0
     Supervision Frame Time: 3 ms
     Life Check Interval: 2000 ms
     Pause Time: 25 ms
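
Several of the conditions above and in TrustSec Configuration on PRP Interface can be checked offline against a saved configuration: two member ports per channel, identical member configuration, matching TrustSec policy on both members, UDLD disabled, BPDU filter on the PRP channel interface, and trunk mode when supervision frames are VLAN tagged. The following is an added Python example, not a Cisco tool. The running-config fragments are constructed, and the stanza layout, the interface name PRP-channel1, and the finding codes are assumptions.

```python
import re
from collections import defaultdict

# Constructed running-config fragments for illustration, not captured from a switch.
BAD_CONFIG = """\
prp channel-group 1 supervisionFrameOption vlan-tagged
!
interface GigabitEthernet1/1
 switchport mode access
 cts manual
  policy static sgt 1000 trusted
 udld port disable
 prp-channel-group 1
!
interface GigabitEthernet1/2
 switchport mode access
 cts manual
  policy static sgt 2000 trusted
 prp-channel-group 1
!
interface PRP-channel1
 switchport mode access
!
"""

GOOD_CONFIG = """\
prp channel-group 1 supervisionFrameOption vlan-tagged
!
interface GigabitEthernet1/1
 switchport mode trunk
 cts manual
  policy static sgt 1000 trusted
 udld port disable
 prp-channel-group 1
!
interface GigabitEthernet1/2
 switchport mode trunk
 cts manual
  policy static sgt 1000 trusted
 udld port disable
 prp-channel-group 1
!
interface PRP-channel1
 switchport mode trunk
 spanning-tree bpdufilter enable
!
"""


def parse_interfaces(config):
    """Map each interface name to the stripped lines of its stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[:1].isspace() and current and raw.strip():
            interfaces[current].append(raw.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces


def audit_prp(config):
    """Return a sorted list of (channel group, finding code) tuples."""
    ifaces = parse_interfaces(config)
    groups = defaultdict(list)
    for name, lines in ifaces.items():
        for line in lines:
            m = re.fullmatch(r"prp-channel-group (\d+)", line)
            if m:
                groups[m.group(1)].append(name)
    tagged = set(re.findall(
        r"^prp channel-group (\d+) supervisionFrameOption vlan-tagged$", config, re.M))
    findings = set()
    for gid, members in groups.items():
        cfgs = [ifaces[m] for m in members]
        if len(members) != 2:
            findings.add((gid, "NEED_TWO_MEMBERS"))
        if len({tuple(sorted(c)) for c in cfgs}) > 1:
            findings.add((gid, "MEMBER_CONFIG_MISMATCH"))
        cts = {tuple(l for l in c if l.startswith(("cts ", "policy "))) for c in cfgs}
        if len(cts) > 1:
            findings.add((gid, "TRUSTSEC_MISMATCH"))
        if any("udld port disable" not in c for c in cfgs):
            findings.add((gid, "UDLD_NOT_DISABLED"))
        if gid in tagged and any("switchport mode trunk" not in c for c in cfgs):
            findings.add((gid, "TAGGED_SUPERVISION_NEEDS_TRUNK"))
        channel = next((v for k, v in ifaces.items()
                        if re.fullmatch(r"prp-channel\s*" + gid, k, re.I)), [])
        if "spanning-tree bpdufilter enable" not in channel:
            findings.add((gid, "BPDUFILTER_MISSING"))
    return sorted(findings)


if __name__ == "__main__":
    for group, code in audit_prp(BAD_CONFIG):
        print(f"PRP channel {group}: {code}")
```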

PRP Supervision Frame VLAN Aware

  • Applicable for the IE3400/H platforms.

  • Disabled by default.

  • To activate the VLAN Aware feature, configure the PRP channel in trunk mode.

  • The vlan-aware-allowed-vlan config is activated only when the vlan-aware mode is enabled.


    Note


    When the PRP VLAN aware feature is enabled, the following syslog message is displayed:

    %PRP_MSG-4-PRP_VLANTAG: Warning: Please do not configure access mode for PRP interfaces with tagged supervision frames.


  • When vlan-aware is enabled, the prp channel-group 1 supervisionFrameOption vlan-tagged configuration is ignored.


    Note


    With PRP VLAN aware enabled, native VLAN (untagged) supervision frames are sent out with the VLAN configured in supervisionFrameOption vlan-id, that is, switch(config)#prp channel-group 1 supervisionFrameOption vlan-id <vlan-id>. If this CLI is not configured, the supervision frames are sent out on the default VLAN 1.


  • The cos value used for the supervision frame can be configured using prp channel-group 1 supervisionFrameOption vlan-cos <cos value>. If cos value is not specified, the default cos value is 0.

Node and VDAN Tables

  • From Cisco IOS XE 17.16.1 release onwards, the VDAN Node table supports up to 1000 MAC addresses, accommodating more endpoints under a single IE3400 node for the PRP Supervision Frame VLAN Aware feature. Previously, the VDAN Node table supported up to 512 MAC addresses.

  • From Cisco IOS XE 17.16.1 release onwards, the switch supports up to 1000 (SAN+DANP) entries in the node table. Previously, the switch supported up to 512 (SAN+DANP) entries in the node table.

  • From Cisco IOS XE 17.16.1 release onwards, the show command outputs for the VDAN and node tables also display the VLAN tag information along with the MAC addresses.

  • The switch cannot send supervision frames for new VDANS when the VDAN table is full.

  • The maximum static Node/VDAN count is 16.

  • Hash collisions can limit the number of MAC addresses. If the node table is out of resources for learning a MAC address from a node, the switch will default to treating that node as a DAN.

  • After reload (before any MAC address is learned), the switch will temporarily treat the unlearned node as a DAN and duplicate the egress packets until an ingress packet or supervision frame is received from the node to populate an entry into the node table.

PTP over PRP

  • You must configure PRP and PTP separately. PTP over PRP works automatically without any additional configuration.

    No PTP configuration is available under interface prp-channel . The PRP channel member interfaces need to be individually configured for PTP. However, in most cases, you do not need to perform any PTP configuration on the interfaces because PTP is enabled by default on all physical Ethernet interfaces.


    Note


    You can use the show ptp port command to verify PTP over PRP configuration. In the command output, the LAN_B port may be displayed as “PASSIVE_SLAVE”.


  • PTP over PRP can coexist with Device Level Ring (DLR). In this scenario, the PRP RedBox is also part of a DLR network.

  • No configuration compatibility is enforced on the PRP channel member interfaces with respect to PTP.

    You can have different PTP configurations on PRP member interfaces. However, we recommend that you have identical PTP configurations on the interfaces that are part of the same PRP channel to allow for seamless transitions between PASSIVE_SLAVE and SLAVE states.

  • We recommend that the grandmaster (GM) clock be dually attached to both PRP LANs (as RedBox, VDAN, or DAN). If a GM is singly attached to one of the PRP LANs, only the devices in that LAN will be synchronized to the GM.

  • PTP over PRP supports only the Redbox types described in PRP RedBox Types. The following Redbox types described in IEC 62439-3, Section A are not supported:

    • PRP RedBoxes as three-port BCs (TWBC) - Section A.4.5.2

    • PRP RedBox as DATC with E2E - Section A.4.5.4.1

    • PRP RedBox as a stateless TC (SLTC) - Section A.4.5.5

  • To prevent any switch within PRP LAN-A/B from becoming a Grand Master, when PTP over PRP is configured for the system, other switches in PRP LAN-A and LAN-B should not be configured for PTP boundary mode. PTP transparent mode on PRP LAN-A/B switches is recommended in a time-sensitive environment.

  • IE switch platforms do not support PTP profile conversion. For example, if RedBox S in PRP Redbox as DABC with P2P were an IE switch, it would not support Delay_Req/Delay_Resp message exchange with LAN D shown in the figure. It would only support Peer-to-Peer delay measurement mechanism using PDelay messages.

  • PTP VLAN behavior remains unchanged by the PTP over PRP feature.

Default Settings

By default, no PRP channel exists on the switch until you create it. Interfaces that can be configured for PRP are fixed, as described in PRP Channels.

Creating a PRP Channel and Group

To create and enable a PRP channel and group on the switch, follow these steps:

Before you begin

  • Review the specific interfaces supported for each switch type, described in PRP Channels.

  • Review the Prerequisites and Guidelines and Limitations.

  • Ensure that the member interfaces of a PRP channel are not participating in any redundancy protocols such as FlexLinks, EtherChannel, or REP, before creating a PRP channel.

The following example is based on the IE3400. Adjust the interfaces used for your switch type based on the earlier information.

Procedure


Step 1

Enter global configuration mode:

configure terminal

Step 2

Assign two Gigabit Ethernet interfaces to the PRP channel group. For channel 1, enter:

Step 3

(Optional) For Layer 2 traffic, enter switchport (the default):

switchport

Note

 

For Layer 3 traffic, enter no switchport .

Step 4

(Optional) Set a nontrunking, non-tagged single VLAN Layer 2 (access) interface:

switchport mode access

Step 5

(Optional) Create a VLAN for the Gigabit Ethernet interfaces:

switchport access vlan <value>

Note

 

Only required for Layer 2 traffic.

Step 6

(Optional) Disable Precision Time Protocol (PTP) on the switch:

no ptp enable

PTP is enabled by default. You can disable it if you do not need to run PTP.

Step 7

Disable loop detection for the redundancy channel:

no keepalive

Step 8

Disable UDLD for the redundancy channel:

udld port disable

Step 9

Enter subinterface mode and create a PRP channel group:

prp-channel-group prp-channel group

prp-channel group—Value of 1 or 2

The two interfaces that you assigned in step 2 are assigned to this channel group.

The no form of this command is not supported.

Step 10

Bring up the PRP channel:

no shutdown

Step 11

Specify the PRP interface and enter interface mode:

interface prp-channel prp-channel-number

prp-channel-number—Value of 1 or 2

Step 12

Configure bpdufilter on the prp-channel interface:

spanning-tree bpdufilter enable

Spanning-tree BPDU filter drops all ingress/egress BPDU traffic. This command is required to create independent spanning-tree domains (zones) in the network.

Step 13

(Optional) Configure LAN-A/B ports to quickly get to FORWARD mode:

spanning-tree portfast edge trunk

This command is optional but highly recommended. It improves the spanning-tree convergence time on PRP RedBoxes and LAN-A and LAN-B switch edge ports. It is also highly recommended to configure this command on the LAN_A/LAN_B ports that are directly connected to a RedBox PRP interface.


Examples

This example shows how to create a PRP channel, create a PRP channel group, and assign two ports to that group.


switch# configure terminal
switch(config)# interface range GigabitEthernet1/1-2
switch(config-if)# no keepalive
switch(config-if)# udld port disable
switch(config-if)# prp-channel-group 1
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)# interface prp-channel 1
switch(config-if)# spanning-tree bpdufilter enable

This example shows how to create a PRP channel with a VLAN ID of 2.


switch# configure terminal
switch(config)# interface range GigabitEthernet1/1-2
switch(config-if)# switchport
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 2
switch(config-if)# no ptp enable
switch(config-if)# no keepalive
switch(config-if)# udld port disable
switch(config-if)# prp-channel-group 1
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)# interface prp-channel 1
switch(config-if)# spanning-tree bpdufilter enable

This example shows how to create a PRP channel on a switch configured with Layer 3.


switch# configure terminal
switch(config)# interface range GigabitEthernet1/1-2
switch(config-if)# no switchport
switch(config-if)# no ptp enable
switch(config-if)# no keepalive
switch(config-if)# udld port disable
switch(config-if)# prp-channel-group 1
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)# interface prp-channel 1
switch(config-if)# spanning-tree bpdufilter enable
switch(config-if)# ip address 192.0.0.2 255.255.255.0

Configuring PRP Channel with Supervision Frame VLAN Tagging

To create and enable a PRP channel and group on the switch with VLAN-tagged supervision frames, follow these steps:

Before you begin

  • Review the specific interfaces supported per switch type, described in PRP Channels.

  • Review the Prerequisites and Guidelines and Limitations.

  • Ensure that the member interfaces of a PRP channel are not participating in any redundancy protocols such as FlexLinks, EtherChannel, REP, and so on before creating a PRP channel.

The following example is based on the IE3400. Adjust the interfaces used for your switch type based on the earlier information.

Procedure


Step 1

Enter global configuration mode:

configure terminal

Step 2

Assign two Gigabit Ethernet interfaces to the PRP channel group. For channel 1, enter:

interface range {GigabitEthernet1/1-2 | GigabitEthernet1/3-4}

For channel 2, enter:

interface range {GigabitEthernet2/1-2 | GigabitEthernet1/9-10}

Gi1/9 and Gi 1/10 are supported for IE3400H only. See PRP Channels.

Use the no interface prp-channel {1 | 2} command to disable PRP on the defined interfaces and shut down the interfaces.

Step 3

Configure the PRP interface for trunk administrative mode, to allow the interface to carry traffic for more than one VLAN.

switchport mode trunk

Step 4

Specify the allowed VLANs for the trunk interface:

switchport trunk allowed vlan value

value—Allowed VLAN number from 0 to 4095 or list of VLANs separated by commas.

Step 5

(Optional) Disable Precision Time Protocol (PTP) on the switch:

no ptp enable

PTP is enabled by default. You can disable it if you do not need to run PTP.

Step 6

Disable loop detection for the redundancy channel:

no keepalive

Step 7

Disable UDLD for the redundancy channel:

udld port disable

Step 8

Enter sub-interface mode and create a PRP channel group:

prp-channel-group prp-channel group

prp-channel group—Value of 1 or 2

The two interfaces that you assigned in step 2 are assigned to this channel group.

The no form of this command is not supported.

Step 9

Bring up the PRP channel:

no shutdown

Step 10

Specify the PRP interface and enter interface mode:

interface prp-channel prp-channel-number

prp-channel-number—Value of 1 or 2

Step 11

Configure bpdufilter on the prp-channel interface:

spanning-tree bpdufilter enable

Spanning-tree BPDU filter drops all ingress/egress BPDU traffic. This command is required to create independent spanning-tree domains (zones) in the network.

Step 12

Enable the VLAN for the Supervision Frame option on the PRP channel group:

prp channel-group prp-channel-number supervisionFrameOption vlan-aware-enable

The command activates the supervision frame VLAN functionality to ensure supervision frames are sent with tags matching the VLAN of the associated VDAN. These tagged frames are then logged in the node table of the remote RedBox.

Step 13

Specify the VLANs to be recorded in the node table, for the Supervision Frame option on the PRP channel group:

prp channel-group prp-channel-number supervisionFrameOption vlan-aware-allowed-vlan

The command ensures that only the listed VLANs are learned and recorded, while supervision frames from other VLANs are ignored.

Note

 

The VLAN aware enable feature must be enabled before setting this feature.

Step 14

(Optional) Reject untagged supervision frames from the node table, for the Supervision Frame option on the PRP channel group:

prp channel-group prp-channel-number supervisionFrameOption vlan-aware-reject-untagged

The command rejects untagged supervision frames and prevents them from being recorded in the node table. By default, untagged frames are recorded.

Note

 

The VLAN aware enable feature must be enabled before setting this feature.

Step 15

Set the VLAN ID to be used in VLAN tags for supervision frames:

prp channel-group prp-channel-number supervisionFrameOption vlan-id value

prp-channel-number—Value of 1 or 2

value—VLAN number from 0 to 4095

Step 16

(Optional) Configure the Class of Service (COS) value to be set in the VLAN tag of the supervision frame:

prp channel-group prp-channel-number supervisionFrameOption vlan-cos value

value—Range is 1 - 7. Default is 1.

Step 17

Enable VLAN tagging on the interface:

prp channel-group prp-channel-number supervisionFrameOption vlan-tagged value

prp-channel-number—Value of 1 or 2

Step 18

(Optional) Configure LAN-A/B ports to quickly get to FORWARD mode:

spanning-tree portfast edge trunk

This command is optional but highly recommended. It improves the spanning-tree convergence time on PRP RedBoxes and LAN-A and LAN-B switch edge ports. It is also highly recommended to configure this command on the LAN_A/LAN_B ports directly connected to a RedBox PRP interface.

Example

REDBOX1# configure terminal
REDBOX1(config)# int range GigabitEthernet1/1-2
REDBOX1(config-if)# switchport mode trunk
REDBOX1(config-if)# switchport trunk allowed vlan 10,20
REDBOX1(config-if)# no ptp enable
REDBOX1(config-if)# no keepalive
REDBOX1(config-if)# udld port disable
REDBOX1(config-if)# prp-channel-group 1
REDBOX1(config-if)# no shutdown
REDBOX1(config-if)# exit
REDBOX1(config)# prp channel-group 1 supervisionFrameOption vlan-aware-enable
REDBOX1(config)# prp channel-group 1 supervisionFrameOption vlan-aware-allowed-vlan 10,20
REDBOX1(config)# prp channel-group 1 supervisionFrameOption vlan-aware-reject-untagged
REDBOX1(config)# prp channel-group 1 supervisionFrameOption vlan-tagged
REDBOX1(config)# prp channel-group 1 supervisionFrameOption vlan-id 10
REDBOX1(config)# interface prp-channel 1
REDBOX1(config-if)# spanning-tree bpdufilter enable
REDBOX1(config-if)# spanning-tree portfast edge trunk

Note


When vlan-aware is enabled, the prp channel-group 1 supervisionFrameOption vlan-tagged configuration is ignored.


Adding Static Entries to the Node and VDAN Tables

Follow this procedure to add a static entry to the node or VDAN table.

Procedure


Step 1

Enter global configuration mode:

configure terminal

Step 2

Specify the MAC address to add to the node table for the channel group and whether the node is a DAN or a SAN (attached to either LAN-A or LAN-B):

prp channel-group prp-channel group nodeTableMacaddress mac-address {dan | lan-a | lan-b}

prp-channel group —Value of 1 or 2

mac-address— MAC address of the node

Note

 

Use the no form of the command to remove the entry.

Step 3

Specify the MAC address to add to the VDAN table:

prp channel-group prp-channel group vdanTableMacaddress mac-address

prp-channel group —Value of 1 or 2

mac-address— MAC address of the node or VDAN

Note

 

Use the no form of the command to remove the entry.

Step 4

(Optional) Specify the static VDAN entry with VLAN ID to add to the VDAN table:

prp channel-group prp-channel group vdanTableMacaddress mac-address vlan-id value

value —VLAN number from 0 to 4095

Note

 

This command is applicable from Cisco IOS XE 17.16.1 onwards.


Example


switch# configure terminal
switch(config)# prp channel-group 1 nodeTableMacaddress 0000.0000.0001 lan-a

switch(config)# prp channel-group 1 vdanTableMacaddress 0000.0000.0001 vlan-id 345

Clearing All Node Table and VDAN Table Dynamic Entries

To clear all dynamic entries in the node table, enter:

clear prp node-table [channel-group group]

To clear all dynamic entries in the VDAN table, enter:

clear prp vdan-table [channel-group group]

If you do not specify a channel group, the dynamic entries are cleared for all PRP channel groups.


Note


The clear prp node-table and clear prp vdan-table commands clear only dynamic entries. To clear static entries, use the no form of the nodeTableMacaddress or vdanTableMacaddress commands shown in Adding Static Entries to the Node and VDAN Tables.


Disabling the PRP Channel and Group

Procedure


Step 1

Enter global configuration mode:

configure terminal

Step 2

Disable the PRP channel:

no interface prp-channel prp-channel-number

prp-channel-number—Value of 1 or 2

Step 3

Exit interface mode:

exit


Verifying Configuration

Command

Purpose

show prp channel {1 | 2 [detail | status | summary ] | detail | status | summary }

Displays configuration details for a specified PRP channel.

show prp control {VdanTableInfo | ptpLanOption | ptpProfile | supervisionFrameLifeCheckInterval | supervisionFrameOption | supervisionFrameRedboxMacaddress | supervisionFrameTime }

Displays PRP control information, VDAN table, and supervision frame information.

show prp node-table [channel-group <group > | detail ]

Displays PRP node table.

show prp statistics {egressPacketStatistics | ingressPacketStatistics | nodeTableStatistics | pauseFrameStatistics | ptpPacketStatistics }

Displays statistics for PRP components.

show prp vdan-table [channel-group <group > | detail ]

Displays PRP VDAN table.

show interface prp-channel {1 | 2 }

Displays information about PRP member interfaces.

show prp control VlanAwareTableInfo

Displays whether VLAN Aware mode is enabled or disabled, and lists the allowed VLANs.


Note


The show interface g1/1 or show interface g1/2 command should not be used to read PRP statistics if these interfaces are PRP channel members because the counter information can be misleading. Use the show interface prp-channel [1 | 2 ] command instead.


The following example shows the output for show prp channel when one of the interfaces in the PRP channel is down.


show prp channel 2 detail
PRP-channel: PR2
------------
Layer type = L2
Ports: 2 Maxports = 2
Port state = prp-channel is Inuse
Protocol = Enabled
Ports in the group:
1) Port: Gi1/3
Logical slot/port = 1/3 Port state = Inuse
Protocol = Enabled
2) Port: Gi1/4
Logical slot/port = 1/4 Port state = Not-Inuse (link down)
Protocol = Enabled

The following example shows how to display the PRP node table and PRP VDAN table.

Note


The table has the details for Mac Address, Type, Dyn, and TTL. From Cisco IOS XE 17.16.1 onwards, Tag and Vlan details are also available.



Switch#show prp node-table
PRP Channel 1 Node Table
==================================
     Mac Address   Type  Dyn   TTL    Tag    Vlan
---------------- ----- --- -------
 6C71.0D42.6A85  danp  Y     59         Y       100
 F8A7.3A99.EE10  danp  Y     54        Y       200
 A098.BB3E.0002   danp  Y     59        Y        30
 A098.BB3E.0003   danp   Y    59         Y       40 

==================================
Channel 1 Total Entries: 2
Switch#show prp vdan-table
PRP Channel 1 VDAN Table
============================
   Mac Address   Dyn   TTL   Tag   Vlan
---------------- --- -------
 E069.BAA3.2D22   N     -       N         -
 E069.BAA3.2D21   N     -       N         -
 A098.BB3E.0002    Y     -       Y         30
 A098.BB3E.0003    Y     -       Y         40

============================
Channel 1 Total Entries: 2

The following example shows output for the show prp control supervisionFrameOption command with and without VLAN tagging added to the PRP channel. A VLAN value field of 1 means that VLAN tagging is enabled, and a value of 0 means that VLAN tagging is disabled. From Cisco IOS XE 17.16.1 onwards, the output also shows whether VLAN Aware mode and reject untagged are enabled or disabled.

REDBOX1#show prp control supervisionFrameoption
 PRP channel-group 1 Super Frame Option 
  COS value is 0
  CFI value is 0
  VLAN value is 0
  MacDA value is 0
  VLAN id value is 0
  VLAN aware mode : disabled
  VLAN aware reject untagged : disabled
 PRP channel-group 2 Super Frame Option 
  COS value is 0
  CFI value is 0
  VLAN value is 0
  MacDA value is 0
  VLAN id value is 0
  VLAN aware mode : disabled
  VLAN aware reject untagged : disabled

 
REDBOX1#

The following example shows output for the show prp control VlanAwareTableInfo command. This command is available from Cisco IOS XE 17.16.1 onwards.

REDBOX1#show prp control VlanAwareTableInfo 
PRP Channel 1 Vlan Aware Table
 VLAN Aware mode Enabled
Allowed Vlans :
   Vlan 10
   Vlan 11
   Vlan 12
   Vlan 13
   Vlan 14
   Vlan 15
Number of allowed Vlans : 6
PRP Channel 2 Vlan Aware Table
 VLAN Aware mode Disabled
Allowed Vlans :
Number of allowed Vlans : 0

REDBOX1#

The PRP ingress statistics show the supervision frame drop count when the VLAN aware feature is enabled. This is the count of supervision frames that were rejected and not learned in the node table. This display is the default behavior starting with Cisco IOS XE 17.16.1, with or without the VLAN aware feature. The following example shows output for the show prp statistics ingressPacketStatistics command.

REDBOX1#show prp statistics ingressPacketStatistics 
PPRP prp_maxchannel 2 INGRESS STATS:
 PRP channel-group 1 INGRESS STATS:
   ingress pkt lan a: 87007
   ingress pkt lan b: 83196
   ingress crc lan a: 0
   ingress crc lan b: 0
   ingress danp pkt acpt: 5
   ingress danp pkt dscrd: 5
   ingress supfrm rcv a: 1385
   ingress supfrm rcv b: 1385
   ingress supfrm drop a: 100
   ingress supfrm drop b: 100
   ingress over pkt a: 0
   ingress over pkt b: 0
   ingress pri over pkt a: 0
   ingress pri over pkt b: 0
   ingress oversize pkt a: 0
   ingress oversize pkt b: 0


REDBOX1#
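
Because these counters are cumulative, a monitoring job gets more from comparing two polls than from reading one. The following Python script is an added example, not Cisco code: it parses output in the format shown above and reports increases in the supervision-frame drop and CRC counters per LAN. Both polls are constructed, and flagging a LAN whose packet counter stops increasing while the other LAN keeps receiving is a heuristic of this example, not documented device behavior.

```python
import re

GROUP_RE = re.compile(r"PRP channel-group (\d+) INGRESS STATS:")
COUNTER_RE = re.compile(r"^\s*ingress (.+?):\s*(\d+)\s*$")

# Two constructed polls in the format of the command output shown above.
POLL_1 = """\
PPRP prp_maxchannel 2 INGRESS STATS:
 PRP channel-group 1 INGRESS STATS:
   ingress pkt lan a: 87007
   ingress pkt lan b: 83196
   ingress crc lan a: 0
   ingress crc lan b: 0
   ingress supfrm rcv a: 1385
   ingress supfrm rcv b: 1385
   ingress supfrm drop a: 100
   ingress supfrm drop b: 100
"""
POLL_2 = """\
PPRP prp_maxchannel 2 INGRESS STATS:
 PRP channel-group 1 INGRESS STATS:
   ingress pkt lan a: 87950
   ingress pkt lan b: 83196
   ingress crc lan a: 0
   ingress crc lan b: 0
   ingress supfrm rcv a: 1400
   ingress supfrm rcv b: 1385
   ingress supfrm drop a: 112
   ingress supfrm drop b: 100
"""


def parse_ingress_stats(text):
    """Return {channel_group: {counter_name: value}} from the CLI output."""
    stats, group = {}, None
    for line in text.splitlines():
        header = GROUP_RE.search(line)
        if header:
            group = int(header.group(1))
            stats[group] = {}
            continue
        counter = COUNTER_RE.match(line)
        if counter and group is not None:
            stats[group][counter.group(1)] = int(counter.group(2))
    return stats


def delta(prev, curr, name):
    """Increase of a cumulative counter; a decrease is treated as a reset."""
    now, before = curr.get(name, 0), prev.get(name, 0)
    return now if now < before else now - before


def alerts(prev_stats, curr_stats):
    """Return (group, lan, message) tuples for changes between two polls."""
    out = []
    for group, curr in sorted(curr_stats.items()):
        prev = prev_stats.get(group, {})
        for lan in ("a", "b"):
            label = f"LAN-{lan.upper()}"
            dropped = delta(prev, curr, f"supfrm drop {lan}")
            if dropped:
                out.append((group, label,
                            f"{dropped} supervision frames rejected, "
                            "not learned in node table"))
            crc = delta(prev, curr, f"crc lan {lan}")
            if crc:
                out.append((group, label, f"{crc} CRC errors"))
        rx_a = delta(prev, curr, "pkt lan a")
        rx_b = delta(prev, curr, "pkt lan b")
        # Heuristic (assumption of this example): one LAN silent, other active.
        if (rx_a == 0) != (rx_b == 0):
            silent = "A" if rx_a == 0 else "B"
            out.append((group, f"LAN-{silent}",
                        "no new ingress packets while the other LAN is receiving"))
    return out


if __name__ == "__main__":
    before, after = parse_ingress_stats(POLL_1), parse_ingress_stats(POLL_2)
    for group, lan, message in alerts(before, after):
        print(f"channel-group {group} {lan}: {message}")
```
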

Configuration Examples

The following diagram shows a network configuration in which the IE3400 and IE3400H might operate. The commands in this example highlight the configuration of features and switches to support that configuration.

In this example, the configuration establishes two LANs, LAN-1 and LAN-2, and two PRP channels. Within the topology, an IE3400 is identified as Redbox-1 and an IE3400H is identified as Redbox-2.

Following is the configuration for LAN-1:


diagnostic bootup level minimal
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 88589
!
!
alarm-profile defaultPort
 alarm not-operating 
 syslog not-operating 
 notifies not-operating 
!
!
!
transceiver type all
 monitoring
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/4
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/5
 switchport access vlan 35
 switchport mode access
!
interface GigabitEthernet1/6
 shutdown
!
interface GigabitEthernet1/7
 shutdown
!
interface GigabitEthernet1/8
 shutdown
!
interface GigabitEthernet1/9
 shutdown
!
interface GigabitEthernet1/10
 shutdown
!
interface AppGigabitEthernet1/1
!
interface GigabitEthernet2/1
 shutdown
!
interface GigabitEthernet2/2
 shutdown
!
interface GigabitEthernet2/3
 shutdown
!
interface GigabitEthernet2/4
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet2/5
 switchport access vlan 35
 switchport mode access
!
interface GigabitEthernet2/6
 shutdown
!
interface GigabitEthernet2/7
 shutdown
!
interface GigabitEthernet2/8
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan35
 no ip address
!
interface Vlan25
 no ip address

The configuration for LAN-2 is shown below:


diagnostic bootup level minimal
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 88589
!
!
alarm-profile defaultPort
 alarm not-operating 
 syslog not-operating 
 notifies not-operating 
!
!
!
transceiver type all
 monitoring
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/3
 shutdown
!
interface GigabitEthernet1/4
 shutdown
!
interface GigabitEthernet1/5
 shutdown
!
interface GigabitEthernet1/6
 shutdown
!
interface GigabitEthernet1/7
 shutdown
!
interface GigabitEthernet1/8
 switchport access vlan 25
 switchport mode access
 !
interface GigabitEthernet1/9
 switchport access vlan 35
 switchport mode access
!
interface GigabitEthernet1/10
 shutdown
!
interface AppGigabitEthernet1/1
!
interface GigabitEthernet2/1
 shutdown
!
interface GigabitEthernet2/2
 shutdown
!
interface GigabitEthernet2/3
 shutdown
!
interface GigabitEthernet2/4
 switchport access vlan 35
 switchport mode access
!
interface GigabitEthernet2/5
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet2/6
 shutdown
!
interface GigabitEthernet2/7
 shutdown
!
interface GigabitEthernet2/8
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan35
 no ip address
!
interface Vlan25
 no ip address

Following is the configuration for Redbox-1:

!
!
spanning-tree mode rapid-pvst
no spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
memory free low-watermark processor 88589
!
!
alarm-profile defaultPort
 alarm not-operating 
 syslog not-operating 
 notifies not-operating 
!
prp channel-group 1 supervisionFrameOption vlan-id 35
prp channel-group 1 supervisionFrameTime 25000
prp channel-group 1 supervisionFrameLifeCheckInterval 8500
prp channel-group 1 supervisionFrameRedboxMacaddress 34c0.f9e5.59ba
!
!
transceiver type all
 monitoring
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface PRP-channel1
 switchport access vlan 35
 switchport mode access
 spanning-tree bpdufilter enable
!
interface PRP-channel2
 switchport access vlan 25
 switchport mode access
 spanning-tree bpdufilter enable
! 
interface GigabitEthernet1/1
 switchport access vlan 35
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/2
 switchport access vlan 35
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
 switchport access vlan 35
 switchport mode access
!
interface GigabitEthernet1/5
!
interface GigabitEthernet1/6
 description ***** tftp connection *****
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface GigabitEthernet1/7
!
interface GigabitEthernet1/8
!
interface GigabitEthernet1/9
!
interface GigabitEthernet1/10
!
interface AppGigabitEthernet1/1
!
interface GigabitEthernet2/1
 switchport access vlan 25
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet2/2
 switchport access vlan 25
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet2/3
!
interface GigabitEthernet2/4
!
interface GigabitEthernet2/5
!
interface GigabitEthernet2/6
!
interface GigabitEthernet2/7
!
interface GigabitEthernet2/8
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan35
 ip address 35.35.35.1 255.255.255.0
!
interface Vlan25
 ip address 25.25.25.1 255.255.255.0 
!
interface Vlan100
 ip address 15.15.15.149 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip tftp source-interface Vlan100
ip tftp blocksize 8192
!

Following is the configuration for Redbox-2:


!
spanning-tree mode rapid-pvst
no spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
memory free low-watermark processor 88589
!
!
alarm-profile defaultPort
 alarm not-operating 
 syslog not-operating 
 notifies not-operating 
!
prp channel-group 1 supervisionFrameOption vlan-id 35
prp channel-group 1 supervisionFrameTime 776
prp channel-group 1 supervisionFrameLifeCheckInterval 15000
prp channel-group 1 passRCT
prp channel-group 2 supervisionFrameOption vlan-id 25
prp channel-group 2 supervisionFrameTime 9834
prp channel-group 2 supervisionFrameLifeCheckInterval 12345
prp channel-group 2 passRCT

!
!
!
transceiver type all
 monitoring
vlan internal allocation policy ascending
lldp run
!
! 
!
!
!
!
!
!
!
!
!
!
!
interface PRP-channel1
 switchport access vlan 35
 switchport mode access
 spanning-tree bpdufilter enable
!
interface PRP-channel2
 switchport access vlan 25
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/1
 shutdown
!
interface GigabitEthernet1/2
 shutdown
!
interface GigabitEthernet1/3
 switchport access vlan 35
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/4
 switchport access vlan 35
 switchport mode access
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/5
!
interface GigabitEthernet1/6
 description **** tftp connection ****
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface GigabitEthernet1/7
!
interface GigabitEthernet1/8
!
interface GigabitEthernet1/9
 description *** PRP 2 channel *****
 switchport access vlan 25
 switchport mode access
 no ptp enable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/10
 description *** PRP 2 channel *****
 switchport access vlan 25
 switchport mode access
 no ptp enable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/11
!
interface GigabitEthernet1/12
!
interface GigabitEthernet1/13
!
interface GigabitEthernet1/14
!
interface GigabitEthernet1/15
!
interface GigabitEthernet1/16
!
interface GigabitEthernet1/17
!
interface GigabitEthernet1/18
!
interface GigabitEthernet1/19
!
interface GigabitEthernet1/20
!
interface GigabitEthernet1/21
!
interface GigabitEthernet1/22
!
interface GigabitEthernet1/23
!
interface GigabitEthernet1/24
!
interface AppGigabitEthernet1/1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan35
 ip address 35.35.35.2 255.255.255.0
!
interface Vlan25
 ip address 25.25.25.2 255.255.255.0 
! 
interface Vlan100
 ip address 15.15.15.169 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip tftp source-interface Vlan100
ip tftp blocksize 8192
!
!
!

VLAN Tagging Example

The following example shows the configuration of a switch with PRP channel interfaces configured for VLAN tagging of supervision frames.

PRP_IE3400#sh running-config 
Building configuration...

Current configuration : 8171 bytes
!
! Last configuration change at 05:19:31 PST Mon Mar 22 2021
!
version 17.5
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service call-home
no platform punt-keepalive disable-kernel-core
no platform punt-keepalive settings
no platform bridge-security all
!
hostname PRP_IE3400
!
!
no logging console
enable password Cisco123
!
no aaa new-model
clock timezone PST -8 0
rep bpduleak
ptp mode e2etransparent 
!
!
!
!
!
!
!
ip dhcp pool webuidhcp
   cip instance 1
!
!
!
login on-success log
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-559094202
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-559094202
 revocation-check none
 rsakeypair TP-self-signed-559094202
!
!
!
diagnostic bootup level minimal
!
!
!
spanning-tree mode rapid-pvst
no spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
memory free low-watermark processor 89983
!
!
alarm-profile defaultPort
 alarm not-operating 
 syslog not-operating 
 notifies not-operating 
!
prp channel-group 1 supervisionFrameOption vlan-tagged
prp channel-group 1 supervisionFrameOption vlan-id 30
prp channel-group 1 supervisionFrameTime 500
prp channel-group 1 supervisionFrameLifeCheckInterval 24907
prp channel-group 1 supervisionFrameRedboxMacaddress ecce.13eb.71a2
prp channel-group 2 supervisionFrameOption vlan-tagged
prp channel-group 2 supervisionFrameOption vlan-id 40
prp channel-group 2 supervisionFrameTime 0
prp channel-group 2 supervisionFrameLifeCheckInterval 0
prp channel-group 2 supervisionFrameRedboxMacaddress f8b7.e2e5.c1f9
!
!
!
transceiver type all
 monitoring
vlan internal allocation policy ascending
lldp run
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface PRP-channel1
 switchport mode trunk
 switchport trunk allowed vlan 30,40

 spanning-tree bpdufilter enable
!
interface PRP-channel2
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 no keepalive
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 1
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface GigabitEthernet1/5
 shutdown
!
interface GigabitEthernet1/6
 switchport access vlan 197
 switchport mode access
!
interface GigabitEthernet1/7
!
interface GigabitEthernet1/8
!
interface GigabitEthernet1/9
!
interface GigabitEthernet1/10
 shutdown
!
interface AppGigabitEthernet1/1
!
interface GigabitEthernet2/1
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet2/2
 switchport mode trunk
 switchport trunk allowed vlan 30,40
 no ptp enable
 udld port disable
 no keepalive
 prp-channel-group 2
 spanning-tree bpdufilter enable
!
interface GigabitEthernet2/3
!
interface GigabitEthernet2/4
!
interface GigabitEthernet2/5
!
interface GigabitEthernet2/6
!
interface GigabitEthernet2/7
!
interface GigabitEthernet2/8
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan30
 ip address 30.30.30.1 255.255.255.0
!
interface Vlan40
 ip address 40.40.40.1 255.255.255.0
!
interface Vlan197
 ip address 9.4.197.30 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip tftp source-interface Vlan197
ip tftp blocksize 8192
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
!
!
!
!
!
!
end

PRP_IE3400#

Feature History

| Feature Name | Release | Feature Information |
|---|---|---|
| PRP Scalability - Supervisory Frame per VLAN | Cisco IOS XE 17.16.1 | This feature is supported on IE3400/IE3400H. |
| IE PRP Node/VDAN Table Scale >1000 | Cisco IOS XE 17.16.1 | This feature is supported on IE3400/IE3400H. |
| TrustSec Configuration on PRP Interface | Cisco IOS XE 17.13 | This feature is supported on IE3x00. |
| PRP Supervision Frame VLAN Tagging | Cisco IOS XE 17.5 | Initial support on IE-3400 with IEM 3400 (Advanced Expansion) and IE3400H. |
| PRP channel 2 support | Cisco IOS XE 17.4 | This feature is supported on IE 3400 with IEM 3400 (Advanced Expansion) and IE3400H. |
| Parallel Redundancy Protocol (1 PRP channel) | Cisco IOS XE 16.12.1 | This feature is supported on IE-3400 with IEM 3400 (Advanced Expansion) and IE3400H. |